Two Factor What? Everything you need to know about Two Factor Authentication (2FA)

What’s the first thing you think about when someone mentions keeping your online accounts safe? We bet it’s having a long, complicated password. And this is because for many years, having a strong password was the main way to secure an account.

But passwords are vulnerable. And every time a B2C company is hacked, there’s a high chance that your login details have been compromised and will soon be available for criminals to purchase on the dark web. That’s where security measures like Two Factor Authentication come in.

What is Two Factor Authentication?

Two Factor Authentication (also known as 2FA or 2-step verification) is the practice of setting up an added layer of security to your logins. It allows an application to link your user to an authentication mechanism (i.e. Google authenticator app or your mobile phone). When you enter your password to login, it generates a number that expires quickly and is recognized by the application to confirm that your login is valid.

Most applications that deal with sensitive data provide support for 2FA, some of these applications being email, cloud storage, banking, business applications etc.

Why is Two Factor Authentication important, and why aren’t passwords enough?

There is a constant security threat to any organization that provides services over the internet – which is a lot of businesses. Cyberattacks are becoming increasingly sophisticated, and a successful one makes it possible for third parties to steal long lists of usernames and passwords. With this information, third parties can gain access to these accounts and can attempt an account takeover.

This risk is further exacerbated by the fact that many people use the same password in many applications. This means that when attackers get access to someone’s username and password combination, they can access several of that person’s applications.

So, an easy way to prevent this type of unauthorised access is to activate Two Factor Authentication, particularly in applications that contain sensitive data. Preventing access to your account can help protect your personal information and prevent further leaks or loss of data. When you have 2FA active and a third party tries to gain access to your account using your username and password, they will be asked for the 2FA number which they will not have, preventing access to your account.

What are the different types of Two Factor Authentication?

While they all work under more or less the same premise, there are a number of different types of two factor authentication available:

Authenticator App 2FA: this is where the user downloads a free authenticator app to their mobile device. When the user attempts to log in, they’ll need to open the app and use the unique one time passcode (OTP) provided.

SMS text or voice-based 2FA: this is where the user is sent a unique code via text message to a mobile device. Alternatively they’ll receive a call to their phone number with their code. The user then needs to enter this code to complete their login.

Push-based notification 2FA: this is when a notification is sent to the relevant app already installed on the user’s phone (for example the Gmail app). Then the user just needs to approve.

Hardware token/key 2FA: this is one of the earlier forms of 2FA, and is when the user is issued with a device which they use to receive a numeric code for login.

Biometric approval: this is a relatively new addition to the 2FA world, where the user provides a piece of biometric data (i.e. fingerprint or facial recognition image) and this is used to compare and confirm their identity at login.

Remember to protect your recovery codes

Recovery codes are one-use codes issued when you’re setting up 2FA. Remember to keep a record of them, as they’ll enable you to access your account if your authentication device (i.e. mobile phone) is lost or stolen.

Why doesn’t everyone use Two Factor Authentication?

Two Factor Authentication may sound like a no-brainer, but worryingly, ‘How to turn off two factor authentication’ is quite a popular Google search term.

Simply put, people like convenience. People are accustomed to using just their password when logging in to an account, which in many cases is stored in their computer or browser. So, having to open an app or pull a key to log in to their account is more time consuming.

But while 2FA may add another step to your login process, in a world with an ever-increasing risk of account takeovers, the security it provides is invaluable. More and more applications offer it, and a large number of companies are now making it mandatory for their employees. This is particularly significant during these post-COVID times, when working from home and logging in remotely is now the norm in most businesses.

What’s the difference between Two Factor Authentication and Multi Factor Authentication?

Two Factor Authentication and multi factor authentication aren’t that different. Whereas 2FA uses just one other device to authenticate a user’s login, multi factor may use a number of devices or factors to authenticate. Some companies with a lot of sensitive, financial, or personal information at risk may choose multi factor authentication as an added measure.

How to see if you’ve been part of a data breach

It doesn’t matter if your password is complex or long, or if you have different passwords for different accounts. The truth is if your password has been part of a data breach then your account is at risk. is a useful tool that helps you check if your email and password have ever been part of a data breach. Google also offers a similar functionality that allows you to check if any of your passwords stored in the Chrome password manager are part of an exposed data breach.

Does Red Sift offer Two Factor Authentication on its products?

Of course! If you want to activate 2FA in your OnDMARC application you can go to My Account (top right), scroll down to Security and click on Enable two-factor authentication. You can also consult our step-by-step article.

Not an OnDMARC customer but want to try it out? Why not sign up below for your free trial.


Gino Coquis

16 Aug. 2021



Recent Posts


The best tools to protect yourself from SubdoMailing

Francesca Rünger-Field

In late February 2024, ‘SubdoMailing’ became a trending search term overnight. Research by Guardio Labs uncovered a massive-scale phishing campaign that had been going on since at least 2022. At the time of reporting, the campaign had sent 5 million emails a day from more than 8,000 compromised domains and 13,000 subdomains with several…

Read more
Product Release

Red Sift’s Spring 2024 Quarterly Product Release

Francesca Rünger-Field

This early into 2024, the cybersecurity space is already buzzing with activity. Emerging standards, such as Google and Yahoo’s bulk sender requirements, mark a new era of compliance for businesses reliant on email communication. At the same time, the prevalence of sophisticated cyber threats, such as the SubdoMailing campaign, emphasizes the continual hurdles posed…

Read more

Navigating the “SubdoMailing” attack: How Red Sift proactively identified and remediated a…

Rebecca Warren

In the world of cybersecurity, a new threat has emerged. Known as “SubdoMailing,” this new attack cunningly bypasses some of the safeguards that DMARC sets up to protect email integrity.  In this blog we will focus on how the strategic investments we have made at Red Sift allowed us to discover and protect against…

Read more

Where are we now? One month of Google and Yahoo’s new requirements…

Rebecca Warren

As of March 1, 2024, we are one month into Google and Yahoo’s new requirements for bulk senders. Before these requirements went live, we used Red Sift’s BIMI Radar to understand global readiness, and the picture wasn’t pretty.  At the end of January 2024, one-third of global enterprises were bound to fail the new…

Read more