What Is 2FA?
Two-factor authentication, in one sentence: instead of just a password, you also need something else to sign in — usually a 6-digit code from your phone. This guide explains the methods, the trade-offs, and the fastest way to turn it on.
The two factors
"Two-factor" means two different categories of proof:
- Something you know — your password.
- Something you have — your phone, a hardware key, a backup code.
- Something you are — fingerprint, Face ID. (Usually this only unlocks the device or a passkey stored on it; the biometric itself is not sent to online accounts.)
A password alone is one factor. A password + a 6-digit code from your phone is two factors. That's why even if your password leaks in a breach, an attacker still can't sign in.
The 2FA methods compared
| Method | Strength | Best for |
|---|---|---|
| Hardware security key | Highest | Email, password manager, GitHub admin |
| Passkey | Very high | Where supported (Apple, Google, GitHub) |
| Authenticator app (TOTP) | High | Everywhere — the default recommendation |
| Push notification | Medium | When the service supports it |
| SMS code | Low | Last resort — better than no 2FA |
How TOTP authenticator codes work
TOTP (Time-based One-Time Password, RFC 6238) is the standard behind Google Authenticator, Authy, and 2FAA. The recipe is simple:
- The service gives you a secret key (a short Base32 string) when you set up 2FA — usually as a QR code.
- Your authenticator stores that secret and combines it with the current time to generate a 6-digit code.
- The code changes every 30 seconds. The service runs the same math on its end to check whether your code matches.
- The secret never leaves your device after setup. Only the short-lived 6-digit code is sent when you sign in; the secret itself is never transmitted over the network.
Try 2FA in 60 seconds
2FAA is a free, browser-based TOTP authenticator. No install, no account. Add a secret, get codes.
FAQ
What is 2FA in simple terms?
2FA (two-factor authentication) means you need two different things to sign in: something you know (your password) and something you have (a phone with a 6-digit code, a hardware key, etc.). Even if someone steals your password, they can't get in without the second factor.
Is 2FA the same as two-step verification?
Yes, in everyday use. Some services say '2FA' (Discord, GitHub), others say '2-step verification' (Google, PayPal). They mean the same thing — a second check after your password.
Which 2FA method is the safest?
Ranked safest to weakest: (1) hardware security key like YubiKey, (2) passkey, (3) authenticator app (TOTP), (4) push notification, (5) SMS. SMS is the weakest — SIM-swap attacks can intercept text codes — but it's still much better than no 2FA at all.
Do I need 2FA on every account?
Turn it on for accounts that would hurt if compromised: email, banking, password manager, social media, GitHub, Discord, gaming accounts with stored payment. For low-value accounts (e.g., a forum you barely use), it's optional.
Can 2FA be hacked?
SMS 2FA can be defeated by SIM swap or phishing. Authenticator-app 2FA can be defeated by phishing sites that proxy the login. Hardware security keys and passkeys are phishing-resistant — they verify the actual domain. 2FA is not bulletproof, but it raises the cost of attack enough to block almost all opportunistic threats.