Security Education Companion
A free resource for digital security educators

Two-Factor Authentication

Last modified February 4, 2019
Language: English
Duration: 1 hour(s)

Learning Objectives

Learners will:

  • Understand what two-factor authentication is and how it helps protect accounts from unauthorized access.

  • Know the various ways two-factor authentication is referred to.
  • Be able to tell the difference between a two-factor authentication app and receiving codes via text message, and be able to describe the pros and cons of each.

Ratio

Instructor: Learners
Varies

The knowledge share is potentially a lecture-format discussion.

Finding the two-factor authentication settings page for each individual service can be difficult, so having helpers to assist learners (1 helper to 5 students) is useful.

Turning on two-factor authentication will require closer pairing, similar to installing an app (1 helper to 1-2 students).

Lesson Content

Knowledge share: What is two-factor?

Some services offer “two-factor authentication,” which is to say they can be set up to ask for something in addition to a password.

Usually, they ask for a number or code that they’ve texted separately, or ask you to use a separate app that helps to verify your identity. It demonstrates that not only do you know your password, but you also have access to something—like your phone with the right phone number, or an app you set up previously.

This protects you against passwords getting stolen. Even if someone gets your password, they won’t be able to get into your account without also having your phone.

CAUTION! If you use the kind of 2FA that texts a code to your phone, you will need to give the service or platform your phone number—or, at least, a phone number at which you can reliably receive texts. For some people, this may not be the right choice.  This may be of special concern for those wishing to create anonymous accounts on platforms that only support 2FA by text.

Activity: “The Annoying Security Guard”

Ask the attendees, "Has anyone been in a situation where they are supposed to be let into a party, or an office, or an event, but there’s a bouncer or security guard or official who is really demanding and doesn’t believe you?"

Pick someone to be the "annoying security guard," or, if you have a small group, encourage everyone to be the "guard."

"I’m going to try and prove that I should be allowed past you. Whatever I say, you should come up with a reason why that isn’t enough and you can’t let me in. My name really is on the guest list though!"

“Hello, my name is XXX, and I’ve come here to teach people about digital security. Do you see my name on the list?”

The guard should make up a reason like “I don’t see your name,” or “How do I know it’s really you?” Go through, in turn, other possible identifications, each more ridiculous: “Well, here’s my credit card, it’s got my name on it,” or “Here’s my passport, there’s a photo of me,” or “If you ask anyone who knows me, they know I’m a really good dancer, so here’s my signature dance,” or “Here’s an Instagram photo of me with your boss,” etc.

What this shows is that there is no single perfect way to prove your identity, but the more ways in which you can prove you are who you say you are, the more likely it is to be true. The security guard isn’t wrong to be skeptical. Eventually, the weight of the evidence reasonably proves someone is who they claim to be.

Once you're done with the "annoying security guard" activity, explain how this relates to the lesson:

"Now apply this to logging into an account. Most logins only ask users to prove their identity in one way: passwords. The problem with passwords is that someone else might get ahold of them. That’s what the annoying security guard would say.

"You’ve all run into this in other parts of life. An ATM is a great example: you need both your PIN and your card to be allowed to withdraw or deposit money. Someone else could find out your PIN or they could steal your card, but it’s less likely that they will be able to do both.

"So two-factor just means 'something other than the password, as well as the password.' Your password is your first 'factor' of identification, and then you need to provide one more to be let in."

Ask: "What other things could a website ask you for when you log in?" Emphasize that it has to be in addition to a password.