Turn on multi-factor authentication (MFA)

Imagine if there was an easy way to add an extra layer of protection to your online accounts.

There is – it’s called multi-factor authentication (MFA).

Read on to learn everything you need to know about MFA.

What is multi-factor authentication (MFA)?

MFA is an extra layer of security that requires you to authenticate (or prove) in 2 or more ways that you’re the real owner of an online account. It's designed to make it harder for hackers (cybercriminals) to get into your account.

We call these ways of proving an account is really yours ‘authentication factors’.

Using a password alone is called ‘single factor authentication’. This is because you’re using only one type of authentication factor to log into your online accounts.

The problem is that passwords can be guessed or stolen.

MFA is when you use your password and at least one other authentication factor.

Top tip

Online services may use various terms to describe multi-factor authentication (MFA). Some might call it two-factor authentication (2FA), two-step authentication, two-step verification or use a term like ‘security key’. While they all share the purpose of protecting your accounts, they’re technically different. MFA refers to the use of two or more authentication factors.

Types of MFA

MFA requires you to use 2 or more authentication factors to access your accounts.

Look at the table below to learn more about different authentication factors:

Authentication factor	Example	Additional information
Something you know	A password, passphrase or PIN.	This is the standard authentication factor on most accounts. Using a password alone is called ‘single factor authentication’.
Something you have	Smartcard, physical token, authenticator application (app), SMS or email.	These tools use a random code (sometimes called a ‘one time password’ or ‘one time PIN’ (OTP)) for you to enter to access your online account. Authenticator apps are mobile applications that make random OTPs. You can download an authenticator app on your device. Check with each service provider to see which type you need to use.
Something you are	Your fingerprint, facial recognition, iris (eye) scan or voice recognition.	Many phones have built-in technology that can scan some part of your body as a way of proving your identity (biometrics). For example, you may be able to scan your fingerprint to access your account or device. Biometrics is a convenient type of MFA because it’s always with you and can’t be lost or forgotten.

How does MFA provide better protection than just a password?

MFA provides stronger protection to your online accounts than just a password because it adds an extra layer of account security.

Imagine you are trying to log into one of your social media accounts that doesn’t have MFA enabled.

If a hacker figures out your password, they can easily gain access to your account.

Now let’s say you have MFA enabled. To access your account, you need to enter your password and a unique code that’s sent to your phone.

Even if a hacker enters your password, they won’t be able to access your account unless they have that unique code too.

As you can see, it’s very hard for a hacker to complete the MFA process.

Are you still confused about what MFA is? Think about it like having two locks on your front door for extra security. To enter your home, you will need to:
- Use a key. This is something only you have, like your house key. It's a unique item that allows you to unlock the door.
- Enter a secret code. This is something only you know, like a password or PIN. It's a secret combination that proves you're the real owner.
Now imagine that someone gets your key or picks your lock. They still won’t be able to enter because they don’t know your secret code.
Multi-factor authentication works the same way online. Even if a hacker figures out your password, they won’t be able to hack your account unless they can also crack your MFA.
In short, MFA adds extra layers of security to your accounts to make it extra tricky for hackers to access them.

Which types of MFA are most secure?

Using an authentication app or a security key is more secure than receiving a text message or email authentication.

That said, using any type of MFA is better than none!

We recommend using the more secure types of MFA if you can.

If you choose to receive an OTP by email, make sure that your email account itself is secure. You can do this by enabling MFA for this email account too.

If you receive an OTP for an account you weren’t trying to log into, change your password. Someone might have accessed your password details and be attempting to access your account without your knowledge.

How do I enable MFA?

It only takes a few minutes to set up most MFA, and you can enable it at any time. We recommend turning on MFA for your most important accounts, such as your:

user and email accounts. For example, Microsoft and Gmail.
financial services. For example, online banking and PayPal.
accounts that save or use your payment details. For example, eBay and Amazon.
social media accounts. For example, Facebook and Instagram.

gaming accounts. For example, PlayStation and Nintendo.
government services and other accounts that hold personal information. For example, myGov and Service Victoria.

Each service provider will have their own process for enabling MFA. The good news is that the steps tend to be similar.

You can usually find instructions in the privacy settings of your online accounts. If you get stuck, search for help articles on the service provider’s website or app on how to set up MFA.

MFA isn’t available everywhere yet. If an online service adds MFA as a security option, they’ll often notify you and encourage you to use it.

If MFA isn’t an option, make sure you create strong passwords for all of your accounts.

Top tip

The Cyber.gov.au website has a list of links that explain how to enable MFA on a range of popular services.

More security tips

Like any security measure, MFA isn’t bulletproof. Make sure you’re still using strong passwords and have good security practices when using your devices.

Keep your account secure and remember these important “don’ts”:

Have you received a sign-in link or OTP that doesn’t look quite right? Or maybe you’ve received one from out of the blue?

If you’re not 100% sure if it’s really from your service provider, don’t respond to it or click any links.

The message, call or email could be from a scammer. Scammers may pretend to be from your bank, a government department or another service provider to steal your most personal information.

Protect yourself by learning:

how to avoid getting scammed

the phishing red flags to look out for

It’s important to keep your MFA codes secret. Don’t share them with anyone else, including your family or friends. Never approve unknown sign-in attempts.

Don’t make your passwords predictable

Short, predictable passwords are easy to hack. Instead, make your passwords long, strong and unique. Read our good passwords guide to learn how.

Safety & emergencies

Updated 1 May 2024

Turn on multi-factor authentication (MFA)

On this page

What is multi-factor authentication (MFA)?

Top tip

Types of MFA

How does MFA provide better protection than just a password?

Which types of MFA are most secure?

How do I enable MFA?

Top tip

More security tips

Don’t click on account sign-in hyperlinks that you receive via SMS or emails

Don’t share your MFA codes or approve unknown sign-in attempts

Don’t make your passwords predictable