
Turn on multi-factor authentication (MFA)

Learn how multi-factor authentication (MFA) and 2FA can add greater protection to your online accounts.

Imagine if there was an easy way to add an extra layer of protection to your online accounts.

There is: it’s called multi-factor authentication (MFA).

Read on to learn everything you need to know about MFA.

What is multi-factor authentication (MFA)?

MFA is an extra layer of security that requires you to authenticate (or prove) in 2 or more ways that you’re the real owner of an online account. It's designed to make it harder for hackers (cybercriminals) to get into your account.

We call these ways of proving an account is really yours ‘authentication factors’.

Using a password alone is called ‘single factor authentication’. This is because you’re using only one type of authentication factor to log into your online accounts.

The problem is that passwords can be guessed or stolen.

MFA is when you use your password and at least one other authentication factor.

Top tip

Online services may use various terms to describe multi-factor authentication (MFA). Some might call it two-factor authentication (2FA), two-step authentication, two-step verification or use a term like ‘security key’. While they all share the purpose of protecting your accounts, they’re technically different. MFA refers to the use of two or more authentication factors.

Types of MFA

MFA requires you to use 2 or more authentication factors to access your accounts.

Look at the table below to learn more about different authentication factors:

Authentication factor: Something you know
Example: A password, passphrase or PIN.
Additional information: This is the standard authentication factor on most accounts. Using a password alone is called ‘single factor authentication’.

Authentication factor: Something you have
Example: Smartcard, physical token, authenticator application (app), SMS or email.
Additional information: These tools use a random code (sometimes called a ‘one time password’ or ‘one time PIN’ (OTP)) for you to enter to access your online account. Authenticator apps are mobile applications that make random OTPs. You can download an authenticator app on your device. Check with each service provider to see which type you need to use.

Authentication factor: Something you are
Example: Your fingerprint, facial recognition, iris (eye) scan or voice recognition.
Additional information: Many phones have built-in technology that can scan some part of your body as a way of proving your identity (biometrics). For example, you may be able to scan your fingerprint to access your account or device. Biometrics is a convenient type of MFA because it’s always with you and can’t be lost or forgotten.

How does MFA provide better protection than just a password?

MFA provides stronger protection to your online accounts than just a password because it adds an extra layer of account security.

Imagine you are trying to log into one of your social media accounts that doesn’t have MFA enabled.

If a hacker figures out your password, they can easily gain access to your account.

Now let’s say you have MFA enabled. To access your account, you need to enter your password and a unique code that’s sent to your phone.

Even if a hacker enters your password, they won’t be able to access your account unless they have that unique code too.

As you can see, MFA makes it much harder for a hacker to get into your account: they need to defeat every factor, not just guess or steal your password.
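The authenticator-app codes described in the table above and the password-plus-code login described in this section both rest on the same mechanism: a secret shared between the service and your app, from which a short-lived code is derived. The following Python example is added here and is not part of the original page. It implements the time-based one-time password (TOTP) scheme from RFC 6238 that most authenticator apps use, plus a login check that only succeeds when both the password and a fresh code are correct. The key `12345678901234567890` is the RFC’s published test key (so the output can be checked against the RFC vectors); the password, timestamps and the `Account`/`login` names are constructed, hypothetical values for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import struct

# RFC 4226 / RFC 6238 test key (ASCII "12345678901234567890"); used here only so
# the codes produced can be checked against the vectors published in the RFCs.
RFC_TEST_SECRET = b"12345678901234567890"
PBKDF2_ROUNDS = 100_000


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the 8-byte counter,
    dynamically truncated to a 31-bit integer, reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP whose counter is the number of
    `step`-second intervals since the Unix epoch. This is what the app on your
    phone computes every 30 seconds."""
    return hotp(secret, at_time // step, digits)


def new_totp_secret() -> tuple[bytes, str]:
    """Generate a fresh 160-bit secret and its Base32 form, which is what an
    authenticator app is given (via QR code or otpauth:// URI) when you enrol."""
    raw = secrets.token_bytes(20)
    return raw, base64.b32encode(raw).decode()


def verify_totp(secret, code, at_time, last_used_step, step=30, digits=6, window=1):
    """Return the time step whose code matched, or None.

    Codes from `window` steps either side of now are accepted to tolerate clock
    drift, but a step at or before `last_used_step` is never accepted, so a code
    that has already been used (or was intercepted) cannot be replayed while it
    is still within its validity window.
    """
    current = at_time // step
    for delta in range(-window, window + 1):
        candidate = current + delta
        if last_used_step is not None and candidate <= last_used_step:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Account:
    """Hypothetical server-side record: salted password hash plus TOTP state."""

    def __init__(self, password: str, totp_secret: bytes):
        self.salt = secrets.token_bytes(16)
        self.password_hash = hash_password(password, self.salt)
        self.totp_secret = totp_secret
        self.last_used_step = None  # highest time step already consumed by a login


def login(account: Account, password: str, code: str, at_time: int) -> str:
    """Two-factor login. Both factors are always evaluated before deciding, so a
    failed attempt does not reveal which factor was wrong. Returns 'ok' or 'denied'."""
    password_ok = hmac.compare_digest(hash_password(password, account.salt),
                                      account.password_hash)
    matched_step = verify_totp(account.totp_secret, code, at_time, account.last_used_step)
    if not (password_ok and matched_step is not None):
        return "denied"
    account.last_used_step = matched_step
    return "ok"


if __name__ == "__main__":
    # Constructed scenario: enrol with the RFC test key, then attempt a few logins.
    acct = Account("correct horse battery", RFC_TEST_SECRET)
    code = totp(RFC_TEST_SECRET, 59)  # "287082": matches the RFC 6238 vector for T=59
    print(login(acct, "correct horse battery", code, 59))              # ok
    print(login(acct, "correct horse battery", code, 70))              # denied: code already used
    print(login(acct, "stolen-guess", totp(RFC_TEST_SECRET, 90), 90))  # denied: wrong password
    print(login(acct, "correct horse battery", "000000", 90))          # denied: password alone is not enough
```

The scenario at the bottom mirrors the page’s point: knowing the password alone is rejected, and even a genuine code is rejected once it has been used, because the service remembers the last time step it accepted. In a real deployment the password hash and `last_used_step` live in the account store and the TOTP secret is protected like any other credential.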

Which types of MFA are most secure?

Using an authentication app or a security key is more secure than receiving a text message or email authentication.

That said, using any type of MFA is better than none!

We recommend using the more secure types of MFA if you can.

If you choose to receive an OTP by email, make sure that your email account itself is secure. You can do this by enabling MFA for this email account too.

If you receive an OTP for an account you weren’t trying to log into, change your password. Someone might have accessed your password details and be attempting to access your account without your knowledge.

How do I enable MFA?

It only takes a few minutes to set up most MFA, and you can enable it at any time. We recommend turning on MFA for your most important accounts, such as your:

  • user and email accounts. For example, Microsoft and Gmail.
  • financial services. For example, online banking and PayPal.
  • accounts that save or use your payment details. For example, eBay and Amazon.
  • social media accounts. For example, Facebook and Instagram.
  • gaming accounts. For example, PlayStation and Nintendo.
  • government services and other accounts that hold personal information. For example, myGov and Service Victoria.

Each service provider will have their own process for enabling MFA. The good news is that the steps tend to be similar.

You can usually find instructions in the privacy settings of your online accounts. If you get stuck, search for help articles on the service provider’s website or app on how to set up MFA.

MFA isn’t available everywhere yet. If an online service adds MFA as a security option, they’ll often notify you and encourage you to use it.

If MFA isn’t an option, make sure you create strong passwords for all of your accounts.

Top tip

The Cyber.gov.au website has a list of links that explain how to enable MFA on a range of popular services.

More security tips

Like any security measure, MFA isn’t bulletproof. Make sure you’re still using strong passwords and have good security practices when using your devices.

Keep your account secure and remember these important “don’ts”:

Have you received a sign-in link or OTP that doesn’t look quite right? Or maybe you’ve received one out of the blue?

If you’re not 100% sure if it’s really from your service provider, don’t respond to it or click any links.

The message, call or email could be from a scammer. Scammers may pretend to be from your bank, a government department or another service provider to steal your most personal information.

Protect yourself by learning:

Don’t share your MFA codes or approve unknown sign-in attempts

It’s important to keep your MFA codes secret. Don’t share them with anyone else, including your family or friends. Never approve unknown sign-in attempts.

Don’t make your passwords predictable

Short, predictable passwords are easy to hack. Instead, make your passwords long, strong and unique. Read our good passwords guide to learn how.
