Passwords alone are not enough. It does not matter how strong your password is — if it gets leaked in a data breach, phished, or guessed, your account is compromised. Two-factor authentication (2FA) adds a second layer of proof that it is actually you logging in.
This guide explains how 2FA works, compares the different methods (SMS, authenticator apps, hardware keys, passkeys), and helps you set it up on the accounts that matter most.
What is Two-Factor Authentication?
Authentication factors are categories of proof:
| Factor | Type | Examples |
|---|---|---|
| Something you know | Knowledge | Password, PIN, security question |
| Something you have | Possession | Phone, hardware key, smart card |
| Something you are | Biometric | Fingerprint, face scan, iris |
Single-factor authentication uses just a password (something you know). Two-factor authentication requires two different categories — typically your password plus something you have (a code from your phone or a hardware key).
Why it works: An attacker who steals your password still cannot log in because they do not have your phone or hardware key. They would need to compromise both factors simultaneously.
2FA Methods Compared
SMS Codes
Your phone receives a text message with a 6-digit code.
| Pros | Cons |
|---|---|
| Easy to set up | SIM swapping attacks |
| No app needed | SMS can be intercepted |
| Works on any phone | Relies on cell service |
| | Delayed or undelivered messages |
Security verdict: Better than nothing, but the weakest 2FA method. SIM swapping — where an attacker convinces your carrier to transfer your number — is a real and growing threat. High-value accounts (banking, crypto, email) should use a stronger method.
TOTP Authenticator Apps
An app on your phone generates time-based codes that change every 30 seconds. Common apps: Google Authenticator, Authy, Microsoft Authenticator, 1Password, Bitwarden.
| Pros | Cons |
|---|---|
| Codes generated offline | Lose phone = lose access (without backup) |
| Codes never cross the network, so cannot be intercepted in transit | Slightly more setup than SMS |
| No cell service needed | Manual entry of codes |
| Free | |
How TOTP works:
- When you enable 2FA, the service gives you a secret key (usually shown as a QR code)
- Your authenticator app stores this key
- Every 30 seconds, the app combines the secret key with the current time to generate a 6-digit code
- The server does the same calculation — if the codes match, you are verified
The secret is shared once (during setup) and never transmitted again. Codes are calculated independently by both sides using the current time. This is why your phone's clock needs to be accurate.
Security verdict: Strong. The primary risk is losing your phone without backup codes. Always save your backup codes.
Hardware Security Keys
Physical devices (like YubiKey, Google Titan) that you plug into USB or tap via NFC. They use the FIDO2/WebAuthn standard.
| Pros | Cons |
|---|---|
| Strongest protection | Costs $25-50 per key |
| Phishing-proof | Can be lost/broken |
| Nothing to type | Not supported everywhere |
| Fast (tap and done) | Need a backup key |
How it works: The key performs a cryptographic challenge-response with the server. It also verifies the website's domain, so it will not authenticate on phishing sites — even if the fake site looks identical.
Security verdict: The gold standard. Google, which requires hardware keys for all employees, has had zero successful phishing attacks against employee accounts since deploying them.
Passkeys
The newest method. Passkeys replace both passwords and 2FA with a single cryptographic credential stored on your device (phone, laptop, hardware key).
| Pros | Cons |
|---|---|
| No passwords to remember | Still new, not universal |
| Phishing-proof | Ecosystem lock-in concerns |
| Biometric-protected | Cross-device can be confusing |
| Synced across devices | |
How it works: Your device stores a private key (protected by biometrics or PIN). When you log in, the server sends a challenge, your device signs it with the private key, and the server verifies with the public key. The private key never leaves your device.
Security verdict: Excellent. Will eventually replace passwords entirely, but adoption is still growing.
What to Protect First
Not all accounts need hardware keys. Prioritize based on damage if compromised:
Critical (Use TOTP or Hardware Key)
- Email — the master key. Whoever has your email can reset every other password
- Banking and financial accounts
- Cloud storage (Google Drive, Dropbox) — may contain sensitive documents
- Password manager — protects everything else
- Domain registrar — an attacker could steal your website
- Hosting/cloud provider (AWS, DigitalOcean)
Important (Use TOTP at minimum)
- Social media (identity theft, reputation)
- Work accounts (Slack, GitHub, company tools)
- Cryptocurrency exchanges
- Developer accounts (npm, Docker Hub, PyPI)
Nice to Have (SMS is acceptable)
- Shopping sites
- Entertainment subscriptions
- Forums and communities
Setting Up TOTP
Step 1: Install an Authenticator App
Recommended apps:
| App | Backup/Sync | Platform |
|---|---|---|
| Authy | Cloud backup | iOS, Android, Desktop |
| Google Authenticator | Google account sync | iOS, Android |
| Microsoft Authenticator | Microsoft account sync | iOS, Android |
| Bitwarden | Integrated with password manager | All platforms |
| 1Password | Integrated with password manager | All platforms |
Step 2: Enable 2FA on the Service
Go to the security settings of your account. Look for "Two-factor authentication," "2-step verification," or "MFA." Select "Authenticator app."
Step 3: Scan the QR Code
The service shows a QR code. Open your authenticator app and scan it. The app will start generating 6-digit codes.
Step 4: Save Backup Codes
The service will give you a set of backup codes (usually 8-10 one-time codes). Save these somewhere safe — a password manager, printed paper in a safe, or an encrypted file. These are your recovery method if you lose your phone.
Step 5: Verify
Enter the current code from your app to confirm everything is working.
Backup and Recovery
The biggest risk with 2FA is locking yourself out. Plan for this:
Save Backup Codes
Every service that offers 2FA gives you backup codes. Save them in your password manager or print them.
Use an App with Cloud Backup
Authy and Google Authenticator (newer versions) sync your TOTP secrets across devices. If you lose your phone, install the app on a new phone and restore from backup.
Register Multiple Hardware Keys
If you use a YubiKey, buy two. Register both with your accounts. Keep one as a backup in a secure location.
Recovery Email/Phone
Make sure your recovery email and phone number are up to date on critical accounts.
Common Mistakes
Using SMS for critical accounts: SIM swapping is real. Use TOTP or hardware keys for email, banking, and crypto.
Not saving backup codes: You will eventually lose or break your phone. Without backup codes, account recovery can take days or weeks — or be impossible.
Using the same phone for passwords and 2FA: If your phone is stolen unlocked, the attacker has both factors. Use a password manager with a separate master password.
Disabling 2FA because it is inconvenient: The 5 seconds it takes to enter a code is nothing compared to the days it takes to recover a hacked account.
Related Tools
- Password Generator — create strong, unique passwords to use alongside 2FA
- Hash Generator — understand the hashing algorithms behind TOTP
- How to Generate a Strong Password
- Server Hardening Guide