ToolSec

🔑 Passwords & Secrets

What Is Two-Factor Authentication (2FA)?

· 6 min read · Updated June 27, 2026

Passwords get phished, guessed and leaked. Two-factor authentication (2FA) adds a second lock so that a stolen password isn't enough to break in. It's one of the highest-impact security steps you can take — here's how it works and which type to use.

The three authentication factors

Authentication factors fall into three categories:

  • Something you know — a password or PIN.
  • Something you have — a phone, an authenticator app, or a hardware key.
  • Something you are — a fingerprint or face scan.

Two-factor authentication requires two of these from different categories. A password plus a code from your phone counts; a password plus a security question does not, because both are "something you know." (You'll also see "MFA" — multi-factor authentication — which simply means two or more factors; 2FA is the most common form.)

Why a password alone isn't enough

Even a strong, unique password can be stolen through a phishing site, a malware keylogger or a breach of the service itself. With 2FA, an attacker who has your password still can't log in without the second factor. That single extra step blocks the overwhelming majority of account-takeover attacks.

Types of 2FA, from weakest to strongest

  • SMS codes. A one-time code texted to your phone. Better than nothing, but vulnerable to SIM-swapping (an attacker hijacks your number) and interception. Avoid for high-value accounts if you can.
  • Authenticator apps (TOTP). An app like Google Authenticator or Authy generates a time-based code that changes every 30 seconds. The secret stays on your device, so there's no SMS to intercept. A strong, widely available choice.
  • Push notifications. The service sends an "approve?" prompt to a trusted app. Convenient, but watch out for "MFA fatigue" attacks where you're spammed into approving by accident.
  • Hardware security keys (FIDO2 / passkeys). A physical key (or a passkey stored in your device) that proves possession cryptographically. These are phishing-resistant — the key won't authenticate to a fake site — making them the gold standard.

How TOTP works (briefly)

Time-based one-time passwords combine a shared secret with the current time and run it through HMAC to produce a short code that both your app and the server compute independently. Because it's based on the clock, the code changes every 30 seconds and needs no network connection.

Practical advice

  • Turn on 2FA everywhere it's offered, starting with email (your password-reset hub) and banking.
  • Prefer an authenticator app or hardware key over SMS.
  • Save your backup/recovery codes somewhere safe in case you lose your device.
  • For organisations, mandate MFA in your password policy.

Related tools

Pair strong 2FA with strong credentials: generate them with our password generator, test them with the strength checker, and set organisation rules (including required MFA) with the password policy generator.

Frequently asked questions

What is two-factor authentication?

A login method that requires two different types of proof — for example something you know (a password) plus something you have (a code from your phone). A stolen password alone isn't enough to get in.

Is SMS 2FA secure?

It's better than no 2FA, but weaker than the alternatives. SMS codes can be intercepted or stolen via SIM-swapping. Prefer an authenticator app or, best of all, a hardware security key.

What's the most secure form of 2FA?

Hardware security keys (FIDO2 / passkeys). They prove possession cryptographically and are phishing-resistant — the key won't authenticate to a fake website, unlike codes a user can be tricked into entering.
