Two-factor authentication and form security

Home / Everything About / Everything About Forms / Two-factor authentication and form security

A password alone is not enough. Even a strong password can be guessed, stolen, or cracked by an attacker. If someone knows your password, they can access your account. Two-factor authentication (2FA) is the security layer that stops this. It requires a second verification step beyond the password, proving that you are who you claim to be even if your password is compromised.

This article covers how 2FA works, where to use it on your forms, which 2FA methods are most secure, and how to implement it without creating friction for legitimate users.

What you'll learn: What two-factor authentication is and why it matters, the different types of 2FA, how each method works, which forms need 2FA protection, and how to choose the right 2FA method for your use case.

What is two-factor authentication?

Two-factor authentication requires two separate forms of proof before granting access. The factors are usually categorized as:

  • Something you know: A password or PIN
  • Something you have: A phone, security key, or authenticator app
  • Something you are: A biometric like a fingerprint or face scan

A 2FA login flow typically looks like this:

  1. User enters their username and password
  2. System verifies the password is correct
  3. System prompts for a second factor (e.g., "Enter the code from your phone")
  4. User provides the second factor (e.g., enters "123456")
  5. System verifies the second factor
  6. User is granted access

If someone steals the password, they still cannot access the account without the second factor. This is what makes 2FA so effective.

Why 2FA is essential for form security

Passwords are stolen constantly

Data breaches expose millions of passwords every year. If your password was in a breached database somewhere, attackers have it. A strong password helps, but it is still just a password.

Password attacks are common

Attackers use brute force (trying millions of combinations), dictionary attacks (trying common passwords), and credential stuffing (using passwords from other breaches). These attacks work if there is nothing beyond the password.

Phishing attacks target passwords

Attackers send fake login pages that look like your site. Users submit their credentials to the fake page. If your site only requires a password, the attacker now has access. If 2FA is required, the attacker cannot use the password alone.

Account takeovers are costly

If someone gains access to a customer account, they can change the password, reset the account, make unauthorized purchases, or steal information. With 2FA, unauthorized access becomes much harder.

Types of two-factor authentication

SMS (text message) codes

How it works: User enters username and password. System sends a 6-digit code via text message to their phone. User enters the code from the text message.

Pros: Simple for users. Works on any phone (no app needed).

Cons: SMS can be intercepted or re-routed. Not the most secure method. Costs money to send SMS.

Best for: Customer-facing applications where ease of use matters more than maximum security.

Authenticator apps

How it works: User installs an app like Google Authenticator, Microsoft Authenticator, or Authy. When logging in, the app generates a time-based code (usually 6 digits that changes every 30 seconds). User enters this code.

Pros: Very secure. Cannot be intercepted. Free for users.

Cons: Requires users to install an app. If they lose their phone, they lose access unless they have backup codes.

Best for: High-security applications (admin panels, financial accounts, sensitive data). Acceptable friction is higher.

Hardware security keys

How it works: User has a physical key (like a USB stick). When logging in, the system asks for the key. User plugs the key in or taps it to their device. The key proves ownership.

Pros: Extremely secure. Cannot be hacked remotely. Works across many websites.

Cons: Users must purchase keys (30-50 dollars). Can be lost or forgotten. Not widely supported yet.

Best for: Maximum security scenarios (government, military, high-value accounts). Used by tech-savvy users.

Push notifications

How it works: User attempts login. System sends a push notification to the user's phone: "Do you want to approve this login?" User taps "Approve" in the notification.

Pros: Very user-friendly. No code to type. Phishing-resistant (user sees where the login is coming from).

Cons: Requires a specific app or system. Cannot be used if the phone is not available.

Best for: Mobile-first applications, consumer apps where user experience is critical.

Email codes

How it works: User enters username and password. System sends a code to their email address. User enters the code from the email.

Pros: Works without a phone. Accessible to all users.

Cons: Email can be hacked. User must check email, which is slower than other methods. Less secure than authenticator apps.

