top of page

Why you should be au fait with 2FA

Turning on two-factor authentication is one of the most effective ways to protect your online accounts from cyber criminals.

2FA is a simple step which will help better protect your most important accounts such as email, banking, social media and online shopping apps by adding an extra layer of security to all of them.

Two-factor authentication (2FA), or 2-step verification (2SV) and multi-factor authentication (MFA), helps to keep cyber criminals out of your accounts, even if they know your passwords. It's recommend you take time to set up 2FA on all your important accounts, even for ones that you've protected with strong passwords.

How does two-factor authentication work?

When you set up Two-factor authentication, you’ll be sent a PIN or code, often by SMS or email. You then need to enter this PIN to prove that it's really you (since it’s presumed only you - and not the cyber criminal) can access your phone or email.

There are different types of two-factor authentication. So instead of entering a PIN or code, you may be able to enter your fingerprint, or face scan, or use an app (such as those provided by Microsoft or Google).

You don't necessarily need a mobile phone to turn on two-factor authentication; some organisations will let you use a landline number, or a separate device (such as a card reader for online banking) or a USB stick.

The important thing is that whatever type you choose (and you can check your service provider’s website to see which type they support), it only takes a few minutes to set it up.

Once you’ve done this, you’re instantly much safer online. You won't have to enter the PIN (or provide your fingerprint) every time you use a service; depending on how it’s set up, you’ll only need to do this when ‘suspicious’ activity is detected (such as a login attempt from a different device, or a request to change the password).

Why should I take time to set up two-factor authentication?

It's easier than you think for someone to steal your password.

Even if you've always looked after your passwords (and taken the time to create a strong one with three random words, and avoided the worst passwords - including a really unsecure one that 23 million people were estimated to be using!), they can still be stolen through no fault of your own.

The most common way that passwords are stolen is when an organisation holding your details suffers a data breach. Criminals will use passwords stolen in the breach to try and access other accounts, a technique known as 'credential stuffing' that works because many people use the same password for different accounts.

Criminals may also try and trick you into revealing your passwords by sending you links to scam websites asking you to log in, either by email, text message or direct messages/chat. Phishing, basically!

Even if your passwords are hard to guess, that doesn't make them any harder to steal. In other words, even accounts protected with strong passwords will benefit from using two-factor authentication.

How to turn on two-factor authentication

If two-factor authentication is available for an account, the option to switch it on is usually found in the security settings for the account. Note it may also be called 2-step verification (2SV) or multi-factor authentication (MFA).

For instructions on how to turn on two-factor authentication for specific services (and devices), please refer to the following links:

Turn on 2FA for email

Turn on 2FA for social media

Turn on 2FA for other accounts



Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).



The contents of blog posts on this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of East Midlands Cyber Resilience Centre (EMCRC) is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. EMCRC provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us by email.


EMCRC does not accept any responsibility for any loss which may arise from reliance on information or materials published on this blog. EMCRC is not responsible for the content of external internet sites that link to this site or which are linked from it.

bottom of page