Your two-factor authentication methods – ranked
Not all 2FA methods are equal. We have ranked some of the most common two-factor authentication methods for individuals and small and medium businesses by how secure they are.
Two-factor authentication (2FA) is an additional security step that is used to prove or validate it’s really you logging into your account. It's one of the most effective ways to keep other people out of your online accounts. We have put together a guide that explains what 2FA is and how to enable it for your key accounts.
Set up two-factor authentication (2FA)
2FA can be set up using different methods, with different online accounts giving you different options. We’ve taken the types of 2FA you might come across and ranked them from least secure to most secure, so you can make an informed choice.
If there is only one option available, remember, having any form of 2FA makes your accounts more secure than not having it.
5. SMS or email code
What is it?
You enter your login details, and the website (or app) sends an SMS (text message) with a code to your mobile phone, or an email with a code to your email address. You enter the code on the website, and it lets you into your account. The code can be used only once and only for a short time, which is why it's called a 'one-time passcode'.
This method is also used by some banks for large or unusual payments and transfers.
How secure is it?
SMS codes are very widely used as 2FA and add an important layer of security to your online accounts, but scammers can find ways to get hold of your code. Using techniques like SIM swapping (persuading your mobile provider to move your phone number to a SIM card they control), they can have your messages delivered to them instead of you; weaknesses in mobile networks can also let messages be intercepted in transit; or they could impersonate someone in authority and persuade you to read the code out to them.
Codes sent to your email are less secure than SMS and are not recommended: anyone who gets into your email account also receives the codes, and email is usually the account used to reset your other passwords.
4. Authenticator apps
What is it?
An authenticator app generates one-time passcodes you can use to validate your login. Each account you add to the app gets its own secret, so each passcode is unique to an account, and the passcodes are time-based, changing at short intervals (usually every 30 seconds). When you log in with your password, you will be prompted to enter the current code for that account from your authenticator app.
How secure is it?
Authenticator apps are more secure than codes sent to you by text. The codes are generated on your phone from a secret stored when you set the account up, so there is no message to intercept or redirect, and they rely on something you have, in this case an authenticator app installed on your phone, to make sure it's really you logging in to the account.
Authenticator apps also work offline, so if your phone does not have network coverage or a Wi-Fi connection, you can still use the codes it generates to log in. There is still a risk that an impersonator could ask you for the verification code over the phone to try and log in remotely, and a fake login page can ask for the code and pass it straight on to the real site while it is still valid.
Tip: Never share or give your temporary passcode to anyone, even if it’s someone from a trusted organisation. Scammers commonly use this tactic where they will say they have sent you a one-time password to verify your identity and ask you to read it back. If you give it to them, they can get into your account with the code.
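As an added worked example (not code from the original article), here is how an authenticator app computes those codes, using the time-based one-time password algorithm (TOTP, RFC 6238, built on HOTP from RFC 4226) that most apps and sites use, together with the check a server performs on a submitted code. The base32 secret is the RFC's published test seed, not a real account key, and the function names are ours.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"strings"
	"time"
)

// totpStep is the interval most authenticator apps use (RFC 6238 default, seconds).
const totpStep = 30

// hotp computes an RFC 4226 HOTP code: HMAC-SHA1 over the 8-byte big-endian
// counter, dynamically truncated to a 31-bit integer, then reduced to `digits`
// decimal digits with leading zeros kept.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// totpAt derives the code valid at Unix time t (RFC 6238): the counter is the
// number of 30-second steps since the epoch. Only the secret and the clock are
// needed, which is why the app works with no network connection.
func totpAt(secret []byte, t int64, digits int) string {
	return hotp(secret, uint64(t)/totpStep, digits)
}

// decodeBase32Secret parses the secret the way it is shown at setup time
// ("gezd gnbv ..." style): spaces ignored, case-insensitive, padding optional.
func decodeBase32Secret(s string) ([]byte, error) {
	s = strings.ToUpper(strings.ReplaceAll(s, " ", ""))
	return base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(s)
}

// verifyTOTP is the server-side check: the submitted code must match the
// current step or the one either side (tolerating clock drift), compared in
// constant time. Anything older is rejected even though it was once valid.
func verifyTOTP(secret []byte, code string, now int64, digits int) bool {
	for _, delta := range []int64{0, -1, 1} {
		expected := totpAt(secret, now+delta*totpStep, digits)
		if hmac.Equal([]byte(expected), []byte(code)) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed example secret: the RFC 6238 test seed "12345678901234567890"
	// in base32. Not a real account key.
	secret, err := decodeBase32Secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
	if err != nil {
		panic(err)
	}
	fmt.Println("code now:", totpAt(secret, time.Now().Unix(), 6))
	fmt.Println("RFC 6238 vector at t=59:", totpAt(secret, 59, 8))
}
```

Run it and the first code printed changes every 30 seconds; the second is the RFC's published value for t=59 and should stay fixed. verifyTOTP shows the other half of the picture: a code read out to a scammer is only useful inside that short window, which is why they ask you to read it back straight away.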
3. Push notifications
What is it?
Push notifications are generated when you log into your account on a device. For example, if you try to access your email on a public computer, you get a notification on your phone asking if you are attempting to log in. You can select ‘yes’ to validate, or ‘no’ to cancel the login.
How secure is it?
As with authenticator apps, this type of authentication needs you to have a trusted, secondary device such as your mobile phone to be able to log in. Anyone impersonating you would need to get their hands on your phone, or get you to tap 'yes' on a login you did not start, to be able to get in. In many cases, the notification will also tell you where the login is taking place, so you can spot someone trying to remotely break into your account.
Your secondary device needs an active internet connection for this type of 2FA to work and it cannot be done offline.
2. Number matching
What is it?
When you log in to your account on a computer, the website shows you a code on the screen. At the same time, you get a notification on your phone asking you if you are trying to log in. But instead of asking you to simply select yes or no, it asks you to either select the number that matches the one on your screen, or type the code on your phone.
How secure is it?
Like push notifications, this form of 2FA requires you to have a secondary device. A downside of plain push notifications is notification fatigue: a scammer who has your password can attempt login after login, and someone flooded with prompts may eventually tap 'yes' just to make them stop. Number matching removes this risk. A new number is shown for every login attempt, and only someone who can see the screen where the login is happening can enter it, so a scammer cannot get in just by wearing you down with prompts.
1. Physical security keys
What is it?
A security key is a separate device, often a small USB stick (some also work over NFC or Bluetooth), that you plug into or tap against your computer or phone to validate your login. It may ask you for a PIN as well, but usually it just needs you to plug it in and touch it.
How secure is it?
Security keys make your account phishing resistant. The key only responds to the genuine website it was registered with, so a fake login page cannot use it even if you are tricked into visiting one, and someone who has obtained your password still needs the physical key to get into your account. Unlike other methods, security keys also protect you if the attackers somehow have access to your phone. There is nothing a scammer can talk you into reading out or approving, because there is no code to read out and no notification to accept.
This 2FA method comes with additional costs because it requires you to have a secondary device. It is also less common – not many websites allow you to set up an external key. But you can use this for your most important accounts – such as, to log in to your work computer or for your business’s social media accounts.
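An added example, not code from the article, showing why a security key cannot be phished. It is a cut-down model of the FIDO2/WebAuthn exchange: the key holds a separate credential per site identity (the relying party ID, rpID), the browser refuses to use that credential on any other origin and writes the real origin into the data the key signs, and the site checks the origin and its own fresh challenge before trusting the signature. bank.example and bank-example.com are constructed names, the browser's origin check is simplified to an exact host match, and all function names are ours.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData is a cut-down WebAuthn clientDataJSON; the browser, not the page, sets Origin.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// securityKey models the token: one credential per rpID; private keys never leave it.
type securityKey struct{ creds map[string]ed25519.PrivateKey }

// register creates a credential scoped to rpID; the site stores the public key.
func (k *securityKey) register(rpID string) (ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	k.creds[rpID] = priv
	return pub, nil
}

// signedMessage is what the key signs and the site verifies: SHA-256(rpID) ||
// SHA-256(clientData), so the site identity and the real origin are both bound in.
func signedMessage(rpID string, cd []byte) []byte {
	rpHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(cd)
	return append(rpHash[:], cdHash[:]...)
}

// sign returns the signature over clientData for the credential held for rpID.
func (k *securityKey) sign(rpID string, cd []byte) ([]byte, error) {
	priv, ok := k.creds[rpID]
	if !ok {
		return nil, errors.New("key: no credential registered for this rpID")
	}
	return ed25519.Sign(priv, signedMessage(rpID, cd)), nil
}

// browserAssert is the browser's part: it refuses to use a credential whose rpID
// does not belong to the page origin the user is really on (simplified to an exact
// host match), writes that origin into clientData itself, then asks the key to sign.
func browserAssert(key *securityKey, pageOrigin, rpID, challenge string) ([]byte, []byte, error) {
	if pageOrigin != "https://"+rpID {
		return nil, nil, fmt.Errorf("browser: rpID %q is not valid for origin %q", rpID, pageOrigin)
	}
	cd, err := json.Marshal(clientData{Challenge: challenge, Origin: pageOrigin})
	if err != nil {
		return nil, nil, err
	}
	sig, err := key.sign(rpID, cd)
	return cd, sig, err
}

// siteVerify is the genuine site's check: its own fresh challenge, its own origin, valid signature.
func siteVerify(pub ed25519.PublicKey, rpID, origin, challenge string, cd, sig []byte) error {
	var parsed clientData
	if err := json.Unmarshal(cd, &parsed); err != nil {
		return err
	}
	if parsed.Challenge != challenge {
		return errors.New("site: challenge mismatch (stale or replayed)")
	}
	if parsed.Origin != origin {
		return errors.New("site: assertion was signed for a different origin")
	}
	if !ed25519.Verify(pub, signedMessage(rpID, cd), sig) {
		return errors.New("site: bad signature")
	}
	return nil
}

// login plays out one attempt against bank.example (constructed name): the page at
// pageOrigin relays the bank's fresh challenge to the user's browser and posts back
// whatever it gets. It returns nil only when the page really is the bank.
func login(key *securityKey, pub ed25519.PublicKey, pageOrigin string) error {
	raw := make([]byte, 16)
	rand.Read(raw) // crypto/rand; an error here means a broken system
	challenge := fmt.Sprintf("%x", raw)
	cd, sig, err := browserAssert(key, pageOrigin, "bank.example", challenge)
	if err != nil {
		return err
	}
	return siteVerify(pub, "bank.example", "https://bank.example", challenge, cd, sig)
}

func main() {
	key := &securityKey{creds: map[string]ed25519.PrivateKey{}}
	pub, _ := key.register("bank.example")
	fmt.Println("genuine site:  ", login(key, pub, "https://bank.example"))
	fmt.Println("lookalike site:", login(key, pub, "https://bank-example.com"))
}
```

login returns nil from the genuine site and an error from the lookalike, before anything is signed. Even a tampered client that skipped the browser's check would not help a scammer relaying the bank's real challenge: the origin in the signed data is the scammer's, and the bank rejects it. Compare this with a one-time code, which is just a number the user can be talked into typing anywhere.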
Tip
Setting up 2FA is easy and you can do it right now. To start, we recommend setting up 2FA for your most important online accounts, such as internet banking, email accounts, inland revenue and social media networks.