Threat Glossary

What is two-factor authentication (2FA)?

Two-factor authentication (2FA) is a security method that requires two different proofs of identity to log in: something you know (your password) plus a second factor — something you have (a code or a hardware key) or something you are (a fingerprint or face scan). It is a subset of multi-factor authentication (MFA).

Passwords fail constantly — they get phished, reused, and leaked in breaches. Two-factor authentication is the single most effective step most people can take to prevent account takeover, because it means a stolen password isn’t enough on its own. But not all second factors are equally strong. Here’s how 2FA works, the different types, and which to choose.

How two-factor authentication works

Authentication factors fall into three categories: something you know (a password or PIN), something you have (a phone, an authenticator app, a hardware key), and something you are (biometrics like a fingerprint). Two-factor authentication requires factors from two different categories. That is the key idea: an attacker who steals your password still can’t log in, because they don’t have your second factor. Requiring two of the same type — two passwords, say — is not true 2FA.

The types of second factor, from weakest to strongest

  • SMS text codes. Convenient and better than nothing, but the weakest option: vulnerable to SIM swapping and interception.
  • Authenticator apps (TOTP). Apps that generate a rotating 6-digit code on your device. Much stronger than SMS because there’s no phone number to hijack.
  • Push-approval apps. A prompt you approve on your phone. Convenient, but beware “MFA fatigue” attacks that spam approvals hoping you tap yes.
  • Hardware security keys (FIDO2 / passkeys). The strongest, phishing-resistant option. A physical key or passkey cryptographically verifies the real site, so it can’t be tricked by a look-alike phishing page.

Why 2FA matters so much

The majority of account takeovers rely on a stolen or reused password. Two-factor authentication breaks that model: even if your password is leaked in a data breach or captured by credential stuffing, the attacker still hits a wall at the second factor. Enabling it on your email, financial, and cloud accounts closes off the most common path to compromise — which is why it’s the highest-return security habit you can adopt.

How to protect yourself

Concrete steps you can take today to reduce your exposure.

Turn 2FA on for your email first

Your inbox resets everything else, so protect it first — with the strongest factor you can use.

Prefer an authenticator app over SMS

Switch important accounts from text-message codes to an authenticator app to remove the SIM-swap weakness.

Use a hardware key for critical accounts

For email, banking, and crypto, a FIDO2 security key or passkey gives phishing-resistant protection that fake login pages can’t defeat.

Save your backup codes

Store the one-time recovery codes each service provides somewhere safe so you don’t get locked out if you lose your device.

Beware approval-spam attacks

Never approve a push prompt you didn’t initiate. Repeated prompts can be an attacker trying to wear you down.

Pair 2FA with unique passwords

2FA is strongest alongside a unique password per account, so you’re never relying on a single control.

Frequently asked questions

What is the difference between 2FA and MFA?

Multi-factor authentication (MFA) means using two or more independent factors. Two-factor authentication (2FA) is MFA with exactly two factors. All 2FA is MFA, but MFA can also involve three or more factors.

Is SMS two-factor authentication safe?

SMS is much better than no second factor, but it is the weakest form because it can be defeated by SIM swapping, where an attacker hijacks your phone number to intercept the codes. For important accounts, use an authenticator app or a hardware security key instead.

What is the most secure type of two-factor authentication?

Hardware security keys using the FIDO2 standard (and passkeys built on it) are the most secure, because they are phishing-resistant — the key cryptographically confirms it is talking to the real website, so it cannot be tricked by a fake login page.

See what’s exposed about you — free

Attackers start with the data that’s already public: your leaked passwords, your breached accounts, and your address on data-broker sites. Run a free scan to see exactly what’s out there about you — then remove it.

The first scan is free with no signup. Broker removals are filed as your authorized agent under CCPA and state-equivalent law. Your results are private to you — we never sell your data.