A quick guide to two-factor authentication (2FA)

If you feel like you have more online accounts and passwords than you can keep track of, you’re not the only one. And with so much account information to remember, it can be tempting to use the same simple password for all your accounts.

But that can make your accounts more vulnerable to hacking. And when it comes to things like your personal information and online banking, having easy-to-guess passwords can have serious consequences. 

That’s why two-factor authentication (2FA) can be a crucial part of helping you keep your online accounts more secure. Find out how 2FA works and why it can be an important part of online security. 

Key takeaways

• Two-factor authentication creates an extra layer of security to help prevent unauthorized access to online accounts.
• Two-factor authentication might combine a password with a text message, email, authenticator app, push notification, biometric authentication or physical key. 
• Combining two-factor authentication with a password manager can help you keep your accounts even more secure.

Two-factor authentication adds an extra layer of account security that aims to help prevent unauthorized online account access.

With 2FA, users start by entering their username and password—the first authentication factor. If the site’s authentication server verifies that information, the user goes on to the second part—or “factor”—of the authentication process. 

That second factor requires users to verify their identity in a second way. And according to the Cybersecurity & Infrastructure Security Agency (CISA), the second step may involve any of the following:

Text message (SMS) or email

You get an authentication code sent to your phone or email. Then, you use the code to finish signing in to your account. This is considered the weakest form of two-factor authentication, according to CISA.

Authenticator app

An authenticator app generates login codes on your smartphone. When prompted for your code, you open the app and enter the displayed number.

Push notification

Instead of a numeric code, the service sends a request to your phone to ask if it should let you in. You’ll see a pop-up, which you can approve or deny.  

Fast identity online (FIDO) 

FIDO is a type of two-factor authentication that uses things like biometric identification—your fingerprint, face, eyes or voice—or a physical security key to verify your identity. CISA says this is the most secure type of two-factor authentication.

Multi-factor authentication and two-factor authentication can be used interchangeably, says the CISA. 

Both terms refer to a layered method of making your online accounts more secure by combining a password with a second step of identity verification.

You might also see this referred to as two-factor verification, two-step authentication, 2FA, MFA and more. 

A password isn’t always enough when it comes to keeping your accounts secure. That’s especially true when people use common, easy-to-guess passwords. In fact, according to CISA, “123456” is still the most common password in the U.S.

That’s where two-factor authentication comes into play. 

With two-factor authentication, even if your password is compromised, unauthorized people might still be stopped from getting into your account by the second authentication factor. You can think of it as an account double-checking that it’s really you trying to sign in. 

According to the FBI, most people don’t turn on two-factor authentication because they think it’ll be inconvenient. But experts say that two-factor authentication can be a very effective way to help you keep your accounts safer. 

And when you’re protecting your personal information and your money, it’s worth it to do everything you can. Keep in mind that even if you do enable 2FA, it’s still important to use complex, hard-to-guess passwords.

Typically, you can enable two-factor authentication in the security settings of your account. But the process may vary depending on what kind of device you’re using and the account you’re securing.

Here’s how you can enable two-factor authentication using the Capital One Mobile app: 

1. Download the Capital One mobile app. Once you’ve downloaded the app, agree to receive push notifications. That way, you can enable Mobile App Verification on your device.
2. Manage devices in your settings. Sign in and tap Profile on the bottom toolbar. Next, tap Security, and you’ll see Mobile App Verification under Additional Security. This is where you can enable this feature and enroll your devices.
3. Look for the mobile app verification request. For this extra layer of security, Capital One will send you a push notification to verify it’s you. Open the Capital One app to approve the Mobile App Verification request.

Here are some other guides for how to turn on two-factor authentication: 

• Apple
• Facebook
• Google 

Password managers are apps that create and store strong passwords for your online accounts. They can also help you find any weak passwords or passwords you’ve used across multiple accounts.

With a virtual vault full of hard-to-guess passwords—that you don’t have to keep track of yourself—password managers can help you keep your accounts more secure. 

But a password manager does have its own password. And that could be a potential vulnerability. So rather than thinking you have to decide between a password manager or enabling two-factor authentication, consider using both to add more layers of security to your accounts.

Two-factor authentication can be an important part of keeping your online accounts more secure. But even the most thorough security protocols still partly rely on the user to choose strong passwords and avoid sharing their login credentials. 

Want more tips for staying safe and secure online? Learn about ways to protect your digital identity, avoid phishing scams and protect yourself from identity theft.