Two-factor authentication (2FA) is a security mechanism that requires a user to verify their identity using two distinct pieces of evidence before gaining access to an account or system. Rather than relying on a password alone, 2FA combines something the user knows (their password) with something they have or are, such as a physical device or a biometric trait.
The core principle behind 2FA is that a stolen password is not enough on its own to compromise an account. Even if an attacker obtains a user's credentials through phishing or a data breach, they would still need to pass the second verification step. This dramatically reduces the risk of unauthorized access, and security researchers consistently find that enabling 2FA blocks the vast majority of automated credential-stuffing and account takeover attacks.
Common Types of Second Factors
The most widely used form of 2FA on the web is TOTP (Time-based One-Time Password), also called an authenticator app code. An app such as Google Authenticator or Authy generates a six-digit code that refreshes every 30 seconds, derived from a shared secret and the current timestamp. Because the code expires so quickly, intercepting it is far less useful to an attacker.
SMS-based 2FA sends a one-time code to the user's registered phone number via text message. While it offers a meaningful improvement over a password alone, SMS is considered the weakest second factor because phone numbers can be hijacked through SIM-swapping attacks, where a malicious actor convinces a mobile carrier to transfer the victim's number to a new SIM card.
Hardware security keys, such as those conforming to the FIDO2 or WebAuthn standard, represent the strongest form of 2FA. These physical devices - typically small USB or NFC tokens - perform a cryptographic challenge-response that is bound to the specific website, making them inherently resistant to phishing. Even if a user is tricked into visiting a fraudulent site, the hardware key will not authenticate because the domain does not match.
2FA in the Broader Authentication Landscape
2FA is often discussed alongside related concepts. Multi-factor authentication (MFA) is the broader term that encompasses any combination of two or more factors, making 2FA technically a subset of MFA. Passkeys represent an emerging alternative that folds both factors into a single step using device-based cryptography, effectively replacing the traditional password-plus-code model. OAuth-based login flows, which allow users to sign in with an existing identity provider, can also enforce 2FA at the provider level, extending that protection across connected applications.
For developers and site owners, offering 2FA - particularly TOTP or hardware key options - is considered a foundational security measure. For end users, enabling any form of 2FA on critical accounts such as email, banking, and domain registrars provides a substantial reduction in account compromise risk compared to password-only authentication.