Blog post

Two-factor authentication (2FA); new guidance from the NCSC

Created: 08 Aug 2018
Updated: 08 Aug 2018
Author: Kate R

Today the NCSC has published new guidance that describes how to set up two-factor authentication (2FA) - also called 'two-step verification'.

Now, you may be thinking we've already released this, but that guidance was only for organisations. We wanted to produce a separate piece of 2FA guidance for the personal accounts you use at home.

We all have online services that are important to us, and which are protected by passwords - perhaps email, social media accounts, online banking, or gaming accounts. I'm sure you can think of accounts where it would be really painful if you discovered that your passwords had been hacked by cyber-criminals.

Unfortunately, however good your passwords are, they can only provide so much protection. They could be stolen from your service provider or from your phone, tablet or laptop. Or you could get tricked into revealing them. This is why we want more people to use 2FA, both at work and at home.

Why do we want this? Because 2FA is the single best thing you can do to improve the security of your important accounts.

Accounts that have been set up to use 2FA will require an extra check, so even if a criminal knows your password, they won't be able to access your accounts. This is reassuring if you suspect some of your passwords aren't as strong as they could be, or you've re-used them across different accounts, or you worry that (like anyone) you may one day fall for a scam email that reveals your password to a criminal.

When setting up 2FA, the service will ask you to provide a 'second factor', which is something that you (and only you) can access. This could be a code that's sent to you by text message, or that's created by an app. Some types of 2FA provide more protection than others (because the second factor is more difficult to steal), but since any 2FA is better than none, you should use 2FA wherever you can. It only takes a few minutes to set up for each account, and it's well worth it for the amount of additional protection it gives you.

We hope you are now inspired to set up 2FA wherever you can, and that the option to set up 2FA becomes more widespread across services. Please let us know what you think of this guidance using the comments below, using our Contact us page, or by sending us a message on Twitter or LinkedIn.


Stuart Smiles - 11 Aug 2018
Yubikeys are amazing, you mention them by name in the enterprise article but not even categorised in the personal one?
LastPass with them is brill.
LastPass family/enterprise? Subsidised combination and bundle...
Should be encouraged more with cloud providers' applications and govt contracts requiring their availability if going to use the site.

If we can't use it, we won't use it.

Kate R - 13 Aug 2018
Hi Stuart,

Thanks for your comment.

We wanted to make this guidance as accessible as possible, so we focused on the options that were common, free and widely compatible. If you know Yubikey-style tokens will work with your setup, then they are a great, easy-to-use solution.

Ernie J - 26 Dec 2018
And how do I know (for sure) that Stuart is not posting on behalf of Yubikey to drum up business? Nor do I know if Stuart is knowledgeable in this area. I am recently retired now but used to continuously provide specialist software to 3 UK high street banks for 20 years, not specifically in this area but clearly security was an issue.
