What Is Two-Factor Authentication?
Two-factor authentication (2FA) is a security mechanism that requires you to provide two separate proofs of identity before gaining access to an account. Even if an attacker steals your password, they cannot log in without the second factor.
Types of Second Factors
| Method | How It Works | Security Level |
|---|---|---|
| SMS code | One-time code sent to your phone number via text | Low - Vulnerable to SIM swapping and SS7 attacks |
| Email code | One-time code sent to your email address | Low - Depends entirely on email account security |
| TOTP app (e.g. Authy, Google Authenticator) | Time-based 6-digit code generated locally every 30 seconds | High - Code never transmitted until you type it |
| Hardware key (FIDO2 / YubiKey) | Physical device you tap or insert; cryptographic challenge-response | Very High - Phishing-resistant by design |
| Push notification | App on your phone asks you to approve the login | Medium - Vulnerable to MFA fatigue attacks |
| Passkey (WebAuthn) | Device-stored cryptographic key pair; replaces password + 2FA | Very High - No shared secret to steal |
Setting Up 2FA Correctly
- Prefer a TOTP app or hardware key over SMS for any account that protects money, email, or sensitive data.
- Save your backup codes in a password manager or printed document stored securely offline.
- Enable 2FA on your email account first: it is the recovery path for most other accounts.
- Never approve a push notification you did not initiate; that is MFA fatigue phishing.
- If a site only offers SMS 2FA, it is still better than no 2FA at all.
Where to Enable 2FA First
Prioritize accounts in this order: email provider, password manager, bank and financial accounts, cloud storage (Google Drive, Dropbox, iCloud), social media, and domain registrars. Any account that could be used to reset another account is a high-priority target.
How TOTP Codes Actually Work
A shared secret plus the clock
When you scan a 2FA QR code, the site hands your authenticator app a secret key. From then on, the app computes a 6-digit code from that secret and the current time using the TOTP algorithm (RFC 6238, built on the HMAC-based HOTP of RFC 4226). The server holds the same secret and does the same maths; if the codes match, you're in. Nothing travels over the network until you type the code, which is why TOTP works in airplane mode.
Why codes expire every 30 seconds
The time input is rounded down to 30-second windows, so each code is valid only briefly (servers typically accept one window either side to absorb clock drift). A phished code is therefore useful to an attacker for under a minute, vastly better than a static password, though still not as phishing-proof as a hardware key, which verifies the site's identity cryptographically before it answers at all.
Step by Step: Enabling TOTP on Any Account
| Step | Action |
|---|---|
| 1 | Install an authenticator app: Aegis or Google Authenticator (Android), Raivo or Google Authenticator (iOS), or your password manager's built-in TOTP feature |
| 2 | In the account's settings, find Security → Two-Factor Authentication (sometimes "2-Step Verification" or "MFA") and choose Authenticator app |
| 3 | Scan the QR code with the app; it will immediately start showing 6-digit codes for that account |
| 4 | Type the current code back into the site to confirm the pairing |
| 5 | Save the backup codes the site offers: print them or store them in your password manager, not in screenshots on the same phone |
| 6 | Log out and back in once to verify the flow works before you forget the recovery details |
When You Lose Your Second Factor
Phones break and keys get lost, so recovery planning is part of 2FA. Backup codes are the universal answer; a second hardware key kept at home is the robust one; and TOTP apps with encrypted cloud backup (or export/import) let you migrate to a new phone in minutes. What to avoid: SMS as your only fallback (it reintroduces the SIM-swap weakness the stronger factor was protecting against) and email fallback on an account whose email itself lacks 2FA. Pair all of this with a strong, unique password (see how to create a strong password, and test candidates with the password strength checker), and check whether your existing credentials have already leaked with the breach check tool.
What This Means for You
Stolen and reused passwords, not exotic hacking, are how most accounts fall, and 2FA breaks exactly that attack. You do not need to secure everything at once: enable it on your email first (it can reset every other account), then your password manager, then finance. A TOTP app costs nothing and removes the SIM-swap risk of SMS; a pair of hardware keys removes phishing risk almost entirely. Whichever tier you choose, store the backup codes the moment they are shown: the single most common 2FA disaster is self-lockout, and it is entirely preventable.
Frequently Asked Questions
Is SMS two-factor authentication still worth using?
Yes, if it is the only option; it still defeats bulk password-stuffing attacks. But SMS codes can be intercepted through SIM-swapping and SS7 weaknesses, so for email, banking, and crypto accounts, switch to an authenticator app or hardware key whenever the site supports one.
What happens to my 2FA codes if I lose my phone?
The accounts remain locked to anyone without your second factor, including you. That is what backup codes are for: each site issues single-use recovery codes when you enable 2FA. Store them in a password manager or printed somewhere safe, and prefer authenticator apps that support encrypted backups or export.
What is the difference between 2FA and a passkey?
2FA adds a second check on top of your password. A passkey (WebAuthn) replaces the password entirely with a cryptographic key pair stored on your device and unlocked by biometrics or a PIN. It is phishing-resistant by design, because the key only answers the genuine site. Many services now offer both.