Passwords aren’t enough anymore
You’ve probably heard this before, and it’s true. Passwords, on their own, are a weak way to protect an account.
People reuse them across sites. They pick ones that are easy to guess. Data breaches leak millions of credentials at a time. And phishing attacks trick people into handing over their passwords willingly.
Two-factor authentication (2FA) exists because even a good password can be compromised. The idea is straightforward: require a second piece of proof before granting access.
Something you know, something you have
Authentication factors fall into three categories:
- Something you know - a password, PIN, or security question answer
- Something you have - a phone, a hardware key, an authenticator app
- Something you are - a fingerprint, face scan, or other biometric
Standard login uses one factor: your password (something you know). Two-factor authentication adds a second one, usually something you have. So even if someone steals your password, they can’t get in without also having your physical device.
That’s the whole concept. Two separate proofs, from two separate categories.
Types of 2FA
Not all second factors work the same way. Here are the most common ones.
SMS codes
The service sends a text message with a numeric code to your phone. You type it in to complete the login. This is the most widely available form of 2FA and the easiest to set up, since you just need a phone number.
The downside is that SMS has known security weaknesses. Text messages can be intercepted, and attackers can hijack phone numbers through SIM swapping. It’s still better than no 2FA, but there are stronger options.
Authenticator apps (TOTP)
Apps like Google Authenticator, Authy, or 1Password generate temporary codes on your device. These codes change every 30 seconds and are calculated using a shared secret and the current time. No text message, no network connection needed.
This is called TOTP, or Time-Based One-Time Password. It’s more secure than SMS because no code is ever delivered to you over a network where it could be intercepted: the code is generated locally on your device from the shared secret and the current time, and only the short-lived code you type in ever leaves the device. If you want to understand the mechanics, there’s a detailed explanation in “What is TOTP?”.
Hardware security keys
Physical devices like a YubiKey or Google Titan key plug into your computer’s USB port (or connect via NFC or Bluetooth). When prompted during login, you tap the key to authenticate.
Hardware keys are considered the strongest form of 2FA. They’re resistant to phishing because the key communicates directly with the website using cryptographic protocols. An attacker would need to physically steal your key to use it.
The trade-off is cost (typically $25-$50 per key) and the need to carry the device with you.
Push notifications
Some services send a push notification to your phone asking you to approve or deny a login attempt. You tap “Approve” and you’re in. Microsoft Authenticator and Duo use this approach.
It’s convenient, but push-based 2FA has been targeted by “MFA fatigue” attacks, where an attacker repeatedly triggers login attempts until the user approves one just to stop the notifications. Some implementations now require you to enter a number shown on screen to mitigate this.
Why 2FA matters
The numbers make a pretty clear case. Google reported that adding any form of 2FA blocks 100% of automated bot attacks, 99% of bulk phishing attacks, and 66% of targeted attacks. Microsoft found similar results: accounts with 2FA enabled are 99.9% less likely to be compromised.
These aren’t security-vendor marketing claims. They’re based on data from billions of login attempts across real accounts.
Even if you use a strong, unique password for every account (and most people don’t), 2FA provides a safety net. Your password can show up in a breach, get captured by a keylogger, or leak through a phishing site. The second factor stops the attacker from actually getting in.
How to set it up
Setting up 2FA varies slightly by service, but the general process is the same:
- Go to your account’s security settings
- Look for “Two-factor authentication,” “2-step verification,” or “Multi-factor authentication”
- Choose your method (authenticator app is recommended)
- If using an authenticator app, scan the QR code the service shows you
- Enter the code from your app to confirm it’s working
- Save the backup codes the service provides, somewhere safe and separate from your password
The whole thing takes about a minute per account.
Which accounts to prioritize
You probably have dozens of online accounts. Start with the ones that matter most:
- Email (if someone gets into your email, they can reset passwords for everything else)
- Banking and financial services
- Cloud storage (Google Drive, iCloud, Dropbox)
- Social media accounts
- Password manager (if yours supports 2FA, and it should)
Common concerns
“What if I lose my phone?” This is the most common worry. That’s what backup codes are for. When you set up 2FA, the service gives you a set of one-time recovery codes. Print them or save them in a secure location. Some authenticator apps also offer cloud backup.
“Isn’t it annoying?” A little. Logging in takes an extra 10 seconds. Most services remember your device for 30 days, so you won’t need the code every time. The inconvenience is minor compared to dealing with a compromised account.
“I’m not important enough to be targeted.” Most account breaches aren’t targeted. They’re automated. Attackers buy leaked credential lists and try them across thousands of sites. 2FA stops these bulk attacks cold.
Get started
If you’ve been putting this off, pick one account right now (your email is a good place to start) and turn on 2FA. The process is quick, and you’ll meaningfully reduce your risk.
If you want to try generating TOTP codes before setting anything up, you can experiment with 2fa.zip. It runs in your browser, doesn’t store anything on a server, and gives you a feel for how authenticator codes work.