Two-Factor Authentication


Core Idea

Two-factor authentication (2FA) requires a second proof of identity beyond your password — typically something you have (a phone or hardware key) or something you are (a fingerprint). This means that even if your password is stolen, an attacker still cannot access your account without that second factor. Common methods include SMS codes, authenticator apps (which generate time-based codes), and hardware security keys, each offering different levels of convenience and protection.

How It's Best Learned

Enable 2FA on one important account (email or banking) using an authenticator app. Walk through the setup process, save the recovery codes in a secure location, and practice logging in with the second factor. Then try disabling and re-enabling it to understand the full lifecycle.

Common Misconceptions

Explainer

You already know from your work on password security that passwords are a single point of failure: if someone learns your password — through a data breach, guessing, or phishing — they own your account. Two-factor authentication (2FA) addresses this by requiring a second, independent proof of identity. The logic is that an attacker who steals your password in a breach likely does not also have physical access to your phone. The two factors together are far harder to compromise than either alone.

The three categories of factors are something you know (password), something you have (your phone or a hardware key), and something you are (biometrics like a fingerprint). 2FA combines any two of these. In practice, the most common combination is password + phone. When you log in, you enter your password as usual, and the service then sends a code to your phone or you retrieve one from an authenticator app. That code is valid for only 30 seconds, generated by a time-based algorithm (TOTP) that your app and the server compute independently. No network request is needed — both sides calculate the same number from the same shared secret and the current time.

The three common delivery methods have different security properties. SMS codes are convenient but vulnerable: an attacker can sometimes hijack your phone number through a carrier-level "SIM swap," redirecting your texts to their device. Authenticator apps (like Google Authenticator or Authy) generate codes locally on your phone without going through a network, making them resistant to SIM swapping. Hardware security keys are physical devices — small USB or NFC tokens — that cryptographically prove you have the key in hand. They are the only method resistant to phishing, because the key communicates directly with the legitimate website's cryptographic identity and will not authenticate a fake site that merely looks identical.

The one setup step people skip is saving recovery codes. When you enable 2FA, the service generates a set of one-time backup codes you can use if you lose your phone. These codes are as powerful as the 2FA itself — store them somewhere secure but separate from your phone (a password manager or a printed copy in a safe place). Losing your 2FA device without recovery codes often means permanent account lockout, because services correctly treat this as a security boundary. Setup takes five minutes; the investment protects you against the most common and damaging form of account takeover.
