What Is Two-Factor Authentication?
Two-factor authentication (2FA) is a security mechanism that requires you to provide two separate proofs of identity before gaining access to an account. Even if an attacker steals your password, they cannot log in without the second factor.
Types of Second Factors
| Method | How It Works | Security Level |
|---|---|---|
| SMS code | One-time code sent to your phone number via text | Low - Vulnerable to SIM swapping and SS7 attacks |
| Email code | One-time code sent to your email address | Low - Depends entirely on email account security |
| TOTP app (e.g. Authy, Google Authenticator) | Time-based 6-digit code generated locally every 30 seconds | High - Code never transmitted until you type it |
| Hardware key (FIDO2 / YubiKey) | Physical device you tap or insert; cryptographic challenge-response | Very High - Phishing-resistant by design |
| Push notification | App on your phone asks you to approve the login | Medium - Vulnerable to MFA fatigue attacks |
| Passkey (WebAuthn) | Device-stored cryptographic key pair; replaces password + 2FA | Very High - No shared secret to steal |
Setting Up 2FA Correctly
- Prefer a TOTP app or hardware key over SMS for any account that protects money, email, or sensitive data.
- Save your backup codes in a password manager or printed document stored securely offline.
- Enable 2FA on your email account first; it is the recovery path for most of your other accounts.
- Never approve a push notification for a login you did not initiate; an unexpected prompt is the signature of MFA fatigue phishing.
- If a site only offers SMS 2FA, it is still better than no 2FA at all.
Where to Enable 2FA First
Prioritize accounts in this order: email provider, password manager, bank and financial accounts, cloud storage (Google Drive, Dropbox, iCloud), social media, and domain registrars. Any account that could be used to reset another account is a high-priority target.