What Is Two-Factor Authentication (2FA)?
By Justin Le
6 min read · Updated June 27, 2026

Passwords get phished, guessed and leaked. Two-factor authentication (2FA) adds a second lock so that a stolen password isn't enough to break in. It's one of the highest-impact security steps you can take. Here's how it works and which type to use.
The three authentication factors
Authentication factors fall into three categories:
- Something you know: a password or PIN.
- Something you have: a phone, an authenticator app, or a hardware key.
- Something you are: a fingerprint or face scan.
Two-factor authentication requires two of these from different categories. A password plus a code from your phone counts; a password plus a security question does not, because both are "something you know." (You'll also see "MFA", multi-factor authentication, which simply means two or more factors; 2FA is the most common form.)
Why a password alone isn't enough
Even a strong, unique password can be stolen through a phishing site, a malware keylogger or a breach of the service itself. With 2FA, an attacker who has your password still can't log in without the second factor. That single extra step blocks the overwhelming majority of account-takeover attacks.
Types of 2FA, from weakest to strongest
- SMS codes. A one-time code texted to your phone. Better than nothing, but vulnerable to SIM-swapping (an attacker hijacks your number) and interception. Avoid for high-value accounts if you can.
- Authenticator apps (TOTP). An app like Google Authenticator or Authy generates a time-based code that changes every 30 seconds. The secret stays on your device, so there's no SMS to intercept. A strong, widely available choice.
- Push notifications. The service sends an "approve?" prompt to a trusted app. Convenient, but watch out for "MFA fatigue" attacks where you're spammed into approving by accident.
- Hardware security keys (FIDO2 / passkeys). A physical key (or a passkey stored in your device) that proves possession cryptographically. These are phishing-resistant (the key won't authenticate to a fake site), making them the gold standard.
How TOTP works (briefly)
Time-based one-time passwords combine a shared secret with the current time and run them through HMAC to produce a short code that your app and the server each compute independently. Because it's based on the clock, the code changes every 30 seconds and needs no network connection.
Practical advice
- Turn on 2FA everywhere it's offered, starting with email (your password-reset hub) and banking.
- Prefer an authenticator app or hardware key over SMS.
- Save your backup/recovery codes somewhere safe in case you lose your device.
- For organisations, mandate MFA in your password policy.
Related tools
Pair strong 2FA with strong credentials: generate them with our password generator, test them with the strength checker, and set organisation rules (including required MFA) with the password policy generator.
Frequently asked questions
What is two-factor authentication?
A login method that requires two different types of proof, for example something you know (a password) plus something you have (a code from your phone). A stolen password alone isn't enough to get in.
Is SMS 2FA secure?
It's better than no 2FA, but weaker than the alternatives. SMS codes can be intercepted or stolen via SIM-swapping. Prefer an authenticator app or, best of all, a hardware security key.
What's the most secure form of 2FA?
Hardware security keys (FIDO2 / passkeys). They prove possession cryptographically and are phishing-resistant: the key won't authenticate to a fake website, unlike codes a user can be tricked into entering.
Try the related tools
- Password Generator: Create strong, random passwords with custom length and character sets, generated securely in your browser.
- Password Strength & Entropy Checker: Measure a password's entropy in bits and estimate how long it would take to crack.
- Password Policy Generator: Turn your password rules into a written policy plus Linux PAM and Windows config.
Related guides
- How to Create a Strong Password (and Why Length Wins): Forget swapping letters for symbols. Here's what really makes a password strong (entropy, length, uniqueness) and the simple system that beats memorising rules.
- HMAC Explained: How Webhook Signatures Work: How HMAC proves a message came from who you think it did, the mechanism behind Stripe and GitHub webhook signatures, and how to verify them safely.
- Bcrypt vs SHA-256: Why You Don't Hash Passwords with SHA: SHA-256 is fast, which is exactly why it's the wrong way to store passwords. Here's why bcrypt (or Argon2) wins, and how salting and cost factors work.