Signing in to a service

Multi-factor authentication using a code generator

A code is generated on a device and entered into a computer.


Multi-factor authentication adds an extra layer of security on top of a username and password. In this type of multi-factor authentication, an app or a device generates a code which a person can use to access a service. The code is specific to the person and their device. It’s single use, and expires after a short amount of time. It is also known as Time-based One-Time Password (TOTP). A user can set up multi-factor authentication for their email account and use an authenticator app for generating codes.

IF thinks this pattern is useful because it adds a layer of security to accounts without adding too much friction to the experience. Codes are usually short enough to type quickly. But it does require people having access to a smartphone and opening a separate app. If used too frequently, this can be frustrating. Give people the option to choose different multi-factor authentication patterns depending on their context, like multi-factor authentication using text message.


  • If one security factor is compromised, the attacker has another barrier to get through.
  • No need for an internet connection or phone signal.
  • No delay with receiving codes.


  • People might need recovery codes for when they lose or upgrade their phone, or run out of battery.
  • Requires a smartphone with a code generator app installed.
  • Generator apps can be lost if something happens to the device.
  • Doesn’t prevent phishing attacks.
  • Can be hard to find the code you need if you have a large number of services in the generator app.
  • Requires people to navigate away from the service and open up a separate app.