The basics
Use two-factor authentication to protect your accounts

Adding two-factor authentication (2FA) to your logins is a simple way of adding an extra layer of security to your online accounts.

What is 2FA?

When you log into an online account with a username and password, you’re using what’s called single factor authentication. You only need one thing — your password — to verify that you are who you say you are.

With 2FA, you need to provide two things — your password and something else — before you can access an account.

The two things you use to authenticate (prove you are you) can be:

  • something you know, and
  • something you have or something you are.

Something you know could be your:

  • password
  • security questions, or
  • PIN number.

Something you have could be:

  • your phone, where you receive a text message with a code or a call asking you to press certain buttons on your phone
  • a physical security token or fob that generates a temporary access code, or connects to your computer (like a YubiKey)
  • software, for example an app like Google Authenticator, that sends a notification to your phone or provides you with a temporary access code.

Something you are includes things like:

  • fingerprint scans
  • facial recognition
  • voice recognition.

Why it matters

The problem with relying on a username and password to log into your online accounts is that you can’t always keep your passwords safe. Your password could be guessed, or stolen:

  • through a scam, like
  • from a business you have an account with, if they have a data breach.


Adding another level of security with 2FA makes it harder for an attacker to get into your online accounts — just knowing your username and password isn’t enough.

For example, if you want to log into one of your social media accounts and you have 2FA set up, you might need both your password and a temporary access code from an app on your phone. This means that even if someone finds out what your password is, they can’t get into your account unless they also have physical access to your phone so they can get the code – which isn’t very likely.

Some online services don’t call it two-factor authentication. They might call it two-step authentication, two-step verification, multi-factor authentication (MFA) or use a term like 'security key' instead.

How to protect yourself

  • Enable 2FA on your accounts

    You can enable 2FA on most of your online accounts, like your:

    • email accounts
    • social media networks
    • internet banking
    • online shopping sites.

    You'll often find the option to enable 2FA in the privacy settings of your online accounts.

    Banks all enable their 2FA systems or security features differently. Some will have different options depending on whether you’re logging into your account on your desktop, laptop, or mobile device. Check your bank’s website to see what their security options are, and how to set them up.

    Like any security measure, 2FA isn’t bulletproof. Make sure you’re still using strong passwords and have good security practices when using your devices.

  • Choose a method other than a text message if possible

    It’s possible to intercept verification codes that are sent by text. While using 2FA via text is much safer than not using 2FA, if there’s a different method available – for example, using an authentication app or security key – we recommend using that instead.

    If you receive a temporary access code for an account you weren’t trying to log into, change your password. Someone might have accessed your password details and be attempting to access your account without your knowledge.