How two-factor authentication works
Authentication factors fall into three categories: something you know (a password or PIN), something you have (a phone, an authenticator app, a hardware key), and something you are (biometrics like a fingerprint). Two-factor authentication requires factors from two different categories. That is the key idea: an attacker who steals your password still can’t log in, because they don’t have your second factor. Requiring two of the same type — two passwords, say — is not true 2FA.
The types of second factor, from weakest to strongest
- SMS text codes. Convenient and better than nothing, but the weakest option: vulnerable to SIM swapping and interception.
- Authenticator apps (TOTP). Apps that generate a rotating 6-digit code on your device. Much stronger than SMS because there’s no phone number to hijack.
- Push-approval apps. A prompt you approve on your phone. Convenient, but beware “MFA fatigue” attacks that spam approvals hoping you tap yes.
- Hardware security keys (FIDO2 / passkeys). The strongest, phishing-resistant option. A physical key or passkey cryptographically verifies the real site, so it can’t be tricked by a look-alike phishing page.
Why 2FA matters so much
The majority of account takeovers rely on a stolen or reused password. Two-factor authentication breaks that model: even if your password is leaked in a data breach or captured by credential stuffing, the attacker still hits a wall at the second factor. Enabling it on your email, financial, and cloud accounts closes off the most common path to compromise — which is why it’s the highest-return security habit you can adopt.