Passwords are tricky, as I’ve written before. This year I’ve noticed a marked uptick in the use of 2FA, otherwise known as 2-factor authentication or sometimes called 2-step verification. You’ve noticed it too, when you’ve tried to log in using passwords and been made to jump through another hoop and provide a random code before finally logging into your destination website or app. Since you might also wonder what the heck is 2FA and why is it torturing you so badly, let’s chat about it.
What the Heck is 2FA?
For a really non-technical explanation, 2FA is an extra step that tech companies take to make sure it’s really you logging into a website or service. There are several problems, as you don’t always know when 2FA is turned on, and it feels like you are hitting a brick wall for some sites if you can’t get to a device for verification.
I know you really might be here at HeartWork Organizing because you want to see pretty shelves and organized containers, but organizing passwords and tech is part of all of our lives now. 2FA security might feel like something that is being done to you, not for you, and it’s very frustrating. I hope this info helps you when you are standing in line or trying to get through an online checkout for those new organizing goodies, and instead end up looking at a login screen asking yourself, what the heck is 2FA?
Types of 2FA
You’ve already likely experienced the most common type of 2FA challenge: you try to log in using a valid password, you immediately get a text, and you are supposed to put in a 6-digit code from that text into the website you started at, and voila, you’re in.
There are alternate versions of this as well.
Google will call you with a voice-generated code. You must answer the phone, which many people just don’t do. Recently when he attempted to log in, a client was frustrated because he was getting “spammed” from a Washington, DC number while we were working. It wasn’t spam; it was his Google 2FA code. We had to attempt it a few times before we got the info we needed to log in. Actually, Google has several ways to verify that you are who you are, but they may send it to one of your other devices, so be on the lookout for their messages.
Google and others are also moving to “passkeys”, which do require additional action but might not involve codes. Mylio, for instance, recently implemented passkeys that required you to log in to your admin account using an email they sent to you on the spot when you attempted to log in. After testing this for some months, Mylio made changes again because users weren’t familiar or successful with this process.
Apple 2FA will often ask you for information about your other Apple devices, such as your Mac password or the 6-digit code you use to open your iPhone.
Third-party authenticator apps generate a random code (or token) for you, which you then provide when challenged, and if your app code matches in the tech company’s system, you’re in. These apps are free and available to download on your phone. There’s Microsoft Authenticator, Google Authenticator, and apps like 2FAS. Try to stick with one authenticator. For instance, if you subscribe to Microsoft 365, you should be able to use the Microsoft Authenticator for other companies that also require a token-based authenticator app. If you are all Google, all the time, then try to stick with their authenticator app for your convenience. The Microsoft Authenticator goes the other way and generates a code when you log in that you have to enter on your phone app.
While you are asking, what the heck is 2FA, the different tech companies are all trying to stay one step ahead of the bad guys. As a result, they all manage passwords and 2FA security in different ways, so it’s up to you to be ready for their various challenges.
User Misconceptions about 2FA
Passwords already stink, let’s be honest, but they’ve been the way to keep the bad guys out of your accounts up until now. How many times have you said, I wish there were something better than passwords? Biometrics like using your fingerprint or face scan have their own issues, like not being available on all devices, and being a little too invasive for some of us.
There are some common misconceptions with 2FA.
2FA User Misconception #1
I’m getting a text when I log in, so my password must be wrong. Nope, probably not. Your correct password is what got you this far. You need to provide that code back to the login page to complete your login.
2FA User Misconception #2
I don’t need to open the text to get the code. Definitely open the text. Some authentication requires tapping a link instead of inputting a code. Some texts arrive with a 5-digit code in the header that you see in the preview, but the 6-digit token is actually in the body of the text. I know, ridiculous. Very tricky.
2FA User Misconception #3
I’m not (or grandma is not) important enough to need all of this security. Can’t I just turn it off? Weeeelllll, we all have something hackers want: an identity. The companies you rely on have put 2FA in place to protect you. I recommend playing along to reduce or eliminate the chance of leaking your info.
User Challenges with 2FA
2FA User Challenge #1
The biggest challenge, by far, is not slowing down enough to take the right next step. When you get challenged with 2FA:
Step 1: SLOW DOWN and read the message on the screen. It will tell you whether you need to go to email, your texts, an authenticator app, or your voicemail for the next step.
Step 2: Read the entire message, top to bottom, in the email, text, or popup that you just received. The first code or link you see isn’t always the first one you need to work with.
Step 3: Don’t get frustrated. If you don’t receive the 2FA message you were expecting, go back to the original website or page and look for a way to request another message.
Bonus step: If you do change your password, be sure to immediately write down or capture your password on your digital keychain. Going too fast now will cause trouble later.
2FA User Challenge #2
Remember that some 2FA challenges will come through your email, so now is a good time to consolidate your email to just the addresses you actually use. Activate all of your email addresses on your mobile device. It’s super frustrating to need a 2FA code that’s being sent to an email address you never set up on your newest device.
2FA User Challenge #3
If your spouse or partner owns or manages the account you are working on, the 2FA challenge may be going to them. They’ll be surprised to get a code out of the blue, and it might look like spam, so communicate with them before logging into shared accounts. Attempt logins at a time when they can get back to you with the code within a few minutes, as those codes quickly expire. Then you’ll have to start all over again.
2FA User Challenge #4
Not having the right device on you. If your authenticator is on your phone, but you don’t have your phone at the moment for some reason, you might be locked out of accessing some site or service until you retrieve your phone again.
2FA User Challenge #5
2FA codes, also called tokens, expire within minutes, so you have to complete the login process quickly, which is why I can safely show you all these images in this article. Getting distracted or confused might mean you have to start all over. Take a calming breath and start again, focusing on getting all the way through a login process before doing something else. In other words, don’t check your other texts or emails on the way to get your 2FA code.
2FA User Challenge #6
We’re all trying to avoid playing into the bad guys’ hands. You get used to providing a code back to the system to get in. How do you know you aren’t doing something you shouldn’t? It’s pretty confusing to older folks, who constantly get spam or malicious requests to provide their credit card number or social security number. You should only provide a 6-digit code that was provided to you when you requested access. If it feels fishy, don’t keep going.
Getting Stuck with 2FA Problems
Hopefully you never get stuck with 2FA, but now you know that online security might require a bit more time and energy than those boring and annoying passwords. If you are trying to log into a service and don’t get it on the first try, slow down, read the on-screen instructions, and try again. This might be especially hard for those with ADHD or neurodiverse conditions, so ask for help if you need it.
This also explains why you might have to help Grandma and Grandpa with their accounts and logins more and more these days. Healthcare companies and government agencies are adding 2FA security, too, and it’s really frustrating for people who aren’t on computers or phones all the time. They just assume their password is wrong, and they take literally hours to log in, often unsuccessfully. If you are trying to log in on their behalf remotely, it can be really challenging to direct someone to go from a website to their email to a text message and back again, especially if they only have a phone to work on.
I hope that now instead of asking, what the heck is 2FA, you are more successful and faster getting into your online accounts safely.