Two-Factor Authentication (2FA), often marketed as two-step verification, requires a second, independent proof of identity at login. An attacker who steals or guesses your password still cannot sign in without that second factor.
The Three Authentication Factors
- Something you know — Password, PIN.
- Something you have — Phone, hardware token, smart card.
- Something you are — Fingerprint, face recognition, voice.
2FA combines two factors from different categories; a password plus a PIN is still only one factor (two things you know). Most consumer implementations pair a password (something you know) with a one-time code generated by or sent to a phone (something you have).
Types of 2FA
- SMS/Text code — A one-time code sent to your phone number. Convenient, but the code can be stolen by SIM-swapping, intercepted in the phone network, or simply typed into a phishing page that asks for it.
- Authenticator app — Apps like Google Authenticator, Authy or Microsoft Authenticator generate time-based one-time passwords (TOTP) from a secret shared with the site at enrollment (usually via a QR code). More secure than SMS because no code travels over the phone network, but a phishing page can still relay a freshly typed code to the real site within its 30-second validity window.
- Hardware security key — Physical keys like YubiKey that implement FIDO2/WebAuthn. The most secure form: the browser binds the key's signature to the site's origin, so a look-alike phishing domain cannot obtain a response that works on the real site. Phishing-resistant.
- Biometrics — Fingerprint or face recognition on a registered device. In practice the biometric usually unlocks a credential stored on that device, so it acts as something you are gating something you have.
- Email code — One-time code sent to an email address. Weak as a second factor when the mailbox is protected by the same password, or is already compromised, because the attacker then holds both factors.
Why 2FA Matters
Industry breach reports consistently attribute the majority of hacking-related breaches to weak, reused or stolen passwords. 2FA defeats credential stuffing and password spraying outright, since the attacker holds only the password, and the phishing-resistant forms also defeat real-time phishing. Enabling it on your most important accounts (email first, since email resets everything else, then banking and work tools) is one of the most impactful security steps you can take.