Earlier this year, security researchers discovered a fire sale taking place on the dark web: 2.2 billion usernames and passwords that had been stolen in data breaches and compiled into a multi-volume database dubbed Collection #1-5.

With so many passwords leaked, there is a decent chance that yours was among them. (You can check at haveibeenpwned.com.) If hackers tried to log in to your accounts before you had a chance to change your passwords, only one thing might have saved you: two-factor authentication.

Two-factor authentication (2FA) requires you to present two pieces of evidence to verify your identity before you can access your account, typically your password and a one-time 2FA code. With 2FA enabled, a data breach or a hacker who learns your password still cannot log in, because the second factor is missing.

If you are only protecting your accounts with passwords—even strong, unique passwords—you are putting your online data at risk. As your personal data increasingly migrates to the digital world, 2FA is an easy and effective way of adding security to online accounts. Many of the largest platforms offer 2FA. Even Fortnite, the popular online video game, has promoted 2FA by giving a special dance emote to players who secure their accounts with it.

Unfortunately, many online services still do not offer 2FA, including many VPN and email providers. Others offer it but implement it in a way that a determined attacker can bypass. In this article we’ll take a closer look at 2FA.

How does two-factor authentication (2FA) work?

Two-factor authentication adds an extra identity verification to the standard log-in procedure. Instead of just typing in your username and password to sign in, 2FA requires you to provide another type of credential before you can access your account.

The most common types of 2FA use:

a one-time verification code that is sent to a phone number or email address

the answer to a security question, such as the first concert you attended or the place you were born

a time-based one-time password (TOTP) that is generated by an authenticator app, like Authy or Duo Mobile

a physical fob, like Yubikey, which can be plugged into your device

biometric information, such as a fingerprint or iris scan (not common).

Most of these methods verify your identity by checking that you possess a designated device, namely your mobile phone or your Yubikey (something you have). The others rely on something you know (the security question) or something you are (your physical traits).

As 2FA becomes the cybersecurity standard, online organizations are making it easier and easier to set up. Most sites let you set up 2FA by scanning a QR code with one of the code-generating apps mentioned above; the QR code carries the shared secret that the app uses to generate codes. Most platforms also give you recovery or backup codes in case you lose the device that delivers your second factor—your phone or your Yubikey—so you are not locked out of your account. Store those codes somewhere safe, such as a password manager.

Avoid weak types of 2FA

Some types of 2FA are more secure than others. Two-factor authentication that relies on SMS is vulnerable to being compromised, as recent hacks of Reddit, Twitter founder Jack Dorsey, and others have demonstrated. In a SIM swap attack, hackers persuade or bribe phone company employees to transfer your phone number to a SIM the attacker controls, so every SMS code meant for you is delivered to them instead. There are also social engineering tricks that can be used to obtain 2FA codes sent by SMS. For this reason, we advise everyone to avoid using 2FA systems that rely on SMS.

Knowledge-based 2FA tests like security questions are also more vulnerable to attacks. Your mother’s maiden name or the city in which you were born, for instance, are a matter of public record. If your service provider only offers questions as 2FA, then provide a unique false answer and store it somewhere safe, like a password manager, so you don’t forget.

Hardware 2FA options like Yubikey are the most secure, but currently few services support them. For the time being, the best method of 2FA is an authenticator app. These apps work by computing a keyed hash (an HMAC) of the current 30-second time step using a secret key that only your phone and the website’s servers share. The hash is then truncated to a six-digit number for you to type into the window that follows the username and password page at sign in. Because the code depends on the time step, each one is valid only briefly, and because it depends on the secret, nobody without the secret can compute it.

Other 2FA scams to watch out for

Even after you’ve enabled 2FA, you still need to take precautions. Recently, researchers found several instances where accounts equipped with 2FA were compromised by convincingly accurate phishing pages, including a fraudulent replica that mimicked ProtonMail by using the domain “protonemail.ch”. The hackers tried to fool their targets into entering their username, password, and 2FA code into the fake site. As soon as the victim submits these details, the attackers replay them on the real site while the 2FA code is still valid.

Token-based 2FA is an excellent method of securing your account, but it is not a silver bullet. As these reports have shown, well-made phishing pages, of the kind frequently encountered on Black Friday scam sites, can still defeat code-based 2FA. Hardware keys that use the FIDO U2F or WebAuthn standards are the exception: the key signs a challenge that is bound to the site’s real domain, so a response captured on a look-alike domain is useless elsewhere. For every other kind of 2FA, users must be vigilant to make sure they are on a legitimate website before entering a code.
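The following Python is added here as an illustration and is not part of the original article or of Proton’s code. It implements the TOTP scheme described in the authenticator-app section above (RFC 6238: an HMAC-SHA1 over the 30-second time step, truncated to six digits) as both the app and the website would compute it, and then simulates the phishing relay described in this section. The shared secret is the RFC 6238 test-vector key and the timestamps are constructed for the demonstration; no real account or service is involved.

```python
# Added example (not part of the original article): RFC 6238 TOTP as the
# authenticator app and the website compute it, plus a simulation of the
# real-time phishing relay described above. Standard library only.
import base64
import hashlib
import hmac
import struct

# Constructed shared secret: the RFC 6238 test-vector key, shown as raw bytes
# and as the base32 string an enrolment QR code would carry (an assumption of
# this example; real sites generate a random per-account secret).
SECRET = b"12345678901234567890"
SECRET_BASE32 = base64.b32encode(SECRET).decode()

STEP = 30     # seconds per time step (the usual value)
DIGITS = 6


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """Code for the time step containing unix_time: HMAC-SHA1 over the step
    counter, keyed with the shared secret, then truncated (RFC 4226 / 6238)."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation offset
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class TotpVerifier:
    """Server side. Accepts the code for the current step and for `window`
    steps either side (to tolerate clock drift), and never accepts a step twice."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window
        self.last_accepted_step = -1              # highest counter already used

    def verify(self, code: str, unix_time: int) -> bool:
        current = unix_time // STEP
        for delta in range(-self.window, self.window + 1):
            step = current + delta
            if step <= self.last_accepted_step:
                continue                          # replay of an already-used code
            expected = totp(self.secret, step * STEP)
            if hmac.compare_digest(expected, code):
                self.last_accepted_step = step
                return True
        return False


def phishing_relay(verifier: TotpVerifier, victim_time: int, relay_delay: int) -> bool:
    """The attack in the article: the victim types the genuine code from their
    app into a fake site, and the attacker submits it to the real site
    relay_delay seconds later. Returns whether the real site accepted it."""
    code_from_victim = totp(verifier.secret, victim_time)
    return verifier.verify(code_from_victim, victim_time + relay_delay)


if __name__ == "__main__":
    print("enrolment secret (base32):", SECRET_BASE32)
    print("code at t=59:", totp(SECRET, 59))
    fast = TotpVerifier(SECRET)
    slow = TotpVerifier(SECRET)
    print("relay after 10 s accepted:", phishing_relay(fast, 1111111109, 10))
    print("relay after 90 s accepted:", phishing_relay(slow, 1111111109, 90))
```

Two things are worth noticing. The one-time-use check stops a code from being accepted twice, but it does nothing against the relay, because the attacker submits the code before the victim’s own login ever reaches the real site. And the drift window, which is what makes the scheme usable with imperfect phone clocks, is also what gives the attacker up to a minute to forward the code; a relay that arrives after the window closes is rejected.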

How to enable 2FA in your Proton account

ProtonMail and ProtonVPN both offer 2FA via authenticator app that you can enable to protect the sensitive information stored in your account. You can find instructions to add 2FA protection to your ProtonMail and ProtonVPN accounts on our 2FA guide.

While 2FA can make signing in to your accounts slightly more time consuming, the added security is worth it. We encourage you to enable two-factor authentication on your accounts wherever possible.

Best Regards,

The ProtonMail Team

You can get a free secure email account from ProtonMail here.

We also provide a free VPN service to protect your privacy.

ProtonMail and ProtonVPN are funded by community contributions. If you would like to support our development efforts, you can upgrade to a paid plan or donate. Thank you for your support.