To use many of the services on the Internet today, such as email, online banking, or online shopping, you must first prove you are who you say you are. This process is known as authentication. Authentication is done by using something you know (such as your password), something you have (such as your smartphone), or something unique to you (such as a retinal scan or fingerprint).
One of the most common ways of authenticating is a username and a password. The problem with using just a password for authentication is that all an attacker needs to do is guess or compromise your password to gain instant access to your online account and information. The harm is even worse if you use the same username and password for multiple accounts. To better protect your accounts, many websites are moving to stronger authentication methods that require the use of more than one factor to authenticate.
For stronger authentication, you not only have to know something like your password, you also have to have something, such as your smartphone, or present something unique to you, such as your fingerprint. For two-factor authentication, you need two factors to prove who you are instead of just one. A common example of two-factor authentication is your ATM card. To access your ATM, you need to both have something (your ATM card), and you need to know something (your PIN). If an attacker steals your ATM card, it does them no good unless they also know your PIN.
Two-factor authentication works similarly to your ATM card and PIN combination. You use your username and password to access your online account. However, after you enter the correct password, the site requires a second factor of authentication, such as a verification code or your fingerprint. Without the second factor, you won’t have access.
One example of two-factor authentication is used by Gmail. Google’s two-step verification requires both your password and your smartphone. To prove you have your smartphone, Google will send it a one-time verification code via SMS that is unique for you. You then enter the code for access to your account. Thus, an attacker must have both your password and physical access to your smartphone to get into your Gmail account. This feature is not automatic; to enable it, you must log in to your Google account, go into your Account Settings, select Security, and follow the options for two-step verification.
For more information, read the full article at SecuringtheHuman.org.