A strong password is no longer enough. In 2025, 86% of web application breaches involved stolen credentials, according to Verizon's annual Data Breach Investigations Report. Two-factor authentication (2FA), the most common form of multi-factor authentication (MFA), adds a second check that a stolen password alone cannot pass. Microsoft's identity team has reported that accounts with MFA enabled are more than 99.9% less likely to be compromised, and Google's own research found that a second factor tied to your phone blocked 100% of automated bot attacks. But not all 2FA methods are equal, and understanding the differences matters.
2FA requires two of three possible "factors" to log in: something you know (a password or PIN), something you have (a phone, authenticator app, or hardware key), and something you are (a fingerprint or face scan).
Without 2FA, an attacker only needs your password (something you know) to take over your account. With 2FA, they also need the second factor: your phone, your security key, or, for SMS codes, control of your phone number. That is a much higher bar, and it stops virtually all automated credential-stuffing attacks, which simply replay leaked passwords at scale.
The most common form of 2FA, a 6-digit code sent via SMS, is also the least secure. SIM swap attacks, where an attacker convinces your mobile carrier to transfer your phone number to their SIM card, let criminals receive your 2FA codes, and a code you type into a phishing page can be relayed just as easily. The FBI reported a 25% increase in SIM swap attacks in 2025, with losses exceeding $200 million. SMS 2FA is still far better than no 2FA, but you should upgrade to an authenticator app or hardware key whenever possible.
Apps like Google Authenticator, Microsoft Authenticator, Authy, and 2FAS generate time-based one-time passwords (TOTP) directly on your device. The algorithm works like this: your phone and the server share a secret key, delivered in the QR code you scan during setup. Both sides feed that secret plus the number of the current 30-second time window into an HMAC (a keyed cryptographic hash) and truncate the result to six digits. If the digits you type match what the server computed, you're authenticated. The app needs no network connection at all to generate the code.
TOTP is immune to SIM swapping because the codes are generated offline on your device. However, it's still vulnerable to real-time phishing: if an attacker tricks you into typing your current code into a fake login page, their proxy can relay it to the real site before it expires, log in as you, and keep the resulting session cookie (an adversary-in-the-middle attack, automated by toolkits such as Evilginx). Despite this limitation, TOTP is a large upgrade over SMS.
Physical keys like YubiKey, Google Titan, and Nitrokey are the gold standard of 2FA. Instead of producing a code you have to type, the key performs a cryptographic challenge-response with the website. The server sends a random challenge, the browser passes it to the key together with the origin of the page you are actually on, you tap the key, and the key signs both with a private key that never leaves the device, proving you're physically holding it.
Hardware keys are phishing-resistant by design. The FIDO2/WebAuthn protocol binds each credential to the website's domain (the relying party ID) and includes the origin the browser actually loaded in the signed data. A credential registered for "paypal.com" is never offered to a page on "paypa1-login.com", and even a signature relayed from such a page would carry the wrong origin and be rejected by paypal.com. Even if an attacker tricks you into visiting a fake site, your hardware key won't help them. As of 2026, FIDO2 hardware keys support passkeys and passwordless login on supported platforms.
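To make the origin binding concrete, here is an added Go simulation of both sides of a WebAuthn login assertion. It is not code from this page or from any key vendor, and a real server should use a maintained WebAuthn library (attestation, the CBOR-encoded credential record and the signature counter are left out here). The domains, the `Scenario` function and the data layout are this example's own assumptions; the signed message, `authenticatorData || SHA-256(clientDataJSON)`, and the origin and rpIdHash checks follow the WebAuthn specification.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Assertion is what navigator.credentials.get() hands back to the page.
type Assertion struct {
	AuthenticatorData []byte // rpIdHash(32) || flags(1) || signCount(4)
	ClientDataJSON    []byte // {"type","challenge","origin"}; the browser, not the page, sets "origin"
	Signature         []byte // ECDSA P-256 over SHA-256(authData || SHA-256(clientDataJSON))
}

// Authenticator simulates a security key holding one credential scoped to rpID.
type Authenticator struct {
	rpID string
	priv *ecdsa.PrivateKey
}

func NewAuthenticator(rpID string) *Authenticator {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Authenticator{rpID: rpID, priv: priv}
}

// signedBytes is the digest both sides compute: SHA-256(authData || SHA-256(clientDataJSON)).
func signedBytes(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return digest[:]
}

// Sign models the browser at `origin` relaying the server's challenge to the key.
func (a *Authenticator) Sign(origin string, challenge []byte) (Assertion, error) {
	cd, err := json.Marshal(map[string]string{"type": "webauthn.get",
		"challenge": base64.RawURLEncoding.EncodeToString(challenge), "origin": origin})
	if err != nil {
		return Assertion{}, err
	}
	rpHash := sha256.Sum256([]byte(a.rpID))
	authData := make([]byte, 37) // signCount stays zero in this simulation
	copy(authData, rpHash[:])
	authData[32] = 0x01 // flags: UP (user presence, the physical tap)
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedBytes(authData, cd))
	return Assertion{AuthenticatorData: authData, ClientDataJSON: cd, Signature: sig}, err
}

// RelyingParty is what the server stores for one registered credential.
type RelyingParty struct {
	rpID, origin string
	pub          *ecdsa.PublicKey
}

// Verify runs the server-side assertion checks that make the key phishing-resistant.
func (rp *RelyingParty) Verify(a Assertion, expectedChallenge []byte) error {
	var cd map[string]string
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd["type"] != "webauthn.get" {
		return errors.New("wrong ceremony type")
	}
	if cd["origin"] != rp.origin { // the check an adversary-in-the-middle proxy cannot pass
		return fmt.Errorf("origin %q is not %q", cd["origin"], rp.origin)
	}
	ch, err := base64.RawURLEncoding.DecodeString(cd["challenge"])
	if err != nil || !bytes.Equal(ch, expectedChallenge) {
		return errors.New("challenge mismatch (stale or replayed)")
	}
	if len(a.AuthenticatorData) < 37 {
		return errors.New("authenticator data too short")
	}
	if rpHash := sha256.Sum256([]byte(rp.rpID)); !bytes.Equal(a.AuthenticatorData[:32], rpHash[:]) {
		return errors.New("rpIdHash mismatch")
	}
	if a.AuthenticatorData[32]&0x01 == 0 {
		return errors.New("user presence not asserted")
	}
	if !ecdsa.VerifyASN1(rp.pub, signedBytes(a.AuthenticatorData, a.ClientDataJSON), a.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

// Scenario returns the verification result for a genuine login and for the same user
// lured onto a look-alike domain by an adversary-in-the-middle proxy (domains are made up).
func Scenario() (genuine, phished error) {
	auth := NewAuthenticator("paypal.com")
	rp := &RelyingParty{rpID: "paypal.com", origin: "https://www.paypal.com", pub: &auth.priv.PublicKey}
	c1, c2 := make([]byte, 32), make([]byte, 32)
	rand.Read(c1); rand.Read(c2) // one fresh, single-use challenge per login attempt
	a1, _ := auth.Sign("https://www.paypal.com", c1)
	genuine = rp.Verify(a1, c1)
	// The proxy fetched c2 from the real site and served its login page on the look-alike domain.
	// A real browser would not even offer the paypal.com credential there; if it did, the origin
	// the browser recorded gives the proxy away.
	a2, _ := auth.Sign("https://paypa1-login.com", c2)
	phished = rp.Verify(a2, c2)
	return genuine, phished
}

func main() { g, p := Scenario(); fmt.Println("genuine:", g, "| phished:", p) }
```

Note the order of the checks: the origin is compared before any cryptography runs, so a relayed assertion is rejected even though its signature is perfectly valid for the attacker's page.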
Passkeys are the newest and most user-friendly form of 2FA, and they can also replace passwords entirely. Built on the same FIDO2/WebAuthn standard as hardware keys, passkeys store the private key on your device, protected by your phone's biometric or PIN; synced passkeys replicate it across your devices via iCloud Keychain, Google Password Manager, or third-party password managers, while device-bound passkeys stay on one device. When you log in, your device unlocks the key locally with your face or fingerprint, then cryptographically signs the login request. The biometric itself is never sent to the website.
Passkeys eliminate password theft and credential phishing. However, they require platform support: as of August 2026, passkeys work seamlessly across Apple, Google, and Microsoft ecosystems but still have gaps on Linux, some Android forks, and legacy browsers. We'll cover passkeys in more depth in a separate article.
Time-based One-Time Passwords (TOTP) are defined by RFC 6238, which builds on the HMAC-based one-time password of RFC 4226. Both your authenticator app and the server share a secret key (RFC 4226 requires at least 128 bits and recommends 160, though some services issue shorter ones), shown to the app as a base32 string inside the setup QR code. The algorithm then computes:
code = truncate(HMAC-SHA1(secret, floor(unix_time / 30))) mod 10^digits
The counter floor(unix_time / 30) is encoded as an 8-byte big-endian integer, and "truncate" is RFC 4226's dynamic truncation: the low four bits of the last HMAC byte select an offset, and the 31 bits starting there are read as an integer. The result is reduced to 6 or 8 decimal digits. Because the time window is 30 seconds, the code changes every half-minute. If your phone's clock has drifted into a neighbouring window, codes won't match; most authenticator apps can correct small drifts (Google Authenticator has a time-sync option), but large clock skew will break TOTP entirely. This is why servers usually allow a grace window (accepting the code for the previous and next 30-second windows as well) and, per RFC 6238, must never accept the same code twice.
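The computation above in working Go, covering both the app side described earlier and the server side, as an added example (not code from this page or from any of the authenticator apps named). It uses the RFC 6238 test secret `12345678901234567890`, base32-encoded as an app would receive it in the setup QR code, and adds the two server-side pieces the text calls for: a one-window grace period and rejection of an already-used counter. The function names and the window size are this example's own choices.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"math"
	"strings"
	"time"
)

// RFC 6238 test secret "12345678901234567890", base32-encoded as an authenticator
// app receives it in the otpauth:// URI behind the setup QR code.
const rfcSecret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

// decodeSecret accepts the forms users paste: lower case, spaces, with or without '='.
func decodeSecret(b32 string) ([]byte, error) {
	s := strings.ToUpper(strings.ReplaceAll(b32, " ", ""))
	return base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(strings.TrimRight(s, "="))
}

// hotp is RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
// truncation to a 31-bit integer, then reduction to the requested digits.
func hotp(key []byte, counter uint64, digits int) string {
	msg := make([]byte, 8)
	binary.BigEndian.PutUint64(msg, counter)
	mac := hmac.New(sha1.New, key)
	mac.Write(msg)
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%0*d", digits, code%uint32(math.Pow10(digits)))
}

// TOTP is RFC 6238: HOTP with the counter floor(unixTime / step).
func TOTP(secretB32 string, unixTime, step int64, digits int) (string, error) {
	key, err := decodeSecret(secretB32)
	if err != nil {
		return "", err
	}
	return hotp(key, uint64(unixTime/step), digits), nil
}

// VerifyTOTP is the server side. It accepts the current window and `window`
// windows on either side (clock-skew grace), refuses any counter at or below
// lastCounter (a code is never accepted twice), and compares in constant time
// without returning early so timing does not reveal which window matched.
// It returns the matched counter, to be stored as the new lastCounter, or -1.
func VerifyTOTP(secretB32, submitted string, unixTime, lastCounter, window, step int64, digits int) int64 {
	key, err := decodeSecret(secretB32)
	if err != nil || len(submitted) != digits {
		return -1
	}
	matched := int64(-1)
	for drift := -window; drift <= window; drift++ {
		c := unixTime/step + drift
		if c < 0 || c <= lastCounter {
			continue
		}
		if subtle.ConstantTimeCompare([]byte(hotp(key, uint64(c), digits)), []byte(submitted)) == 1 {
			matched = c
		}
	}
	return matched
}

func main() {
	code, _ := TOTP(rfcSecret, time.Now().Unix(), 30, 6)
	fmt.Println("code for the RFC test secret right now:", code)
}
```

With the RFC's own vectors, `TOTP(rfcSecret, 59, 30, 8)` yields `94287082`; the 6-digit form of the same window is `287082`, since only the final modulus differs. A server that stores the returned counter per user and passes it back as `lastCounter` gets replay protection for free, which matters because a phished code is only useful to the attacker if it has not been consumed yet.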
Every time you enable 2FA, you should receive a set of one-time backup codes, typically 8 to 10 codes, each usable exactly once. Store these somewhere safe: a printed copy in your wallet or a physical safe, or an encrypted note in your password manager. If you lose your phone, break it, or wipe it without transferring your authenticator app, these backup codes are usually the fastest way to regain access to your accounts.
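From the server's side, backup codes are simply a second credential that must be generated randomly, stored hashed, and burnt on first use. The following Go is an added example (not from this page or from any particular service) showing one way to do that; the format (two groups of five symbols), the alphabet and the function names are this example's own assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"strings"
)

// A 32-symbol alphabet: one masked byte maps to one symbol with no modulo bias.
const codeAlphabet = "abcdefghijklmnopqrstuvwxyz234567"

// BackupCodes is the server-side record: hashes only, each consumable once.
type BackupCodes struct {
	hashes [][32]byte
	used   []bool
}

// normalize lets the user type a code with or without the dash, in any case.
func normalize(code string) string {
	return strings.ToLower(strings.NewReplacer("-", "", " ", "").Replace(code))
}

// hashCode: ten random symbols carry 50 bits of entropy, so a fast hash is adequate;
// a password hash (bcrypt/argon2) would be the choice for short or user-chosen codes.
func hashCode(code string) [32]byte {
	return sha256.Sum256([]byte("backup-code-v1:" + normalize(code)))
}

// Generate makes n codes of `length` symbols to show the user exactly once,
// plus the hashed store to persist alongside the account.
func Generate(n, length int) ([]string, *BackupCodes, error) {
	codes := make([]string, n)
	store := &BackupCodes{hashes: make([][32]byte, n), used: make([]bool, n)}
	for i := range codes {
		buf := make([]byte, length)
		if _, err := rand.Read(buf); err != nil {
			return nil, nil, err
		}
		var sb strings.Builder
		for j, b := range buf {
			if j == length/2 {
				sb.WriteByte('-')
			}
			sb.WriteByte(codeAlphabet[b&0x1f])
		}
		codes[i] = sb.String()
		store.hashes[i] = hashCode(codes[i])
	}
	return codes, store, nil
}

// Redeem accepts a code once. Every entry is compared (no early exit) so timing
// does not reveal which slot matched or how many codes remain.
func (bc *BackupCodes) Redeem(code string) bool {
	h := hashCode(code)
	match := -1
	for i := range bc.hashes {
		if subtle.ConstantTimeCompare(h[:], bc.hashes[i][:]) == 1 && !bc.used[i] {
			match = i
		}
	}
	if match < 0 {
		return false
	}
	bc.used[match] = true
	return true
}

// Remaining reports how many unused codes are left, so the user can be told to regenerate.
func (bc *BackupCodes) Remaining() int {
	n := 0
	for _, u := range bc.used {
		if !u {
			n++
		}
	}
	return n
}

func main() {
	codes, store, err := Generate(10, 10)
	if err != nil {
		panic(err)
	}
	fmt.Println("show these once:", strings.Join(codes, " "))
	fmt.Println("first redeem:", store.Redeem(codes[0]), "second redeem:", store.Redeem(codes[0]),
		"remaining:", store.Remaining())
}
```

Redeeming a backup code should also be rate-limited like a password attempt; with 50 bits per code and a handful of codes per account, brute force is hopeless only if the server does not let it run unthrottled.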
Many services also provide account recovery options via email or pre-configured trusted devices. Review your recovery options every six months: a locked-out account is a risk you don't want to discover during an emergency.
Losing your phone with an authenticator app and no backup codes is a nightmare, but not a death sentence. Here are your options, in order of effectiveness:
While 2FA benefits every account, these categories are non-negotiable:
Pair 2FA with strong, unique passwords for maximum protection.