Use two-factor authentication to protect your accounts

When you log in to your accounts online, you mostly use a simple ‘username and password’ combination to do so. Adding two-factor authentication (2FA) to your login process is a simple way of adding an extra layer of security to your accounts.

The problem with relying on a username and password style of login is that you can’t always keep your password safe. Your password could be stolen:

  • through a scam, like phishing
  • from a business you have an account with, if they have a data breach.

Adding another level of security with 2FA makes it harder for an attacker to access your online accounts — just knowing your password isn’t enough.

And, if you’re running a business, 2FA can also help you keep your business systems and data safe.

How 2FA works

When you log into an online account with a username and password, you’re using what’s called single factor authentication. You only need one thing — your password — to verify that you are who you say you are.

With 2FA, you need to provide two things — your password and something else — before you can access an account.

You can authenticate (prove you are you) based on:

  • something you know
  • something you have, and
  • something you are.

Something you know could be your:

  • password
  • passphrase
  • security questions, or
  • PIN.

Something you have could be:

  • a physical device, for example:
    • security tokens and fobs assigned to a specific person that generate a temporary access code, or
    • your phone, where you get a call back to press certain phone keys to grant access to an account
  • software, such as an application like Google Authenticator, that:
    • sends a notification to your smartphone, or
    • provides you with a temporary access code.

Something you are includes things like:

  • fingerprint scans, and
  • voice recognition.

For example: with 2FA, if you want to log into one of your social media accounts, you might need both your password and a temporary access code from an app on your phone. That means that even if someone finds out what your password is, they can’t get into your account with that alone. They’d also need to have physical access to your phone so they can get the code, which isn’t very likely.

Visit CERT NZ for more information. 
Visit ACSC for more information.