How to use two-factor authentication to protect your account
Two-factor authentication (2FA) is a security process that secures access to an account by requiring a second form of identification, such as a code on a smartphone, in addition to a password. This significantly increases protection against unauthorized access, even if the password gets into the wrong hands.
What is two-factor authentication?
Two-factor authentication combines two different, independent identification components to verify that a user is legitimate. A simple everyday example is the ATM or the supermarket checkout: to withdraw money or pay by card, two components are needed, your debit or credit card and your PIN (or signature). Only when both are correctly combined is the two-factor authentication successful. The same principle can be applied to securing email accounts, online shop accounts, and other large web portals.
Unfortunately, much of the web still depends on a single layer of protection: the password. In many cases, a password alone is enough to access email accounts, cloud services, or online stores. If cybercriminals gain access to these credentials, they can easily retrieve sensitive emails, personal data, or private files. To address this risk, more providers—including Dropbox, Google, and Amazon—are adopting two-factor authentication (2FA) to enhance security. The implementation of 2FA can vary widely, as different elements can be combined to form the second step of the authentication process.
How does two-factor authentication work?
The components or factors necessary for access in a two-factor authentication can be a number of different things. The most important and most widely used factors are:
- Token or access card
- PIN (Personal Identification Number)
- TAN (Transaction Number)
- Passwords
- Biometric characteristic (e.g. fingerprint, voice, or iris)
All of these factors identify an authorized person through something they know, something they possess, or something they inherently are (“knowledge,” “possession,” or “inherence”). A common example is the ATM, where a physical token (the card) is combined with a second factor (the PIN). The downside of this method is that authorized users must always carry the token with them, and a simple mistake, such as entering the wrong PIN, still results in denied access.
For this reason, two-factor authentication (2FA) on the web is increasingly moving toward identification methods that avoid physical tokens altogether or minimize the risk of loss. Typically, a password is combined with an automatically generated code, known as a one-time password (OTP). This OTP is delivered to, or generated on, the user’s smartphone: via SMS, email, or a dedicated authenticator app. Only the person in possession of that secondary code can gain access. The key benefit is that the OTP is valid for a single use and automatically expires after a short period, which reduces the risk of misuse.
There are two main types of one-time passwords: TOTP (Time-based One-Time Password), which derives a fresh code from the current time and changes it every 30 seconds whether or not the previous one was used, and HOTP (HMAC-based One-Time Password), which derives each code from a counter that advances every time a code is requested. An HOTP code remains valid until it is used.
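The following is an added example, not code from IONOS or from this article, showing how the two OTP types described above are computed from a shared secret using only the Python standard library: HOTP as specified in RFC 4226, TOTP as specified in RFC 6238 (HOTP with the counter set to the current 30-second time step), the server-side checks that go with each (a small drift window for TOTP, a look-ahead window and a monotonic counter for HOTP, constant-time comparison for both), and the `otpauth://` URI that a setup QR code encodes. The secret used in the demo is the published RFC test-vector key, not a real credential; the account name and issuer are placeholders.

```python
# Added example (not IONOS code): RFC 4226 HOTP and RFC 6238 TOTP from the
# standard library, plus the server-side checks that make them safe to use.
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import quote


def decode_base32_secret(text: str) -> bytes:
    """Decode the Base32 secret that authenticator apps read out of the QR code.
    Tolerates lowercase, spaces and missing '=' padding."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    then 'dynamic truncation' down to a short decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with counter = Unix time // step, so the code
    changes every `step` seconds whether or not it was used."""
    now = int(time.time()) if at is None else at
    return hotp(secret, now // step, digits)


def verify_totp(secret: bytes, submitted: str, at: Optional[int] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side TOTP check. Accepts the current step and `window` steps on
    either side to absorb clock drift; compares in constant time."""
    now = int(time.time()) if at is None else at
    base = now // step
    for k in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, base + k, digits), submitted):
            return True
    return False


def verify_hotp(secret: bytes, submitted: str, server_counter: int,
                look_ahead: int = 5, digits: int = 6) -> Optional[int]:
    """Server-side HOTP check. A code stays valid until used, so the server keeps
    a counter; codes the user generated but never submitted are skipped by
    searching a small look-ahead window. Returns the new counter to store, or
    None if rejected. Counters below the stored one are never accepted (replay)."""
    for c in range(server_counter, server_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c, digits), submitted):
            return c + 1
    return None


def provisioning_uri(secret: bytes, account: str, issuer: str,
                     digits: int = 6, step: int = 30) -> str:
    """The otpauth:// URI a setup QR code encodes (Google Authenticator key URI
    format); this is what the app scans during enrolment."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={digits}&period={step}")


if __name__ == "__main__":
    # The shared secret from the RFC 4226/6238 test vectors, as an app would see it.
    secret = decode_base32_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print("HOTP counters 0..2:", [hotp(secret, c) for c in range(3)])
    print("TOTP at T=59:", totp(secret, at=59))
    print(provisioning_uri(secret, "alice@example.com", "ExampleMail"))
```

Two design points are worth noting. The TOTP verifier accepts one step before and after the current one, which is why a code sometimes still works a few seconds after the app's countdown ends; a larger window only widens the attacker's replay opportunity. The HOTP verifier never searches backwards, so a code that was already consumed, or one from before the stored counter, is rejected even though the app might still display it.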
Two-factor authentication without a physical token or access card also has the advantage of allowing secondary delivery methods for the security code. For example, if the user cannot access the app, it is possible to configure an alternative method such as receiving the code via SMS or through an automated phone call that reads the code aloud.
Why use two-factor authentication?
It’s well known that absolute security for an account is never guaranteed, so why bother setting up two-factor authentication at all? The answer is clear: 2FA adds an additional layer to the identification process, a second hurdle that unauthorized users must first overcome. Moreover, most common phishing attacks, which harvest only the password, fail against two-factor authentication of this kind.
Cybercrime figures remain consistently high. Phishing attacks in particular, but also identity theft and account takeovers, affect more and more individuals and businesses. Attackers often use stolen credentials or weak passwords to obtain sensitive information. This is where two-factor authentication comes in: it provides an additional layer of security that makes it significantly harder to access an account even with a known password. 2FA is therefore an essential protection against identity theft and other cybercrimes.
Does two-factor authentication have any disadvantages?
Two-factor authentication (2FA) provides a stronger layer of security and is widely recommended by cybersecurity experts and organizations such as the National Institute of Standards and Technology (NIST). By requiring two separate components—typically something the user knows (like a password) and something the user has (such as a mobile device)—2FA significantly reduces the risk of unauthorized access. However, this added protection can also pose challenges for legitimate users. For example, losing access to the device that receives authentication codes, such as a smartphone, can result in temporary lockouts. Similarly, technical issues with authentication apps or network connectivity can occasionally prevent successful logins. While 2FA greatly improves account security, it’s important to have fallback options in place, such as backup codes, secondary phone numbers, or alternative verification methods, to minimize the risk of being locked out.
Fortunately, most services offer a safety net in case users lose access to their primary authentication method. This typically includes the option to specify a recovery method, such as an alternate phone number where the authentication code can be sent. Services may also provide backup codes that can be saved or printed, or ask for a secondary email address to help restore account access if needed. These fallback options largely offset the potential drawbacks of two-factor authentication. However, it’s important to actively set up and securely store these recovery methods—especially when they are optional rather than mandatory—to reduce the risk of being locked out of your own account.
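As an added example (not IONOS code and not a description of any particular service's implementation), the following shows how the backup codes mentioned above are typically handled on the server side: a set of random codes is generated and shown to the user exactly once, only a salted hash of each code is stored, and redeeming a code marks it used so it cannot be replayed. The alphabet, code length and iteration count are this example's own choices.

```python
# Added example (not IONOS code): generating single-use backup codes, storing
# them hashed, and redeeming one. All values here are constructed for the demo.
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

# Alphabet without easily confused characters (no 0/O, 1/l/I), so codes printed
# on paper can be typed back reliably. 10 characters give roughly 49.5 bits.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
# Hashed like a password: a leaked database must not yield usable codes.
# Kept moderate here so the demo runs quickly; raise it in production.
PBKDF2_ITERATIONS = 50_000


def normalize(code: str) -> str:
    """Strip the grouping dash, spaces and case so typed input matches what was stored."""
    return code.replace("-", "").replace(" ", "").strip().lower()


def hash_code(code: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", normalize(code).encode(), salt, PBKDF2_ITERATIONS)


def generate_backup_codes(count: int = 10, length: int = 10) -> Tuple[List[str], List[Dict]]:
    """Returns (codes to show the user exactly once, records to store server-side).
    Only the salted hash is persisted; the plaintext never is."""
    shown, stored = [], []
    for _ in range(count):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        salt = secrets.token_bytes(16)
        stored.append({"salt": salt, "hash": hash_code(raw, salt), "used": False})
        shown.append(f"{raw[:length // 2]}-{raw[length // 2:]}")
    return shown, stored


def redeem_backup_code(stored: List[Dict], submitted: str) -> bool:
    """Single-use redemption: a code matching an unused record is marked used and
    accepted; submitting the same code again is rejected."""
    accepted = False
    for record in stored:
        if record["used"]:
            continue
        # Every unused record is checked rather than stopping at the first
        # match, so response time does not reveal which (if any) code matched.
        match = hmac.compare_digest(hash_code(submitted, record["salt"]), record["hash"])
        if match and not accepted:
            record["used"] = True
            accepted = True
    return accepted


def remaining_codes(stored: List[Dict]) -> int:
    """Unused codes left; a service should prompt for regeneration when this is low."""
    return sum(1 for r in stored if not r["used"])


if __name__ == "__main__":
    codes, records = generate_backup_codes(count=5)
    print("Show these once and tell the user to store them safely:", codes)
    print("First use accepted:", redeem_backup_code(records, codes[0]))
    print("Replay rejected:", redeem_backup_code(records, codes[0]))
    print("Remaining:", remaining_codes(records))
```

The hashing matters because backup codes are, in effect, long-lived passwords that bypass the second factor: if they were stored in plain text, a database leak would hand an attacker exactly the fallback the user was told to keep offline.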
What 2FA methods and tools are available?
There are several methods and tools available to implement two-factor authentication (2FA). One of the most common approaches is the use of an authenticator app, which generates time-based one-time passwords (TOTP). These apps work even without an internet connection and offer a good balance between security and usability.
Another widely used method is SMS verification, where a code is sent to the user’s mobile phone. While convenient, this method is considered less secure since SMS messages can be intercepted or redirected. Hardware tokens, such as USB security keys, provide a very secure option, although they tend to be more expensive and less user-friendly. Some services also offer push notifications, where users must actively approve login attempts on their smartphone. The choice of method often depends on the desired level of security and the available technology. In general, the more independent the second factor is from the password, the more secure the authentication process.
Below is a list of the most common and widely used authenticator apps:
- Google Authenticator
- Microsoft Authenticator
- Authy
- FreeOTP
- LastPass Authenticator
How to set up two-factor authentication for IONOS Mail
To enable 2FA for your IONOS Mail account, you have two convenient options: using a standard authenticator app or directly through the IONOS Mobile App.
Set up with an authenticator app
Setting up an authenticator app for your IONOS Mail account takes just a few steps:
- Download one of the listed authenticator apps (or an app of your choice) on your smartphone.
- Log in to your IONOS account via your web browser.
- Go to “My Account” > “Login & Account Security” > “Two-step verification (2FA)” and choose the option to set up using an authenticator app.
- Scan the displayed QR code with your app.
- Enter the generated 6-digit code to confirm the setup.
Two-factor authentication is now permanently enabled for your account.
Set up using the IONOS Mobile App
Alternatively, you can use the official IONOS Mobile App, available for Android and iOS. Once setup is complete, you’ll receive a push notification on your smartphone each time you log in to your IONOS account for approval.
A detailed step-by-step guide is available in the IONOS Help Center.
IONOS offers Microsoft 365 and Google Workspace with built-in two-factor authentication—ensuring secure and GDPR-compliant communication for your business.