Protect your business with two-factor authentication (2FA)

As part of your business strategy, you need to think about how to protect both your systems and your customers' accounts. 2FA is one of the tools that can help.

What is two-factor authentication (2FA)?

[Visual] The video begins with an intro graphic displaying the video title ‘Protect yourself online Two-Factor Authentication’ which is laid over branded colours (lilac, teal, deep purple) and design (circles).

[Audio] A backing track with an upbeat but calming tune begins and continues for the duration of the video.

[Visual] The frame changes as the narration begins and opens up with a laptop icon central on screen. The style of the video is animated with bright branded colours (shades of green).

[Audio narrator] There are a lot of personal details tied up in our online accounts. From banking, to emails, to social media. But is one layer of protection enough?

[Visual] Credit card icon drops from the top left and sits to the left of the laptop, a phone with social icons drops from the top right and sits to the right of the laptop. An envelope with mail popping out appears on the screen of the laptop.

[Visual] Title screen displays with text: What is 2FA over branded colours (deep purple, teal, spring green) and design (circles).

[Audio narrator] Two factor authentication, or 2FA,

[Visual] Frame changes to show two shields stacked onto each other in the middle of the screen. A mobile phone sits to the left of the shields. Small purple balls cascade towards the shields in all directions and ricochet off them once they hit. The balls slide off screen. The background is green.

[Audio narrator] is an additional security step that helps keep other people out of your online accounts.

[Visual] Frame changes to show a circle with lines across it spinning, and a padlock sitting to the right of the circle. An icon representing a person sits to the right of the padlock and bumps into the padlock over and over.

[Audio narrator] It's a way of ensuring that it's really you who was logging into your account. And is one of the most effective ways to keep attackers out. Most of your online accounts

[Visual] Frame changes to show a laptop central on screen, asterisks are typed out over the screen to represent a password. A closed padlock above the password bar goes from locked to unlocked.

[Audio narrator] are accessed by simple login details, usually a username and password.

[Visual] Large yellow circle appears to the top right of the laptop with an exclamation mark inside a triangle – representing a warning.

[Audio narrator] But what if scammers guessed your password? Or found it via a data breach?

[Visual] Frame changes to the double shield central on screen. Small purple balls cascade towards the shields in all directions and ricochet off them once they hit. The balls slide off screen.

[Audio narrator] 2FA gives you an extra layer of protection and, when enabled, makes it harder for an attacker to get into your online accounts.

[Visual] The shields move to the left of the screen. Three bubbles appear central down the screen. Text appears next to each so it reads:

                2FA Two-factor authentication

                MFA Multi-factor authentication

                2SV Two-step verification

[Audio narrator] 2FA can be referred to in a variety of ways.

[Visual] Title screen displays with text: How does 2FA work? over branded colours (deep purple, teal, different tones of green) and design (circles).

[Audio narrator] Think of 2FA like having two locks on your house.

[Visual] Frame changes to show a house icon central on the screen, with a large keyhole shape on the house.

[Audio narrator] First, you unlock your front door using a key,

[Visual] Frame zooms in to open new frame through the keyhole to show a keypad device central on screen. Keys on the device change colour to represent a code being entered as the buttons are pressed, as this happens asterisks appear in the top of the device.

[Audio narrator] …but you also have a second lock that requires a code.

[Visual] Keypad device slides to the right of the screen, and the house with the keyhole detail slides in from the left of the screen to sit left of the keypad device.

[Audio narrator] These are two forms of security that you have before you get into your house.

[Visual] Laptop appears central on screen with the double shield central on its screen. Background is branded purple circles.

[Audio narrator] Having 2FA on your online accounts is similar.

[Visual] Branded circles background swaps to the green. The shields from the laptop change to the password bar and a locked padlock.

[Audio narrator] First, you log in with your username and password. Then secondly, before getting access to that account, you need a temporary code,

[Visual] Branded purple circles bounce back as the background, laptop is replaced with a phone. A speech bubble pops to the top right of the phone with asterisk to symbolise a code has been sent/received.

[Audio narrator] …either from an authentication app or a text message with a one-off code to use.

[Visual] The phone slides to the right of the screen, the laptop slides in from the left of the screen to sit left of the phone. The background is green.

[Audio narrator] This is a common example of how 2FA can work.

[Visual] Title screen displays with text: Where to begin? over branded colours (deep purples) and design (circles).

[Audio narrator] So, where to begin? Start with your most important accounts. Your internet banking, social media and email accounts.

[Visual] The background flashes back to green. A phone flies down from the top right and sits on the right of the screen. A credit card flies down from the top left and sits on the left of the screen. An envelope flies down the middle of the screen and sits central on screen. Social icons pop up around the phone and text crosses along the bottom of the screen under each icon. ‘Internet banking’ under the cards, ‘Social media’ under the phone and ‘Email’ under the envelope.

[Audio narrator] Most of these will have an option to add 2FA in their security or privacy settings built into the website or app.

[Visual] Background flashes to green. The laptop appears central on screen with the shields central on its screen. A green circle with a tick, pops onto the top right of the laptop.

[Audio narrator] It can sometimes be tricky, so visit ownyouronline.govt.nz for step-by-step instructions on how to set up 2FA simply and easily.

[Visual] Title screen displays with text: ownyouronline.govt.nz with a purple branded background.

[Visual] Frame changes to show a collection of icons bunched together on the page. The circle with lines sits at the back with the phone, laptop and shields surrounding it.

[Audio narrator] Like all security measures, 2FA is one step towards helping you become more secure online. So make sure you're using good security practices everywhere like long, strong and unique passwords.

[Visual] Frame changes with purple background and words pop up in green bubbles down the centre of the frame. They read:

Long

Strong

Unique

Passwords.

[Visual] End frame. ‘Own Your Online’ logo pops up in the centre of the screen. Supporting logos: NCSC is placed on the top right and the NZ Government logo is placed on the top left.

What is 2FA

When your staff log into a business system, or when your customers log into their account on your website, they use a username and password combination. This is known as single factor authentication. 

Two-factor authentication (2FA) requires them to verify that they are who they say they are by providing something else on top of that. That extra piece can be:

  • something they have, or
  • something they are.

Something they have could be:

  • their phone, to receive a code via text message or input biometrics,
  • software – like an authenticator app – that sends an access notification, provides them with an access code or one-time password (OTP), or
  • a security token or key fob that generates access authentication codes.

Something they are includes things like:

  • fingerprint scans,
  • face scans, and
  • voice recognition (biometric data).

How it works

When your staff or customers log in to the system, they'll be asked for the usual username and password credentials, and then they'll be asked for the second piece of information as well.

For example, they could get a random 6-digit number or one-time password (OTP) sent to an application on their smartphone, or a physical key fob. They'll need to use this to verify themselves when they're logging in.
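For a service you build yourself, the second step described above can be checked on the server as follows. This is an added example, not code from this guide or from CERT NZ; it assumes the authenticator app or key fob produces time-based one-time passwords (TOTP, RFC 6238), and the function names and sample secret are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30      # seconds each code is valid for (RFC 6238 default)
DIGITS = 6     # the 6-digit code described above
# Constructed sample: the shared secret used in the RFC 4226/6238 test vectors.
SAMPLE_SECRET = b"12345678901234567890"

def totp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """One-time password for a given time-step counter (HMAC-SHA1)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify_second_factor(secret, submitted, now, last_used=-1, window=1):
    """Return the accepted time-step counter, or None if the code is rejected.

    window: time steps of clock drift tolerated either side of 'now'.
    last_used: counter of the last code accepted for this account; a code
    at or before it is refused, so a captured code cannot be used twice.
    """
    if len(submitted) != DIGITS or not (submitted.isascii() and submitted.isdigit()):
        return None
    current = int(now) // STEP
    accepted = None
    for counter in range(max(0, current - window), current + window + 1):
        # compare_digest does not reveal through timing how many digits matched
        match = hmac.compare_digest(totp(secret, counter), submitted)
        if match and counter > last_used:
            accepted = counter
    return accepted

if __name__ == "__main__":
    now = 59                                     # constructed login time
    code = totp(SAMPLE_SECRET, now // STEP)      # what the app would display
    first = verify_second_factor(SAMPLE_SECRET, code, now)
    replay = verify_second_factor(SAMPLE_SECRET, code, now, last_used=first)
    print(code, first, replay)
```

Store the returned counter against the account after a successful login and pass it back as `last_used` on the next attempt.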

Why it matters

Businesses and organisations of any size can experience cyber attacks. The problem with relying solely on passwords to protect online accounts and systems is that people can’t always keep their passwords safe. Passwords could be guessed or stolen, either through a scam, like phishing, or if their information is caught up in a data breach.

Learn about phishing scams

Learn about data breaches

While an attacker may be able to get access to your staff or customers' login details quite easily, they’re unlikely to have access to the device receiving the authentication code or OTP as well. This makes it much harder for the attacker to gain access to someone's account.

  • It strengthens your internal systems

    Adding another level of security with 2FA makes it harder for an attacker to get into your business systems, which makes you more resilient to other types of attacks, such as ransomware or data theft.

  • It meets customer security expectations

    Customers expect websites to provide 2FA so they can protect their accounts and data. When given the choice, customers may choose a business that provides 2FA over one that doesn't. 

  • It can protect risky access methods, like remote access

    Remote access to a system or network can be risky since it must be used over the internet. This type of access should always use a form of 2FA so your staff and systems can be more secure.

    Enabling staff to work remotely

Protect your business with 2FA

On your systems

There’s no shortage of 2FA solutions on the market, but the approach and the technology they use can vary. Talk to your information security expert about the best solution for your business.

Implementing 2FA will vary from system to system. For cloud-based services, you may be able to enforce 2FA for all staff that have access to that service. For services that you manage or build yourself, you can refer to CERT NZ's Critical Controls for more advice.

Multi-factor authentication and verification - CERT NZ

On the accounts you use

If you use online accounts, such as email, banking, accounting, or government services, these should all have 2FA turned on. If attackers get into these accounts, it can be as bad as if they're in your internal systems. Ensure your most important accounts all have 2FA turned on.

  • Web-based email services.
  • Banking and financial services.
  • Virtual private networks (VPNs).
  • Any cloud-based service you use.

To help set up 2FA on your main accounts, we’ve created a guide that steps you through the process.

Set up two-factor authentication

The risks

Having 2FA is always better than not having it. However, not all 2FA methods are equally secure.

Codes sent via text message or email can be intercepted. Certain biometric verification methods can be inconsistent and give false positives and false negatives.

Our advice is to implement 2FA methods that use physical key fobs, tokens or authenticator apps.

Get help

If you’ve experienced an online security issue, your first step is to contact the service provider.

You can also report an online issue or security incident to us at CERT NZ.

Get help now