Understanding multi-factor authentication

Combine your password with an extra layer of security to keep your accounts safe.

Passwords alone aren’t enough

Because hackers and criminals can guess or steal passwords, they’re often not secure enough by themselves.

Multi-factor authentication (MFA)[1] is one of the best ways to keep other people out of your online accounts. MFA adds an extra security step to the login process, like a one-off code sent to your phone.

This makes it harder for someone to get into your accounts even if they do steal your passwords.

Use our tool below to learn about the different types of MFA, and then set it up to protect your online accounts.

Choose your MFA combo

No MFA - just a password

Hackers and criminals can steal or guess a password in many ways. That’s why a password alone isn’t secure enough. Turning on MFA helps avoid the following problems:

  • Passwords get stolen

    Your password can fall into the hands of criminals from a data breach, through phishing, scams, or malware. If someone has your password and there’s no MFA, they can get into that account easily.

  • We reuse passwords

    We often use the same password across different accounts, websites and services. If one account gets hacked, the attacker can break into your other accounts too.

  • Passwords can be guessed

    A lot of us choose weak passwords, like a birthday or 123456. Hackers use programs to rapidly crack these passwords in seconds.

When you turn on MFA, it means anyone trying to log into your account will need to complete a secondary step to get in. Common forms of MFA can include:

  • a one-time code sent to your phone or email address
  • a fingerprint or facial scan
  • using an authenticator app on your phone
  • a physical USB security key you plug into your device

If the service you’re using doesn’t support MFA, make sure you have a strong password. Long phrases that are easy to remember are best.

Learn more using our password strength tester.

SMS or email one-time codes (OTC)

One-time codes (OTC), PINs or passwords are types of MFA that use a unique code sent to your phone or email. Entering this code after your password helps prove it’s really you trying to log in to that account.

OTCs are easy to set up and use. They’re the most common security layer that websites and services support.

  • Easy to set up and use

    Many websites and services will ask you if you want to set up one-time code MFA. They’ll guide you through the process which is only a few quick steps.

  • Accessible

    You just need to have a phone number or email account to get going. No need for extra software or apps.

  • Simple

    One-time codes are typically about 4-8 digits long, so they’re quick to type in.

  • Time-limited

    One-time codes usually expire after a few minutes. So if someone else finds out what the code was, it won’t work by the time they try to log in.

  • Wide availability

    They’re the most common type of MFA, with lots of modern websites and services supporting them.

Things to think about

Not as secure as other MFA
While a one-time code is significantly better than just having a password, it isn’t perfect. If a hacker has access to your texts or emails, they could see the OTC and use it to log into your accounts.
If a more secure form of MFA is available, you should choose that instead. But OTC is still a good option that will increase your security.

May not come through right away
One-time codes can sometimes be delayed or not come through at all if the service is having issues. They can also be accidentally blocked by spam filters.

Can be tricky to unlink if you lose your device
If you lose access to your phone or email address, it can be very difficult to access your accounts.
Back-up options are usually available but can be tricky to use.


Biometrics

Some devices and services let you use your biometrics to confirm your login. This is often in the form of a fingerprint or facial recognition. This is common on most modern phones.

  • Easy to use

    Just use your face or fingerprint to prove your identity and access your account.

  • Faster experience

    Unlocking an account with fingerprint or facial recognition can be faster than other MFA methods.

  • Less risk of loss or theft

    Biometrics are like snowflakes: no two are alike! As a result, it’s impossible to replicate your biometrics. This makes it one of the most secure forms of MFA.

Things to think about

May be limited to a specific device
Biometric data is often tied to a specific device. If you can’t access that device you might not be able to easily access your accounts.

Privacy concerns
Some people may have concerns about where their data is stored and who can access it.

False positives and false negatives
False positives are extremely rare but could allow someone with similar features to access your accounts.
False negatives might happen if your phone doesn’t recognise you. This could be because of poor lighting, grime on your fingers or other hardware issues.


Authenticator app

Instead of getting a code via email or SMS, you can add more security with an authenticator app. It’s a dedicated app on your phone that will prompt you to confirm any login.

This means anyone else trying to log in to your accounts from their own phone or computer won’t be able to.

  • More secure

    Unlike SMS or email codes, the codes generated by authenticator apps can’t be intercepted by hackers. This makes them a more secure form of MFA.

  • Convenience

    Many services allow you to link many accounts to just one authenticator app. This makes managing and using all your logins easy.

  • User-friendly

    Authenticator apps are user-friendly, with very short setup times and few steps. You can often add an account just by scanning a QR code.

Things to think about

Needs a second device
Using an authenticator app means you’ll always have to have your phone on hand to log in to your accounts on another device.

Can be tricky if you get a new device or lose one
If you get a new phone, you’ll have to transfer your authenticator app over to your new device. Make sure you don’t throw out your old device until you do, otherwise you may be locked out of your authenticator-protected accounts.
If you lose your phone, recovering authenticator-protected accounts can be tricky. We recommend saving your backup codes for your authenticator app and storing these securely in case you lose your phone or accidentally delete your authenticator app. Do this on the first day you begin using an authenticator app so you’re prepared in any event.

There’s always still a risk
Authenticator apps are safer than texts or emails, but hackers can still steal codes if you accidentally install viruses on your device or they trick you into sending them the codes.
Never share codes or accept unexpected notifications. Always read notifications carefully and, if unsure, reject and change your password.
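As an added illustration (not part of the original page), the code below shows how an authenticator app derives its short-lived codes and how a service can check them. It assumes the app uses time-based one-time passwords (TOTP, RFC 6238), which most authenticator apps do; the shared secret is the published RFC 6238 test-vector secret, not a real account secret.

```python
import base64
import hashlib
import hmac
import struct

# Base32 form of the RFC 6238 test-vector secret "12345678901234567890".
# In practice this value is what the setup QR code carries (constructed demo, not a real account).
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP = 30      # seconds each code stays valid
DIGITS = 6     # length of the code the user types in


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the current 30-second time step.

    The phone and the service both compute this from the shared secret, so
    nothing needs to be sent over SMS or email.
    """
    return hotp(base64.b32decode(secret_b32, casefold=True), at // step)


class TotpVerifier:
    """Service side: accepts a code once, within a small clock-drift window."""

    def __init__(self, secret_b32: str, window: int = 1):
        self.secret_b32 = secret_b32
        self.window = window        # tolerate +/- one step of clock drift
        self.last_step_used = -1    # highest time step already consumed

    def verify(self, submitted: str, at: int) -> bool:
        current = at // STEP
        for step in range(current - self.window, current + self.window + 1):
            if step <= self.last_step_used:
                continue            # that step's code was already used: replay
            if hmac.compare_digest(totp(self.secret_b32, step * STEP), submitted):
                self.last_step_used = step
                return True
        return False                # wrong code, or a code that has expired
```

The verifier shows why a stolen code is of limited use: it is only accepted inside the short window and never twice.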


Physical security keys

A security key is another device — for example a USB stick — that you plug into your computer or phone to confirm your login. It may require a second password, but usually it just needs you to plug it in.

An example of a security key is a YubiKey.

  • A more secure form of MFA

    Even if someone manages to steal your password, they won’t be able to get in without the physical security key which you have.

  • Simple

    Once set up, you just enter your password and plug in your security key to access your account.

Things to think about

Additional cost
While other authentication methods are often free, buying a security key can cost between $30 and $150. You may even need a backup in case you lose your key, doubling the cost.

Inconvenient and can be lost
You need to carry security keys on you any time you might need them. They can also be small and fragile, which means they’re easier to damage or lose.

Less common
Physical security keys are fairly uncommon compared to other types of MFA.
You’ll often have to use them in high-level government, business or finance settings. So you may not have a choice about whether to use them.


Disclaimer: Please note the purpose of this tool is purely educational. The aim of Service Victoria is to increase general awareness of password security. Creating a strong password does not guarantee all of your accounts will be protected in all situations. For the most up-to-date and reliable information, you should consult with a qualified data security expert.

Service Victoria accepts no liability for errors, does not guarantee protection of your accounts across the web, nor do we offer any kind of warranty or guarantee from using this tool. Service Victoria does not commit to the information included in this tool being the most up-to-date and accurate. The standards and recommendations for cyber security change rapidly, and it is your responsibility to ensure that your practices are the best they can be in all situations now and in the future.

By using the content and tools included on this page, all users acknowledge and release the creators and operators of this password strength tester from any associated risks. Service Victoria does not authorise the copy or disclosure of any information included on this page.

[1] Online services may use various terms to describe multi-factor authentication (MFA). Some might call it two-factor authentication (2FA), two-step authentication, two-step verification or use a term like ‘security key’. While they all share the purpose of protecting your accounts, they’re technically different. MFA refers to the use of two or more authentication factors.

Visit vic.gov.au/stay-safe-online for more information on MFA and how to stay safe online.