Two-Factor Authentication (2FA)
Last updated: 2026-03-22
What Is Two-Factor Authentication
Two-factor authentication (2FA) is a security mechanism that strengthens account protection by requiring an additional authentication factor beyond your password when logging in.
Authentication factors fall into three categories: knowledge (something you know, such as a password), possession (something you have, such as a smartphone or security key), and inherence (something you are, such as a fingerprint). Two-factor authentication combines two factors from different categories. The most common combination is a password (knowledge) plus a smartphone authenticator app (possession).
Even if your password is compromised through credential stuffing or a data breach, an attacker cannot log in with the password alone when two-factor authentication is enabled. According to Google's research, even SMS-based 2FA can prevent 96% of account takeovers.
Types and Strength of Two-Factor Authentication
The Importance of Phishing Resistance
When choosing a type of two-factor authentication, the most critical factor to consider is phishing resistance.
SMS authentication and TOTP can be bypassed if a user enters their code on a phishing site. In "real-time phishing" (an adversary-in-the-middle proxy), the attacker relays the user's password and one-time code to the legitimate site within the code's validity window, so the 2FA check passes for the attacker's session. This technique has been automated with tools like Evilginx, lowering the technical barrier significantly.
In contrast, FIDO2 security keys and passkeys bind each credential to the website's origin (domain) and check it during authentication, so an authentication started on a phishing domain cannot succeed against the legitimate site. For accounts requiring high security (email, financial, admin accounts, etc.), phishing-resistant authentication methods are strongly recommended.
Implementation Considerations
- Store Recovery Codes Safely: In case you lose your authentication device, store recovery codes in a secure location (printed on paper and kept in a safe, saved in a password manager, etc.). Without a recovery method, you'll lose access to your account.
- Backup Authentication Methods: If you use a security key as your primary authentication method, keep a spare key or set up TOTP as a backup.
- Enable on All Accounts: Set up 2FA on all important accounts including email, social media, cloud storage, and financial services. Email accounts should be the top priority since they're used for password resets on other services.
- Combine with SSO: Setting up strong 2FA on your SSO provider protects all connected services.
To learn more about this topic, see Two-Factor Authentication (2FA): The Best Defense for Your Accounts.
Common Misconceptions
- Misconception: SMS authentication is secure enough.
  - SMS can be bypassed through SIM swap attacks and real-time phishing. While far safer than having no 2FA at all, stronger methods like TOTP or security keys are recommended for important accounts.
- Misconception: With two-factor authentication enabled, a simple password is fine.
  - Two-factor authentication is an additional layer of defense, not a substitute for a strong password. Maximum security is achieved by combining a strong password with two-factor authentication.
SMS Authentication vs. TOTP Authentication
SMS Authentication
Sends a code to your phone number. Easy to use with no additional app required, but vulnerable to SIM swap attacks. Cannot receive codes outside of cellular coverage. No phishing resistance.
TOTP Authentication
Authenticator app generates codes on the device. Works offline without network connectivity. Not affected by SIM swap attacks. No phishing resistance, but more secure than SMS.
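The following added example (not code from the original page) shows both points made above: how a TOTP app derives a code offline from a shared secret and a clock (RFC 6238 on top of RFC 4226), and why a TOTP code, unlike an origin-bound passkey assertion, can be relayed by a real-time phishing proxy. The two origins are constructed, and HMAC stands in for the public-key signature that WebAuthn actually uses (a simplification, not the real protocol).

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step). Needs only a clock, no network."""
    return hotp(secret, now // step, digits)

def verify_totp(secret: bytes, submitted: str, now: int, step: int = 30, window: int = 1) -> bool:
    """Server-side check tolerating +/-window steps of clock drift.
    Note what is NOT an input: the site on which the user typed the code."""
    candidates = [totp(secret, now + k * step, step) for k in range(-window, window + 1)]
    return any(hmac.compare_digest(c, submitted) for c in candidates)

# Passkey-style assertion (simplified): the authenticator signs the server's challenge
# together with the origin the browser actually saw. HMAC is a stand-in for the signature.
def sign_assertion(device_key: bytes, challenge: bytes, origin_seen: str) -> bytes:
    return hmac.new(device_key, challenge + origin_seen.encode(), hashlib.sha256).digest()

def verify_assertion(device_key: bytes, challenge: bytes, expected_origin: str, sig: bytes) -> bool:
    return hmac.compare_digest(sign_assertion(device_key, challenge, expected_origin), sig)

LEGIT = "https://example.test"   # constructed origin of the real service
PHISH = "https://examp1e.test"   # constructed look-alike origin of the proxy

def relayed_totp_accepted(secret: bytes, now: int) -> bool:
    """Real-time phishing: the user types the current code on PHISH and the proxy forwards it
    to LEGIT within the same time step. Nothing in the code ties it to a domain, so it passes."""
    code_typed_on_phish = totp(secret, now)
    return verify_totp(secret, code_typed_on_phish, now)

def relayed_assertion_accepted(device_key: bytes, challenge: bytes) -> bool:
    """Same relay against an origin-bound assertion: the browser on PHISH signs PHISH's origin,
    so the forwarded assertion fails LEGIT's origin check."""
    sig = sign_assertion(device_key, challenge, PHISH)
    return verify_assertion(device_key, challenge, LEGIT, sig)

if __name__ == "__main__":
    seed = b"12345678901234567890"            # RFC 6238 test-vector seed
    print(totp(seed, 59))                     # 287082
    print(relayed_totp_accepted(seed, 59))    # True
    print(relayed_assertion_accepted(b"device-key", b"challenge-1"))  # False
```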