
Two-Factor Authentication

Made by Stacy Martin, Senior Data Privacy Manager at Mozilla.

Find out how two-factor authentication works to secure your personal information online while learning about web mechanics and security.

60 minutes

  • Introduction

    Did you know that one of the easiest ways to secure your information online is also one of the least used? Two-factor authentication uses something you know (your password) and something you have (such as your phone) to guard access to your online data. In this activity, you'll learn how you can use two-factor authentication to add another layer of security around your personal information online.

  • 15

    Check Out Two-Factor Authentication with a Service You Use

    If you've ever used your bank's ATM, then you've used two-factor authentication. At the ATM, you insert your ATM card (something you have) and enter your passcode (something you know). No one with just your password or just your ATM card can gain access to your account at the ATM without having the other piece. Two-factor authentication basically doubles how much information a would-be thief needs to have in order to access your accounts.

    As security analyst Neil Rubenking says, “When two-factor authentication is involved, hackers lose interest. They'll get a much bigger payoff focusing on accounts protected with nothing but a password.”

    Two-factor authentication is also sometimes called "two-step verification." Check to see which of your Web services offer two-factor authentication and consider signing up for it. Instructions on how to set up two-factor authentication with several popular services like Google, Facebook, Yahoo, PayPal, LastPass, and Dropbox are here.

  • 5

    Avoiding "Man-in-the-Middle" Attacks

    Several services use your phone number as a form of two-factor authentication. You should know that using your phone number can set you up for a "man-in-the-middle" attack. You can learn more about man-in-the-middle attacks here.

    One simple way to fight man-in-the-middle attacks is to type in your web addresses with "https" instead of "http." The "s" stands for secure, and it uses Web technologies to encrypt your communication with a web service. For example, if I visit Google by typing instead of, all of my search terms will be scrambled and coded as they travel from my computer to Google's search-engine computers. If I don't use the "s" and someone eavesdrops on my data as it travels across the Internet, they can see exactly what I typed in the search box.

  • 10

    Determine Whether or Not Two-Factor Authentication Works for You

    Think through these questions as you consider whether or not to use two-factor authentication with your Web services.

    • How does two-factor authentication work? Can you explain it or teach it to someone else?
    • What are the benefits of two-factor authentication?
    • What are some of the risks of two-factor authentication? Why is it important to use two-factor authentication with secure, "https" connections to other websites?
    • Are the tradeoffs of adding an extra step by requiring two forms of identification when you sign in from an unknown computer worth the benefits of making it much more difficult for a thief to get access?
    • What can you do to minimize the risk of losing an external device? Tip: To avoid linking your account to a particular phone, you may be able to use a free Google Voice number. This also allows you to avoid providing a third party with your cell or home numbers.
    • What should you do before disclosing your phone number to a third party? Hint: Read their privacy policy to understand how it will be used and secured.
    • What are man-in-the-middle attacks? And what can you do? Tip: Use "https" and stay away from web servers you don’t trust.