What is two-factor authentication and why to use 2FA

It’s always best to do everything you can to keep your online accounts safe. Stolen login credentials are a huge problem – and 2FA is a technical solution that can help with that. Read on to learn what two-factor authentication is, why you should use it, and how to turn it on for Patelco and your other accounts.

What is two-factor authentication or 2FA?

Two-factor authentication, or 2FA, requires that you provide 2 things to authenticate (or prove) your identity when logging in to an app or online account. In the past, there was only single factor authentication, typically a password.
 
Today, the first factor is something you know (like your password or a security question).
 
The second factor is often a one-time code or password delivered to something you have (like your mobile phone). The second factor changes every time you log in, unlike the first factor, which remains the same over time until you update it.
 
For almost all websites and apps (including Patelco), you’ll also need your username (or User ID as it’s known in Patelco Online™) or email address – but since most websites and apps can remember this, it’s not a good way to prove your identity.
 
Sound confusing? Here’s how it works in simple terms:

1. Open a website or app (such as Patelco Online™ or our Mobile App)
2. If the website or app doesn’t remember your username (User ID) or email address, you’ll enter that (many times, you won’t need to enter this)
3. You’ll be asked for your password, which is the first authenticating factor
4. 2FA, if it’s activated or turned on permanently, will need a second authenticating factor, such as a 2FA code
5. You can choose to receive that code through a text message, an authenticator app (such as Google Authenticator or Authy), or a phone call

There are certain situations in which a website or app (like Patelco) might use 2FA to make sure it’s really you – especially if you’re logging in for the first time from a new location or a new device. 2FA is also used when you’re doing a transaction that requires extra confirmation. 
 
If you have 2FA turned on, or if it’s a special situation, the website or app will send you a 2FA code, usually via phone call, text message, or authentication app. (Email is not a preferred way, though it is still used.) Then you’ll need to enter that 2FA code to complete your login. 
 
You can also set up Patelco Online™ and our Mobile App to always ask you for a 2FA code. (Check out the steps at the end of this article).

Good to Know

2FA acts as extra protection to prevent a hacker from logging in to your account.

Why you should Why you should

Two-factor authentication is the best way to assure that you – and not a fraudster – are the person who is logging in to your account.
 
Without it, anyone who has your username (User ID) and password would be able to log in. Here are a few ways that fraudsters could discover your username and password:

• You share it – This is the #1 way that a scammer gets ahold of your User ID and password to log in to your online banking. No one needs to know your online banking credentials, ever – so don’t share them! Patelco will never call to ask for them.
• Password reuse – If you use the same password on multiple websites and one website gets breached, the fraudsters may then test that username (User ID) and password combo anywhere they think you have an account. The best protection against this is using strong passwords that are unique for every site.
• Malware on your device – If you visit a phishing website or otherwise compromise your computer or mobile device, you can end up with malware on your device. Malware is dangerous software that criminals use to steal your data or damage your device. The best way to avoid this is to maintain and update the antivirus software on your computer. For your phone, keep its software up to date.
• Shoulder surfing – If someone watches you type in your password at a coffee shop or other public place, they might then try to log in to your account.

 
If one of these situations happens to you and your credentials are compromised, 2FA acts as extra protection to prevent the hacker from logging in to your account. The hacker doesn’t have your phone, so they can’t get a 2FA code.

How to make two factor-authentication always on for your Patelco account

Two-factor authentication can be turned on at all times, if you wish. This is the safest setup for any account (including your Patelco account). When you have 2FA turned on all the time, you’ll need to provide your 2FA code every time you log in. 
 
Here’s how to set up 2FA at Patelco (which will apply to logins from both a computer and from our Mobile App).

1. Log in to Patelco Online™ from a computer
2. In the upper right, select your icon
3. Select Settings
4. Select Security
5. Under Two-Factor Authentication, slide the button to ON

 
If you haven’t yet set up your options (more on that below), you may be asked to set up one or more options for receiving your 2FA code.

The strongest methods The strongest methods

Here are three ways to receive your 2FA code. All of them are safe, but using an app or text message is the safest.

• An authenticator app like Authy or Google is best. An authenticator is the best way to receive your 2FA code because it’s the hardest for a fraudster to get access to. Make sure to download the app from your device’s official app store.
• A text message is the second-best way to receive your 2FA code, because it’s very difficult for scammers to intercept texts.
• A voice call also works. In rare instances, calls can be forwarded by a scammer. This is why text messages are safer, as they’re difficult to intercept and very difficult to forward.

(Email is not a great way to get a 2FA code, as email addresses are more easily compromised as compared to text messages and phone calls.)

What if my phone gets stolen?

First, ensure that you have a strong PIN or passcode on your device now, so it will be difficult for someone to access your phone if it’s stolen or lost.
 
If your phone is lost or stolen, don’t panic. Here’s what to do:

1. Immediately report it as stolen to your cellular provider.
2. Reset (change) any passwords you had stored on your phone.
3. Block any cards you had stored in your phone’s wallet, such as Apple Pay or Google Pay (you can do this by calling the bank or credit union that issued the card).
4. Contact our call center at 800.358.8228 – we’ll help you lock down your online banking account, so it can’t be accessed improperly.
5. Alert your contacts (to help protect friends and family from scammers).
6. File a police report.
7. If you’re able to, lock and erase your phone – major brands such as Samsung and Apple offer this service.

The future of two-factor authentication

Right now, Patelco offers 2FA to keep your account safer.
 
We are looking for ways to add passkey capability in the future. This is a new technology that allows you to use the biometrics of your device (laptop or phone) to authenticate yourself on an app or a website via a phishing-resistant technology. This could include using a fingerprint scanner on your laptop or the facial scanner on your mobile device.
 
Some apps and websites also support physical tokens such as FIDO2 passwordless authentication. That way, your login information is stored only on your device. Cybercriminals can’t log in using their own devices. FIDO2 offers a high level of safety. As we make more security features and services available, we’ll keep you informed.
 

 
This article was created in accordance with the Patelco editorial policy.