
2-factor authentication

What is 2-factor authentication?

As its name implies, 2-factor authentication is a login method that requires you to present two factors to log into an account. Usually, this means you have to present something you know, like a password, and then enter information from something you have, like your fingerprint or a code from an app on your phone. 

2-factor authentication is also referred to as two-step verification and multifactor authentication, or MFA.

Why is 2-factor important? 

2-factor authentication provides an extra layer of security in case your password gets into someone else's hands — and unfortunately, that is not an uncommon occurrence.

Think of 2-factor authentication as entering the headquarters of a secret society of which you are privileged to be a member. Your username and password are the "secret knock" at the door, specific only to you. That’s the first factor. The second factor is the bouncer, who looks through the peephole and makes sure it’s really you, not just someone who learned that special knock.

In our technology-mediated world, we gain that assurance by using a device that only you should have access to, such as your smartphone or a digital token. A hacker won’t be able to complete the second step without that personal device in hand — unless you mistakenly grant your approval.

2-factor best practices

While 2-factor authentication is an important and effective security tool, it's not infallible.

Never approve a Duo push or other second-factor request that you didn't just initiate

2-factor authentication will only protect you if you approve second-factor requests that YOU initiate. If you get a second-factor request out of the blue, deny it — and go change your password for the account associated with that request.

And, if you start getting multiple Duo pushes, that is a huge red flag that someone is trying to hack your account. Never accept a request just to make the notifications stop; report any unusual activity like this on your VT accounts to the IT Security Office.

Some second-factor options are more secure than others

In general, Touch ID, physical security keys (e.g., YubiKey), and verified push notifications (where you receive a push notification from an app, but also have to enter a code to approve the push) are considered the most secure.

Passcodes received by SMS or phone call are less secure, as phone numbers can be spoofed and messages intercepted. The bottom line: use the most secure 2-factor method accessible to you and available from the service you are logging into. 
