Two-Factor Authentication (2FA) Explained
Two-factor authentication, or 2FA, is an additional layer of security that makes it much harder for an account to be taken over. The idea behind it is that logging in to a service requires something you know and something you have.
Something You Know
Online accounts typically require only something you know: a password.
There are a number of problems with this, and a password on its own is often remarkably insecure. The root problem is that, as humans, we are not very good at coming up with unique, random strings, and we are even worse at remembering them.
Although not all of the world's 7.13 billion people are on the internet, around 3.188 billion are. Think you can come up with a password nobody else has chosen... that you'll remember? Think again.
Rather than storing the password itself, a service normally runs it through a one-way cryptographic hash function and stores the result, a fixed-length sequence of characters called a hash. Historically that function was often MD5, which produces a 128-bit (32 hexadecimal character) digest.
However, MD5 is no longer fit for this purpose. It has known collision weaknesses and, more importantly for passwords, it is extremely fast to compute, so an attacker holding a stolen hash can try billions of guesses per second against it. Modern systems use a deliberately slow, salted password hashing function such as bcrypt, scrypt, Argon2 or PBKDF2 instead.
According to the Password Random website, the most popular password is password. The hash of
A hash cannot be reversed directly, but it does not need to be. If an attacker precomputes the hash of every word in a dictionary (and of common passwords such as password), recovering the original is just a lookup: find the stolen hash in the table and read off the word. Unsalted hashes make this especially easy, because the same password always produces the same hash, so one precomputed table works against every user of every site. That is why a single dictionary word is a poor password, and why a service should add a random per-user salt before hashing.
Passwords, Further Reading... and Listening
I wrote about Picking Passwords: Pitfalls, Practicalities and Protection, and Harry Guinness taught you How to Perform a Password Security Audit.
Something You Have
As you can see, passwords alone are not necessarily particularly secure. Single-factor authentication relies entirely on something you know; if an attacker learns that something as well, whether from a leaked database, a phishing page or a lucky guess, they have access to the account.
You'll recall that I said the idea behind 2FA is that logging in to a service requires something you know and something you have.
Whilst an attacker may know a username and password, if the login also requires something you have, then you are likely to have that something and the attacker is not.
The thing that most people have with them pretty much all the time is a smartphone, so it comes as no surprise that this is used for 2FA.
Whether the second factor is a numerical code sent in an SMS text or one generated by an authenticator app such as Authy, the time-limited code on your smartphone is not available to someone who has only your password. The two are not equal, though. An SMS code can be read by an attacker who has persuaded your carrier to move your number to their SIM (a SIM swap), whereas an app-generated code (TOTP) is derived on the phone from a secret shared when you enrol and never travels over the phone network, so prefer an app where the service offers one. Neither protects you if you type the code into a phishing page that relays it to the real site within the validity window, which is why the advice below about going directly to paypal.com still matters.
Setting Up 2FA on a PayPal Account
Log in to PayPal
Open a web browser, such as Safari or Google Chrome, and type paypal.com into the omnibar (the address bar) at the top of the browser window.
I recommend that you do it this way and do not search for PayPal or click on links that you find in emails or on web pages. Search results can carry paid adverts for look-alike domains, and a link in an email points wherever its sender chooses; typing the domain name yourself is the one step that makes it (relatively) certain you are visiting the genuine PayPal website. Once the page loads, check that the browser shows a secure (https) connection to paypal.com before entering anything.
At the top right-hand side of the screen, click the Log In button.
Enter the account username and password and click the Log In button to access the PayPal website account.
Navigating the PayPal Website
Find the Security Key Option
In the world of PayPal, the name for 2FA is Security Key. I don't think it's a helpful name, but it's the functionality, and the protection that it affords you, that counts.
From the Summary view of the PayPal account, as shown above, you'll need to navigate a couple of pages in order to find the Security Key setting.
On the top right-hand side of the screen, click on the Settings Cog, next to the Log Out button, to display the PayPal account profile information.
On the navigation at the top, you'll see a heading marked Security, as shown in the screenshot above. Click this navigation item.
On the Security screen, you'll see that the fourth option listed is Security Key. To the right, click Update to access the settings for this item.
Activating the Security Key
By default, you won't have a Security Key. Click the Get Security Key link, as shown in the screenshot above.
To register a mobile telephone number, enter the number in both the Enter mobile number: box and the Confirm mobile number: box.
The Security Key two-factor authentication is now set up for the PayPal account. Using the button at the top right-hand side of the screen, click Log Out.
Logging in to PayPal Using 2FA
As before, open a web browser and type paypal.com into the browser omnibar, for the reasons I explained earlier, then log in with the account username and password.
The mobile phone telephone number that you registered earlier will be partially displayed, with the last three digits of the number showing and the rest obfuscated for privacy and security.
Check that the last three digits of the number are correct for the mobile phone.
If the number is correct, click on the Send Me the Text blue button.
After anything from a few seconds to a few minutes, you'll receive a text from PayPal containing a six-digit authentication number.
This number is time-sensitive and must be used within five minutes. Beyond this, it will time out, and you'll need to request a new Security Key authentication code.
Enter the six-digit Security Key authentication code and click Continue to go through to the PayPal account.
You'll now have logged in to the PayPal account with something you know, being the password, and something you have, being the mobile phone.
This is two-factor authentication, and the PayPal account is now much more secure as a result.
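What the service has to do on its side for an SMS code like the one above, as an added example written for this page (it is not PayPal's implementation, whose internals are not public). It issues a random six-digit code, stores only a hash of it, accepts it once within the five-minute window the text describes, and gives up after a handful of wrong guesses. The `send_sms` callable is injected so the example runs offline; the phone numbers used in the demonstration are constructed from the UK's reserved drama-number range and do not belong to anyone.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # the five-minute validity the text describes
MAX_ATTEMPTS = 5         # a six-digit code has only a million values; limit guessing


class SmsOtpService:
    """Server side of an SMS one-time-code step: issue, deliver, verify once, expire."""

    def __init__(self, send_sms):
        # send_sms(phone_number, message): injected transport, so this runs with no gateway.
        self._send_sms = send_sms
        self._pending = {}   # account -> {"hash", "phone", "issued", "attempts"}

    def issue(self, account: str, phone: str, now=None) -> None:
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10 ** 6):06d}"   # CSPRNG, leading zeros preserved
        self._pending[account] = {
            # Hashing keeps the plaintext out of the store; with only a million possible
            # codes the real defences are the TTL and the attempt limit below.
            "hash": hashlib.sha256(code.encode()).digest(),
            "phone": phone,
            "issued": now,
            "attempts": 0,
        }
        self._send_sms(phone, f"Your login code is {code}")

    def verify(self, account: str, submitted: str, now=None) -> bool:
        now = time.time() if now is None else now
        entry = self._pending.get(account)
        if entry is None:
            return False                       # nothing issued, or already used
        if now - entry["issued"] > CODE_TTL_SECONDS:
            del self._pending[account]         # timed out: the user must request a new code
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._pending[account]         # too many guesses: invalidate the code
            return False
        ok = hmac.compare_digest(hashlib.sha256(submitted.encode()).digest(), entry["hash"])
        if ok:
            del self._pending[account]         # single use: a replayed code is rejected
        return ok


if __name__ == "__main__":
    outbox = []
    svc = SmsOtpService(lambda phone, msg: outbox.append((phone, msg)))
    svc.issue("demo-account", "+447700900123")   # constructed example number
    print("SMS sent:", outbox[-1])
```

Note what the attempt limit and single-use rule buy you: an attacker who knows the password but not the phone gets at most five blind guesses out of a million possibilities before the code is thrown away, and a code the legitimate user has already entered cannot be replayed.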
If you're anything like me, you like to keep contact information up to date. With this tip, you'll be able to see at a glance that a text message has come from PayPal.
Set up a contact card for PayPal and enter the mobile number as 62226. That's it. No international dialling code. No area code. Just the shortcode number.
Now, when you receive an authentication message, instead of showing that it has come from 62226, your phone will show that it has come from PayPal. Treat this as a convenience only: the sender ID on an SMS can be spoofed, so a message labelled PayPal is not proof that PayPal sent it, and you should never follow a link in a text or give the code to anyone who asks for it.
Note, this is the shortcode that PayPal uses in the United Kingdom. The number may be different for other regions.
In this tutorial, I have explained that two-factor authentication is something you know and something you have. In this example, it's a password and a time-sensitive code sent to you by SMS.
I have explained that two-factor authentication is more secure than a password alone, and I have shown you how to set up two-factor authentication on a PayPal account.
It is particularly important to set up two-factor authentication on important accounts, especially any that involve finances, and to prefer an authenticator app over SMS wherever the service offers one.