Use two-factor authentication to protect your accounts

When you log in to your accounts online, you mostly use a simple 'username and password' combination to do so. Adding two-factor authentication (2FA) to your login process is a simple way of adding an extra layer of security to your accounts.

The problem with relying on a username and password style of login is that you can’t always keep your password safe. Your password could be stolen:

  • through a scam, like phishing
  • from a business you have an account with, if they have a data breach.

Find out more about phishing

How data breaches work

Adding another level of security with 2FA makes it harder for an attacker to access your online accounts — just knowing your password isn’t enough.

And, if you’re running a business, 2FA can also help you keep your business systems and data safe.

Find out about 2FA for business

How 2FA works

When you log into an online account with a username and password, you’re using what’s called single factor authentication. You only need one thing — your password — to verify that you are who you say you are.

With 2FA, you need to provide two things — your password and something else — before you can access an account.

You can authenticate (prove you are you) based on:

  • something you know
  • something you have, and
  • something you are.

Something you know could be your:

  • password
  • passphrase
  • security questions, or
  • PIN number.

Something you have could be:

  • a physical device, for example:
    • security tokens and fobs assigned to a specific person that generates a temporary access code, or
    • your phone, where you get a call back to press certain phone keys to grant access to an account
  • software, such as an application like Google Authenticator, that:
    • sends a notification to your smartphone, or
    • provides you with a temporary access code.

Something you are includes things like:

  • fingerprint scans, and
  • voice recognition.

For example: with 2FA, if you want to log into one of your social media accounts, you might need both your password and a temporary access code from an app on your phone. That means that even if someone finds out what your password is, they can’t get into your account with that alone. They’d also need to have physical access to your phone so they can get the code, which isn’t very likely.


If you receive a temporary access code for an account you weren’t trying to log into, change your password. It could be that someone’s got your password details and they’re attempting to access that account without your knowledge.


Where you can use 2FA

You can enable 2FA on most of your online accounts, like your:

  • email accounts
  • social media networks
  • internet banking
  • online shopping sites.

You can also set 2FA up on your devices — on laptops, tablets, smartphones, and even some game consoles.

Like any security measure, 2FA isn’t bulletproof. Make sure you’re still using strong passwords and have robust security settings on your devices and accounts.

See if you can enable 2FA on the system you use External Link


It’s possible to intercept verification codes that are sent by text. While using 2FA via text is much safer than not using 2FA, if there’s a different method available, we recommend using that instead.


How to turn 2FA on

You’ll often find the option to enable 2FA in the privacy settings of your online accounts.

Some online services don’t call it two-factor authentication though. Some will call it two-step authentication or multi-factor authentication (MFA). Others use different terms, for example 'security key', when they’re talking about 2FA.

Banks all enable their 2FA systems differently. Some will have different options depending on if you’re logging into your account on your desktop, laptop, or mobile device. Check your bank’s website to see what their 2FA options are, and how to set it up.