That's how two-factor authentication works - Google Safety Centre (2024)

A successful data hack can have unpleasant consequences. There have been cases where unknown attackers have used victims’ accounts to troll in the user's name on social media or send fraudulent emails. Other people have experienced money disappearing from their online bank accounts. Often, people don’t notice that their accounts have been hacked until the damage is already done.

One reason why data theft occurs again and again is that most users rely too much on their passwords to protect them in the online world. People are unaware of the existence of online lists containing millions of username and password combinations. These 'password dumps', as experts call the lists, are assembled from data taken in numerous successful instances of data theft. Because many people use their passwords for several things, their login data for their Google Accounts can also be found in these 'password dumps' even if their accounts have not actually been hacked. Another constant threat is posed by phishing – fraudulent attempts to obtain passwords and other information via seemingly trustworthy emails or websites.

That’s why companies like Google recommend that users secure their online account with two-factor authentication, which involves presenting two separate factors in order to log in, such as a password and a code sent via text. This authentication method has become very common, particularly for banks and credit card companies.

Security experts distinguish between three basic types of security factors. The first is a piece of information ('something you know'): for example, a user receives a code via text and enters it, or has to answer a security question. The second is a physical object ('something you have') that can be used for authentication, such as a credit card. The third is biometric data ('something you are'), like when smartphone users unlock their screen with their fingerprint. All two-factor authentication strategies employ a combination of two of these different factors.

Google offers various kinds of two-factor authentication. Alongside the traditional password, users can enter a one-time security code that they receive via text or voice call or that they generate on the Google Authenticator app, which runs on Android and on Apple’s iOS mobile operating system. Users can also provide a list of trusted devices within their Google Account. If a user tries to log in from a device that’s not on the list, he or she will receive a security warning from Google.

For the past three years, Google has also offered its users the option of using a physical security token, called a security key. This is a USB, NFC or Bluetooth dongle that has to be connected to the device in question. The process is based on an open authentication standard called Universal 2nd Factor (U2F), developed by the FIDO consortium. Google is part of that consortium alongside companies like Microsoft, Mastercard and PayPal. Security tokens based on the U2F standard are available from various manufacturers for a small fee. They have proven very successful – since the introduction of security keys, the data theft risk has decreased significantly. While an online account can theoretically be hacked from anywhere in the world, a physical security token has to actually be in the hands of the thieves (who would also need their victims’ login details to access the account). Several companies, in addition to Google, already support these security tokens.

Of course, two-factor authentication also has its disadvantages. Those using text codes must have their mobile phone handy when logging in from a new device. And USB and Bluetooth dongles can get lost. But these are not insurmountable problems, and it’s certainly worth the risk when one considers how much additional security they offer. Anyone who loses their security key can remove the lost token from their account and add a new one. Another option is to register a second security key at the start and keep it in a safe place.

For more information, visit:

g.co/2step