The basics
Whakamahia te motuhēhēnga tukarua hei whakamaru i ō pūkete

Use two-factor authentication to protect your accounts

Adding two-factor authentication (2FA) to your logins is a simple way of adding an extra layer of security to your online accounts.

3 min read

View transcript

[Visual] The video begins with an intro graphic displaying the video title ‘Protect yourself online Two-Factor Authentication’ which is laid over branded colours (lilac, teal, deep purple) and design (circles).

[Audio] A backing track with an upbeat but calming tune begins and continues for the duration of the video.

[Visual] The frame changes as the narration begins and opens up with a laptop icon central on screen. The style of the video is animated with bright branded colours (shades of green).

[Audio narrator] There are a lot of personal details tied up in our online accounts. From banking, to emails, to social media. But is one layer of protection enough?

[Visual] Credit card icon drops from the top left and sits to the left of the laptop, a phone with social icons drops from the top right and sits to the right of the laptop. An envelop with mail popping out appears on the screen of the laptop.

[Visual] Title screen displays with text: What is 2FA over branded colours (deep purple, teal, spring green) and design (circles).

[Audio narrator] Two factor authentication, or 2FA,

[Visual] Frame changes to show two shields stacked onto each other in the middle of the screen. A mobile phone sits to the left of the shields. Small purple balls cascade towards the shields in all directions and ricochet off them once they hit. The balls slide off screen. The background is green.

[Audio narrator] is an additional security step that helps keep other people out of your online accounts.

[Visual] Frame changes to show a circle with lines across it spinning, and a padlock sitting to the right of the circle. An icon representing a person sits to the right of the padlock and bumps into the padlock over and over.

[Audio narrator] It's a way of ensuring that it's really you who was logging into your account. And is one of the most effective ways to keep attackers out. Most of your online accounts

[Visual] Frame changes to show a laptop central on screen, asterisks are typed out over the screen to represent a password. A closed padlock above the password bar goes from locked to unlocked.

[Audio narrator] are accessed by simple login details, usually a username and password.

[Visual] Large yellow circle appears to the top right of the laptop with an explanation mark inside a triangle – representing a warning.

[Audio narrator] But what if scammers guessed your password? Or found it via a data breach?

[Visual] Frame changes to the double shield central on screen. Small purple balls cascade towards the shields in all directions and ricochet off them once they hit. The balls slide off screen.

[Audio narrator] 2FA gives you an extra layer of protection and, when enabled, makes it harder for an attacker to get into your online accounts.

[Visual] The shields move to the left of the screen. Three bubbles appear central down the screen. Text appears next to each so it reads:

                2FA Two-factor authentication

                MFA Multi-factor authentication

                2SV Two-step verification

[Audio narrator] 2FA can be referred to in a variety of ways.

[Visual] Title screen displays with text: How does 2FA work? over branded colours (deep purple, teal, different tones of green) and design (circles).

[Audio narrator] Think of 2FA like having two locks on your house.

[Visual] Frame changes to show a house icon central on the screen, with a large keyhole shape on the house.

[Audio narrator] First, you unlock your front door using a key,

[Visual] Frame zooms in to open new frame through the keyhole to show a keypad device central on screen. Keys on the device change colour to represent a code being entered as the buttons are pressed, as this happens asterisks appear in the top of the device.

[Audio narrator] …but you also have a second lock that requires a code.

[Visual] Keypad device slides to the right of the screen, and the house with the keyhole detail slides in from the left of the screen to sit left of the keypad device.

[Audio narrator] These are two forms of security that you have before you get into your house.

[Visual] Laptop appears central on screen with the double shield central on its screen. Background is branded purple circles.

[Audio narrator] Having 2FA on your online accounts is similar.

[Visual] Branded circles background swaps to the green. The shields from the laptop change to the password bar and a locked padlock.

[Audio narrator] First, you log in with your username and password. Then secondly, before getting access to that account, you need a temporary code,

[Visual] Branded purple circles bounce back as the background, laptop is replaced with a phone. A speech bubble pops to the top right of the phone with asterisk to symbolise a code has been sent/received.

[Audio narrator] …either from an authentication app or a text message with a one-off code to use.

