Email is one of the most widely used ways of sharing data among professionals, so attackers have become equally adept at retrieving that data by breaching email security. The problem arises when companies pay little attention to updating their email security methods and end up getting scammed. Email multi-factor authentication is a method of authenticating a user with more than one factor. It is commonly used to secure online banking and other financial transactions, but it is also helpful for anything that needs a secure connection that should not be accessible with your password alone.
As recorded by the Internet Crime Report, in 2020, there were 19,369 complaints about the Business Email Compromise (BEC). It resulted in adjusted losses exceeding $1.8 billion.
Two-factor authentication is built to make email accounts secure by adding a layer of security on top of the username and password. The second layer can be anything like a fingerprint, a code, or a security token. There are several different types of multi-factor authentication systems out there (some use two factors, others deploy a multilayered approach to verifying the user), but they all have one thing in common: they are designed to make sure that only authorized users can access the service.
Here’s a guide on how to set up Two-factor authentication for emails and why it is important to make your accounts secure.
Key Takeaways
- Email security is paramount due to evolving threats like Business Email Compromise (BEC), costing billions annually.
- Multi-Factor Authentication (MFA), including Two-Factor Authentication (2FA), significantly boosts security by requiring multiple verification factors (e.g., something you know, something you have, something you are).
- Common MFA/2FA methods include SMS codes, authenticator apps (like Google Authenticator), biometrics, and hardware tokens, offering varied security and convenience.
- Implementing MFA/2FA is crucial across major platforms like Gmail, Microsoft 365, and Zoho Mail, with specific setup steps available for each.
- Combining MFA/2FA with email authentication protocols like DMARC provides comprehensive protection against unauthorized access, phishing, and domain spoofing.
What is Two-factor authentication?
Multi-factor authentication (MFA) is a security measure that requires more than just a password to access a device or system, verifying a user’s identity with two or more different forms of identification. Two-factor authentication (2FA) is a specific type of MFA: an email security method that requires users to provide exactly two different authentication factors to verify their identity. It is used to enhance email security in addition to a strong password. It adds a randomly generated (or time-based) code to the login process, which you have to enter every time you log in to your account. In most cases, the second factor is something physical, like a phone number or a fingerprint scan (something you have or something you are), but it can also be something digital, like a token stored in an app on your phone (such as Google Authenticator). It also keeps the account protected in situations where the user’s password has been compromised, such as through a phishing attack.
Once the second factor is activated, you can access your email accounts only by entering the code in addition to your password. This dual-factor authentication protects your associated email accounts as well as other applications. Even if someone else gets to know your password, they cannot log in without the code.
How Two-Factor Authentication (2FA) Works
Here is how 2FA typically works:
- The first thing you need to do is to enter your username and password. It is the most common form of authentication. It involves something the user knows.
- After the username and password are entered and verified, the system will request a second factor. This is usually something the user has (such as a phone receiving a text message or push notification, or a hardware token) or something the user is (like a fingerprint or face scan).
- Choose the method that seems most appropriate. Then enter the code from your phone or hardware token, or approve the push notification. If both the password and the second factor are correct, the system grants access to the user. In most cases, you will need to use two different forms of verification to complete the signup or login.
Common 2FA Methods
Here are some common methods used for 2FA:
- SMS Text Message: A code is sent to your phone via text message, usually through an SMS verification API that automates secure delivery.
- Authentication App: Apps like Google Authenticator generate a code that changes at a short fixed interval (typically every 30 seconds).
- Biometric Verification: This uses your fingerprint, face, or iris scan to verify your identity.
- Email Verification: A code is sent to your email address.
- Hardware Token: A small device generates a code you can use to log in.
- Push Notification: A notification is sent to your smartphone, and you approve the login by pressing a button.
Enabling Multi-Factor Authentication on Different Platforms
Setting up MFA ensures that only authorized individuals can access your accounts. Below are guides for enabling it on popular platforms.
Enabling Two-factor authentication for Gmail Google Workspace Emails
Here is a simple yet thorough guide on enabling 2FA (also called 2-Step Verification by Google) for your Gmail accounts.
Step 1: Open the two-step verification page
- Open a browser on your computer and navigate to the two-step verification page.
- Sign in to your Google account.
- Read the instructions given and click “Get Started” to proceed.
Step 2: Choose a verification method
- You will see the options for setting up two-step verification in Gmail (text messages/phone calls, Google prompts, an authenticator app, or a security key).
- Google will typically suggest using Google prompts first if you have a compatible smartphone signed in.
- Click on “Show more options” if you prefer a different method or want to set up additional methods.
Step 3: Set up phone verification (Text/Call)
- If you choose verification via text message or phone call, you will get a six-digit code every time you log into your Gmail on a new device or after clearing cookies.
- Enter your mobile phone number. Choose whether to get codes via text message or phone call. Click “Next”.
Step 4: Complete the verification process
- You will get a code sent to your phone via the method selected.
- Enter the received code and click “Next” again.
Step 5: Turn on 2-factor authentication
- After successfully verifying your chosen method, you can activate the two-step verification process.
- Click “Turn on” to activate it.
Step 6: Set up Google prompts
- Google prompts display an approval screen on your trusted smartphone or tablet when you sign in.
- If not set up initially, select “Google prompt” from the verification options.
- Ensure you are signed in to your Google account on a compatible Android or iOS device (with the Google app or Gmail app installed). Google will automatically detect eligible devices. Follow the on-screen prompts to confirm.
Step 7: Use a security key
- A security key is a physical device (USB, NFC, or Bluetooth) that provides strong authentication.
- Select “Security Key” from the verification options (you might find it under “Show more options”).
- Click “Next” and follow the instructions to register your key by inserting it or bringing it near your device.
You can also set up the Google Authenticator app or backup codes as additional or alternative methods.
How to turn off 2FA for Gmail
To turn off 2-Step Verification for your Google account:
- Go to your Google Account.
- On the left navigation panel, select “Security”.
- Under the section “How you sign in to Google”, find and select “2-Step Verification”. You might need to log in again here.
- Select “Turn off”.
- Confirm your choice by tapping “Turn off” again.
- Destroy or delete any backup codes you have saved for this account to ensure they can’t be used.
These steps help ensure that 2FA is completely disabled, and all backup access methods are removed.
Setting up Gmail 2FA on Android or iOS devices
Setting up Two-factor authentication on Android or iOS is similar to the desktop process but initiated through device settings or the Gmail app.
Step 1: Access Google Account settings
- On Android: Go to Settings > Google > Manage your Google Account.
- On iOS: Open the Gmail app, tap your profile picture in the top-right corner, then tap “Manage your Google Account”. (Alternatively, use the Google app or visit myaccount.google.com in a browser).
Step 2: Navigate to Security settings
- Swipe over or tap to the “Security” tab.
- Scroll down to the “How you sign in to Google” section and tap “2-Step Verification”.
- Tap “Get started”. You might be asked to sign in again.
Step 3: Follow setup prompts
- Google will likely suggest Google Prompts first, recognizing the device you’re using. Tap “Continue”.
- It will ask for a backup option. Provide your phone number and choose to receive codes via text or call. Tap “Send”.
Step 4: Enter verification code
- Enter the code sent to your phone and tap “Next”.
Step 5: Turn on 2FA
- Review the settings and tap “Turn On” to activate 2-Step Verification.
After turning it on, you can add other methods like Authenticator apps or security keys via the 2-Step Verification settings page.
How to set up Email Multi-Factor Authentication for Microsoft 365
Step 1: Ensure you have the necessary administrative privileges (e.g., Global Administrator) to manage MFA settings.
Step 2: Microsoft recommends using Security Defaults or Conditional Access policies instead of legacy per-user MFA. If enabling Security Defaults:
- Sign in to the Microsoft 365 admin center.
- Navigate to the Azure Active Directory admin center (You might find this under Show all > Admin centers > Azure Active Directory).
- In the Azure AD admin center, select Azure Active Directory > Properties.
- Click on Manage Security defaults.
- Set the “Enable Security defaults” toggle to Yes.
- Click Save. (Note: This enables baseline security features, including MFA for admins and eventually all users).
Alternatively, for more granular control, use Conditional Access policies (requires Azure AD Premium P1 or P2 license).
Step 3: If you were previously using per-user MFA and are switching to Security Defaults or Conditional Access, you may need to disable it first.
- In the Microsoft 365 admin center, go to Users > Active users.
- Click on Multi-factor authentication near the top.
- Select users and change their MFA status to Disabled if necessary.
Step 4: Users will be prompted to register for MFA upon their next sign-in after Security Defaults or relevant Conditional Access policies are enabled. They will typically use the Microsoft Authenticator app.
How to set up Email Multi-Factor Authentication for Zoho Mail
Step 1: Log in to your Zoho account settings (accounts.zoho.com).
Step 2: In the left-side menu, click on Security, then select Multi-Factor Authentication.
Step 3: Choose your preferred MFA method. Options typically include:
- Zoho OneAuth App: (Recommended) Download the app (available for iOS and Android). You can set it up for push notifications, QR code scanning, or time-based one-time passwords (TOTP). Follow the on-screen instructions to link the app to your account, often involving scanning a QR code.
- Authenticator App (TOTP): Use other apps like Google Authenticator or Microsoft Authenticator. Select this option, scan the provided QR code with your chosen app, and enter the code displayed in the app to verify.
- SMS/Voice Call: Enter your phone number and verify it with a code sent via SMS or call.
- Security Key (YubiKey): Register a U2F/FIDO2 compliant hardware key.
Step 4: Follow the specific setup instructions for your chosen method to activate it.
Step 5: Zoho also provides backup verification codes and allows setting up trusted browsers to reduce the frequency of MFA prompts on familiar devices.
Google Authenticator
Google Authenticator is a mobile security application used to protect email apps and websites with Two-factor authentication. It generates Time-based One-Time Passwords (TOTP) on the user’s mobile device, derived from a secret shared with the service at enrolment and the current time. These codes provide a second layer of security for verification, enhancing the overall security.
Google Authenticator does not rely on SMS or network connectivity after the initial setup. The shared secret is stored locally on the user’s device, and the app computes each time-based, one-time code from it for sign-in purposes. This decentralized approach reduces unauthorized access to the email account, especially compared to SMS codes, which can potentially be intercepted.
Benefits of 2FA/MFA
The benefits of 2FA/MFA include:
- Extra Security: MFA adds another layer of security, making it significantly harder for unauthorized users to access your account, even if they have your password.
- Reduces Fraud and Phishing Impact: It helps prevent unauthorized access stemming from stolen credentials (e.g., via phishing), reducing the risk of identity theft, financial fraud, and data breaches. It also limits the damage of simple brute force attacks on weak passwords, since a guessed password alone is no longer enough to log in.
- Relatively Easy to Use: Once set up, using MFA is often straightforward. Methods like push notifications require just a tap, while authenticator apps provide readily available codes.
Downsides of 2FA/MFA
The downsides of using 2FA/MFA include:
- Inconvenience: It adds an extra step to the login process, which can be slightly slower, especially when accessing accounts frequently.
- Dependency on Devices: If your second factor is tied to a specific device (like a smartphone for app codes or SMS), losing, breaking, or having a dead battery on that device can lock you out of your account unless you have backup methods configured. It’s important to note that if someone steals your phone or SIM card, they might gain access to your second factor.
- Technical Issues: Delays in receiving SMS codes, issues with authenticator app time synchronization, or problems with push notifications can occasionally occur, hindering login attempts.
- Setup Complexity: While generally straightforward, the initial setup might seem daunting for less tech-savvy users.
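The device-dependency downside above is normally covered by backup codes, which the Gmail and Zoho sections also mention. The following is an added example (not code from the original post or from any provider named on it) of how a service can issue and redeem such codes safely: each code is generated from a CSPRNG, only a salted slow hash is stored, and a code is invalidated the first time it is used. `issue_backup_codes` and `BackupCodeStore` are hypothetical names; the alphabet, code length and iteration count are assumptions.

```python
"""Added example: single-use backup codes as a recovery factor.
Not from the original post; names and parameters are assumptions."""
import hashlib
import hmac
import secrets
import string

# Lowercase letters and digits are easy to read back from a printed sheet.
ALPHABET = string.ascii_lowercase + string.digits


def _hash_code(code: str, salt: bytes) -> bytes:
    """Backup codes are short, so use a slow KDF rather than a bare SHA-256."""
    normalised = code.replace("-", "").strip().lower().encode()
    return hashlib.pbkdf2_hmac("sha256", normalised, salt, 50_000)


class BackupCodeStore:
    """Server-side state: one salt per user and the hashes of unused codes."""

    def __init__(self, salt: bytes, hashes: set):
        self._salt = salt
        self._unused = set(hashes)

    def remaining(self) -> int:
        return len(self._unused)

    def redeem(self, code: str) -> bool:
        """Consume a code on first use; a second use of the same code is rejected."""
        candidate = _hash_code(code, self._salt)
        match = None
        for stored in self._unused:            # no early exit: constant work per attempt
            if hmac.compare_digest(candidate, stored):
                match = stored
        if match is None:
            return False
        self._unused.remove(match)
        return True


def issue_backup_codes(count: int = 10, length: int = 10):
    """Returns (plaintext codes to show the user once, store holding only their hashes).
    The caller displays the codes once and must not persist them."""
    salt = secrets.token_bytes(16)
    codes, hashes = [], set()
    for _ in range(count):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        codes.append(f"{raw[:length // 2]}-{raw[length // 2:]}")   # hyphen aids readability
        hashes.add(_hash_code(raw, salt))
    return codes, BackupCodeStore(salt, hashes)


if __name__ == "__main__":
    codes, store = issue_backup_codes()
    print("show these once:", codes)
    print("redeem first code:", store.redeem(codes[0]), "remaining:", store.remaining())
    print("reuse first code :", store.redeem(codes[0]))
```

Regenerating the set (which discards every old hash) is the server-side equivalent of the post's advice to destroy saved backup codes when 2FA is turned off, so codes written down earlier can no longer be used.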
Importance of Email security
It is important to invest in the security of email communications. While MFA/2FA secures account access, other layers are needed to protect against different threats. Email security also covers identifying and filtering out malicious or spam emails that may bypass standard spam filters. DMARC is one such added layer of security: it prevents phishing attacks and unauthorized domain abuse by verifying the sender’s authenticity. Major email service providers like Gmail, Outlook and Zoho Mail recommend that domain owners enable email authentication protocols like DMARC for protection against spoofing, phishing and ransomware attacks perpetrated through fake emails. A multi-layered security approach, including both strong authentication like MFA and sender verification like DMARC, helps organizations maintain productivity and protect data even when email threats prevail.
Spoofing and phishing are significant threats to the data shared through emails and can spread malware. Businesses can reduce the risk of having credentials and personal data compromised through various attacks by updating their email security procedures, including implementing MFA and configuring DMARC, SPF, and DKIM.
To enable authentication for your emails with DMARC:
- Sign up on a DMARC analyzer portal.
- Register your domains on the dashboard.
- Generate the necessary SPF, DKIM, and DMARC records (often with expert guidance or tools provided by the service).
- Publish these records in your DNS.
- Monitor DMARC reports through the portal to analyze email traffic, identify legitimate and fraudulent sources, and gradually enforce a stricter policy (p=reject or p=quarantine) to block unauthorized emails.
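The step "Publish these records in your DNS" is where typos most often creep in, and a broken record silently yields no reports or no enforcement. The following is an added example, not code from the original post or from PowerDMARC, of a small checker for the DMARC TXT record published at `_dmarc.<domain>`. It enforces the record rules from RFC 7489 that matter most (the `v=DMARC1` tag first, a valid `p=` policy, `mailto:` report addresses, `pct` in range) and flags a `p=none` record as monitoring-only, matching the post's advice to move to `quarantine` or `reject`. The sample records in the test are constructed; `parse_dmarc` and `DmarcCheck` are hypothetical names.

```python
"""Added example: validate a DMARC record string before publishing it in DNS.
Not from the original post; sample records are constructed."""
import re
from dataclasses import dataclass, field

# Tags defined by RFC 7489; anything else is ignored by receivers.
ALLOWED_TAGS = {"v", "p", "sp", "rua", "ruf", "adkim", "aspf", "pct", "fo", "rf", "ri"}
POLICIES = {"none", "quarantine", "reject"}


@dataclass
class DmarcCheck:
    tags: dict
    errors: list = field(default_factory=list)
    warnings: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        """Publishable when there are no errors; warnings are advisory."""
        return not self.errors


def parse_dmarc(record: str) -> DmarcCheck:
    """Split 'tag=value; tag=value' pairs and check them against RFC 7489 rules."""
    tags, errors, warnings = {}, [], []
    parts = [p.strip() for p in record.split(";") if p.strip()]

    for part in parts:
        if "=" not in part:
            errors.append(f"malformed tag: {part!r}")
            continue
        key, value = (s.strip() for s in part.split("=", 1))
        if key in tags:
            errors.append(f"duplicate tag: {key}")
        tags[key] = value
        if key not in ALLOWED_TAGS:
            warnings.append(f"unknown tag ignored by receivers: {key}")

    # The version tag must be first, and a policy is mandatory.
    if not parts or not re.fullmatch(r"v\s*=\s*DMARC1", parts[0]):
        errors.append("record must start with v=DMARC1")
    policy = tags.get("p")
    if policy is None:
        errors.append("missing required p= tag")
    elif policy not in POLICIES:
        errors.append(f"invalid policy {policy!r}; use none, quarantine or reject")
    if "sp" in tags and tags["sp"] not in POLICIES:
        errors.append(f"invalid subdomain policy {tags['sp']!r}")

    # pct must be an integer percentage.
    if "pct" in tags and not (tags["pct"].isdigit() and 0 <= int(tags["pct"]) <= 100):
        errors.append("pct must be an integer from 0 to 100")

    # Report destinations are comma-separated mailto: URIs.
    for tag in ("rua", "ruf"):
        for uri in (u.strip() for u in tags.get(tag, "").split(",") if u.strip()):
            if not uri.startswith("mailto:"):
                errors.append(f"{tag} destination must be a mailto: URI, got {uri!r}")

    # Advisory findings that map onto the monitoring-then-enforce rollout.
    if "rua" not in tags:
        warnings.append("no rua= address: aggregate reports will not be received")
    if policy == "none":
        warnings.append("p=none only monitors; move to quarantine or reject once sources are verified")

    return DmarcCheck(tags, errors, warnings)


if __name__ == "__main__":
    for rec in ("v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com",
                "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
                "p=reject; v=DMARC1"):
        result = parse_dmarc(rec)
        print(rec, "->", "OK" if result.ok else "ERRORS", result.errors, result.warnings)
```

Run the checker over the record text before pasting it into the DNS console; once published, the same function can be applied to the value returned by a DNS lookup to confirm that what is live matches what was intended.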
Conclusion
Using passwords alone to log into email accounts is no longer sufficient to protect against sophisticated cyber threats. It is important to enhance the security of email accounts using all available methods.
One crucial method is Multi-Factor Authentication (MFA), often implemented as Two-Factor Authentication (2FA), which provides an additional layer of security by requiring more than just a password for login. Whether through SMS codes, authentication apps, biometric methods, or hardware tokens, MFA ensures that even if your password is compromised, your account and information remain significantly more secure.
Implementing MFA across your email platforms (Gmail, Microsoft 365, Zoho, etc.) and combining it with robust email authentication protocols like DMARC creates a strong defense against unauthorized access, phishing, and spoofing. Make MFA a standard practice and encourage others to do the same, fostering a more secure online environment for everyone. Remember that in the current digital landscape, a little extra effort in security goes a long way in protecting what matters most.