Best for: Low-security applications or as a fallback when other methods are unavailable.

Biometric (fingerprint, face)

How it works: User's device (phone or computer) uses built-in biometric sensors. User scans their fingerprint or face to approve login or action.

Pros: Very convenient. Very secure. Unique to the individual.

Cons: Requires device with biometric sensor. Biometric data storage raises privacy concerns.

Best for: Mobile apps, modern devices. Increasingly common as biometric hardware becomes standard.

Which forms need 2FA?

High-value forms (must have 2FA)

  • Login forms (admin panel, customer account, email)
  • Password reset forms
  • Account settings changes (especially email or password)
  • Payment or financial forms
  • Data deletion or sensitive operations

Medium-value forms (should have 2FA)

  • Account signup (to prevent account takeover from the beginning)
  • Forms that modify user data or preferences
  • Admin-only forms

Low-value forms (optional 2FA)

  • Contact forms (only collecting public information)
  • Newsletter signup (non-account form)
  • Survey forms

The rule: if the form can change the user's account, access sensitive data, or perform irreversible actions, use 2FA.

Implementing 2FA without excessive friction

Make 2FA optional initially, then mandatory for sensitive actions

Allow users to sign up without 2FA. But require 2FA when they try to access sensitive areas, change payment information, or change their password.

Provide multiple 2FA methods

Some users have phones, others do not. Some prefer authenticator apps, others prefer hardware keys. Offering multiple methods ensures everyone can use 2FA.

Provide backup codes

If 2FA is required and users lose their phone or authenticator app, they cannot access their account. Provide backup codes (single-use codes generated during setup) so users can log in if they lose their primary 2FA method.

Remember trusted devices

After a user completes 2FA on a device once, optionally "remember" that device so they do not need to complete 2FA every single time. This reduces friction while maintaining security for suspicious logins from unknown devices.

Use risk-based 2FA

If a user logs in from their normal location at their normal time using their normal device, maybe 2FA is not necessary. If a user logs in from a different country at 3 AM from a new device, require 2FA. This balances security and usability.

Recovery and backup plans

Users will lose their phones, forget apps, and lock themselves out. Have a plan:

  • Backup codes: Generate 10 single-use codes during 2FA setup that can be used if the primary method is unavailable
  • Account recovery: Allow users to verify their identity using security questions or email to regain access
  • Support process: Train support staff on how to verify identity and help locked-out users

2FA attack vectors and how to prevent them

SIM swapping

An attacker convinces a phone carrier to transfer the victim's phone number to a new SIM card. They then use SMS 2FA codes that are sent to the attacker's phone.

Prevention: Use authenticator apps or hardware keys instead of SMS. SMS is vulnerable to SIM swapping.

Phishing 2FA codes

An attacker creates a fake login page that asks for a 2FA code. The user enters the code. The attacker uses the code immediately to log into the real account.

Prevention: Use methods that show context (push notifications show "login at www.example.com") or hardware keys (which verify the website's domain). Code-based methods are vulnerable to this.

Lost or stolen devices

If the device with the 2FA app is lost or stolen, an attacker might be able to use it to access accounts.

Prevention: Require a device PIN or biometric to unlock the device. Require a PIN to open the authenticator app. Use backup codes and account recovery options.

What WEMASY does for 2FA

WEMASY supports multiple 2FA methods for admin accounts and customer accounts. You can require 2FA for login, password resets, and sensitive actions. WEMASY provides authenticator app integration, SMS codes, and email codes. Users can enable backup codes for recovery. You can optionally remember trusted devices to balance security and friction.

Learn more about security features and 2FA options in your account settings or on the pricing page.

Frequently asked questions

Is SMS 2FA better than nothing?

With WEMASY's <a href="/website-builder" target="_blank">website builder</a>, you can set this up directly on your website.

Can 2FA be bypassed?

What if users forget to set up 2FA?

How do backup codes work?

Should I require 2FA for all users or make it optional?