[Visual] The phone slides to the right of the screen, the laptop slides in from the left of the screen to sit left of the phone. The background is green.

[Audio narrator] This is a common example of how 2FA can work.

[Visual] Title screen displays with text: Where to begin? over branded colours (deep purples) and design (circles).

[Audio narrator] So, where to begin? Start with your most important accounts. Your internet banking, social media and email accounts.

[Visual] The background flashes back to green. A phone flies down from the top right and sits on the right of the screen. A credit card flies down from the top left and sits on the left of the screen. An envelope flies down the middle of the screen and sits central on screen. Social icons pop up around the phone and text crosses along the bottom of the screen under each icon. ‘Internet banking’ under the cards, ‘Social media’ under the phone and ‘Email’ under the envelope.

[Audio narrator] Most of these will have an option to add 2FA in their security or privacy settings built into the website or app.

[Visual] Background flashes to green. The laptop appears central on screen with the shields central on its screen. A green circle with a tick, pops onto the top right of the laptop.

[Audio narrator] It can sometimes be tricky, so visit ownyouronline.govt.nz for step-by-step instructions on how to set up 2FA simply and easily.

[Visual] Title screen displays with text: ownyouronline.govt.nz with a purple branded background.

[Visual] Frame changes to show a collection of icons bunched together on the page. The circle with lines sit at the back with the phone, laptop and shields surrounding it.

[Audio narrator] Like all security measures, 2FA is one step towards helping you become more secure online. So make sure you're using good security practices everywhere like long, strong and unique passwords.

[Visual] Frame changes with purple background and words pop up in green bubbles down the centre of the frame. They read:

Long

Strong

Unique

Passwords.

[Visual] End frame. ‘Own Your Online’ logo pops up in to centre of the screen. Supporting logos NCSC is placed on the top right and the NZ Government logo is place on the top left.

What is 2FA?

Usually, when you log into an  you only need one thing to verify that you are who you say you are – your password. 

With , you need to provide two things. We often describe this is as choosing two out of: 

  • something that only you know,  
  • something that only you have, and  
  • something you are. 

Something you know could be your: 

  • password
  • security questions, or
  • PIN number.

Something you have could be: 

  • your phone, where you receive a text message with a code or a call,
  • software or an app – for example Google Authenticator – that sends a notification to your phone or provides you with a temporary access code, or 
  • a physical security token or key fob that generates a temporary access code. 

Something you are could be:

  • your fingerprint, 
  • your face (for Face ID), or
  • your voice.

Why it matters

Even if someone finds out what your password is, they can’t get into your account unless they also have physical access to, for example, your phone or your fingerprint. This simple barrier can stop most attacks in their tracks. 

The problem with relying on just your username and password is that you can’t always keep your passwords safe. Your password could be guessed or stolen, either  

  • through a scam, like

or if a business you have an account with suffers a data breach. 

How to create strong passwords

What is Phishing

What is a data breach?

Adding that extra step with 2FA makes it much harder for an attacker to get into your online accounts.

There are a lot of different names for two-factor authentication. It might be called, two-step verification (2SV), multi-factor authentication (MFA) or use a term like 'security key' instead.

How to protect yourself

  • Enable 2FA on your accounts

    You can enable 2FA on most of your online accounts. We recommend starting with the most important ones, such as: 

    • internet banking
    • email accounts,
    • social media networks, and
    • online accounts with financial details - for example, investment sites, Inland Revenue or online shopping.

    You'll often find the option to enable 2FA in the privacy settings of the website or app.

    Companies can enable 2FA or other security features in a variety of ways. Some may even have different options if you’re logging into your account on your desktop, laptop, or mobile device. 

    It can be confusing, so we've created a guide to help you turn on 2FA for each account. 

    How to set up two-factor authentication on your main accounts

    Like any security measures, 2FA isn’t bulletproof. Make sure you’re using strong passwords and have good security practices when using your devices.

  • Choose a method other than a text message if possible

    It’s possible to intercept verification codes that are sent by text. While using 2FA via text is much safer than not using 2FA, if there’s a different method available – for example, using an authentication app or – we recommend using that instead.

    If you receive a temporary access code for an account you weren’t trying to log into, change your password. Someone might have accessed your password details and be attempting to access your account without your knowledge.