How to use two-factor authentication to protect your account
Two-factor authentication (2FA) is a security process that secures access to an account by requiring a second form of identification, such as a code on a smartphone, in addition to a password. This significantly increases protection against unauthorized access, even if the password gets into the wrong hands.
What is two-factor authentication?
Two-factor authentication combines two different and independent components of identification to identify a legitimate user. You come across a simple everyday example for two-factor authentication every day at the ATM or a supermarket checkout. To withdraw money or pay with a card at the store, two components are needed: Your debit or credit card and your pin (or signature). Only when the two are correctly combined is the two-factor authentication successful. The same principle can also be applied to the securing of email accounts, online shop accounts, or other large web portals.
Unfortunately, much of the web still depends on a single layer of protection: the password. In many cases, a password alone is enough to access email accounts, cloud services, or online stores. If cybercriminals gain access to these credentials, they can easily retrieve sensitive emails, personal data, or private files. To address this risk, more providers—including Dropbox, Google, and Amazon—are adopting two-factor authentication (2FA) to enhance security. The implementation of 2FA can vary widely, as different elements can be combined to form the second step of the authentication process.
How does two-factor authentication work?
The components or factors necessary for access in a two-factor authentication can be a number of different things. The most important and most widely used factors are:
- Token or access card
- PIN (Personal Identification Number)
- TAN (Transaction Number)
- Passwords
- Biometric characteristic (e.g. fingerprint, voice, or iris)
All of these factors rely on identifying an authorized person through something they either know, possess, or are inherently linked to (“knowledge,” “possession,” or “inherence”). A common example is using an ATM, where a physical token (the card) is typically combined with another factor (a PIN). The downside of this method is that even authorized users must always carry the token with them—meaning that a simple mistake, such as entering the wrong PIN, can still result in denied access.
For this reason, two-factor authentication (2FA) on the web is increasingly moving toward identification methods that avoid physical tokens altogether or minimize the risk of loss. Typically, a password is combined with an automatically generated code, known as a one-time password (OTP). This OTP is sent to the user’s smartphone—via SMS, email, or a dedicated authenticator app. This ensures that only the person in possession of the secondary security code can gain access. The key benefit: the OTP is valid for a single use and automatically expires after a short period, reducing the risk of misuse.
There are two main types of one-time passwords: TOTP (Time-based One-Time Password), which are time-based and generate a new code every 30 seconds regardless of whether it was used, and HOTP (HMAC-based One-Time Password), which are counter-based and generate a new code each time one is requested. HOTP codes remain valid until they are used.
Two-factor authentication without a physical token or access card also has the advantage of allowing secondary delivery methods for the security code. For example, if the user cannot access the app, it is possible to configure an alternative method such as receiving the code via SMS or through an automated phone call that reads the code aloud.
Why use two-factor authentication?
It’s well known that absolute security for an account is never guaranteed—so why bother setting up two-factor authentication at all? The answer is clear: 2FA adds an additional layer to the identification process—a second hurdle that unauthorized users must first overcome. Moreover, almost all common phishing-attacks fail against two-factor authentication like this.
The numbers of cybercrime remain consistently high. Particularly, the previously mentioned phishing attacks, but also identity theft and account takeovers, are affecting more and more individuals and businesses. Attackers often use stolen credentials or weak passwords to obtain sensitive information. This is where two-factor authentication comes in: it provides an additional layer of security that makes it significantly harder to access an account even with a known password. Therefore, 2FA is an essential protection against identity theft and other cybercrimes.
Does two-factor authentication have any disadvantages?
Two-factor authentication (2FA) provides a stronger layer of security and is widely recommended by cybersecurity experts and organizations such as the National Institute of Standards and Technology (NIST). By requiring two separate components—typically something the user knows (like a password) and something the user has (such as a mobile device)—2FA significantly reduces the risk of unauthorized access. However, this added protection can also pose challenges for legitimate users. For example, losing access to the device that receives authentication codes, such as a smartphone, can result in temporary lockouts. Similarly, technical issues with authentication apps or network connectivity can occasionally prevent successful logins. While 2FA greatly improves account security, it’s important to have fallback options in place, such as backup codes, secondary phone numbers, or alternative verification methods, to minimize the risk of being locked out.
Fortunately, most services offer a safety net in case users lose access to their primary authentication method. This typically includes the option to specify a recovery method, such as an alternate phone number where the authentication code can be sent. Services may also provide backup codes that can be saved or printed, or ask for a secondary email address to help restore account access if needed. These fallback options largely offset the potential drawbacks of two-factor authentication. However, it’s important to actively set up and securely store these recovery methods—especially when they are optional rather than mandatory—to reduce the risk of being locked out of your own account.
- Regular virus and malware scans
- Automatic backups and simple file recovery
What 2FA methods and tools are available?
There are several methods and tools available to implement two-factor authentication (2FA). One of the most common approaches is the use of an authenticator app, which generates time-based one-time passwords (TOTP). These apps work even without an internet connection and offer a good balance between security and usability.
Another widely used method is SMS verification, where a code is sent to the user’s mobile phone. While convenient, this method is considered less secure since SMS messages can be intercepted or redirected. Hardware tokens, such as USB security keys, provide a very secure option, although they tend to be more expensive and less user-friendly. Some services also offer push notifications, where users must actively approve login attempts on their smartphone. The choice of method often depends on the desired level of security and the available technology. In general, the more independent the second factor is from the password, the more secure the authentication process.
Below is a list of the most common and widely used authenticator apps:
- Google Authenticator
- Microsoft Authenticator
- Authy
- FreeOTP
- LastPass Authenticator
How to set up two-factor authentication for IONOS Mail
To enable 2FA for your IONOS Mail account, you have two convenient options: using a standard authenticator app or directly through the IONOS Mobile App.
Set up with an authenticator app
Setting up an authenticator app for your IONOS Mail account takes just a few steps:
- Download one of the listed authenticator apps—or an app of your choice—on your smartphone.
- Log in to your IONOS account via your web browser.
- Go to “My Account” > “Login & Account Security” > “Two-step verification (2FA)” and choose the option to set up using an authenticator app.
- Scan the displayed QR code with your app.
- Enter the generated 6-digit code to confirm the setup.
Two-factor authentication is now permanently enabled for your account.
Set up using the IONOS Mobile App
Alternatively, you can use the official IONOS Mobile App, available for Android and iOS. Once setup is complete, you’ll receive a push notification on your smartphone each time you log in to your IONOS account for approval.
A detailed step-by-step guide is available in the IONOS Help Center.
IONOS offers Microsoft 365 and Google Workspace with built-in two-factor authentication—ensuring secure and GDPR-compliant communication for your business.