Advertisements

← All guides

What is two-factor authentication, and which kind should you use?

A password is something you know — and anything you know can leak. Two-factor authentication (2FA) adds something you have: your phone, a key, a device. The result is simple but powerful — a stolen password alone stops being enough to steal the account. It's the single best security upgrade most people haven't finished making.

What 2FA actually protects you from

Most account takeovers aren't clever hacks; they're replays. Passwords leak from breached sites by the millions, and attackers automatically try each leaked email-and-password pair everywhere else — credential stuffing, the same threat that makes never reusing a password the golden rule. 2FA is the safety net for the day a password leaks anyway: the attacker types the correct password and still hits a wall, because they don't have your second factor. It blocks the overwhelming majority of automated takeover attempts outright.

The kinds of 2FA, weakest to strongest

The practical rule: any 2FA beats none; app beats SMS; keys and passkeys beat everything.

Try it in your browser

2FA is the second half of account security — the first is a long, random, unique password per site. Our Secure Password Generator creates them instantly in your browser, and nothing you generate ever leaves your device.

Open the Secure Password Generator →

Advertisements

Turn it on in the right order

When you enable 2FA, the service hands you backup codes — one-time codes that get you in if your phone is lost or dead. Don't skip past that screen: store them in your password manager (or printed somewhere genuinely safe). Losing the second factor with no backup codes can lock you out as effectively as it locks out attackers.

Frequently asked questions

Is SMS 2FA worth using?

Yes — it defeats the automated attacks behind most takeovers. Its weaknesses (SIM swaps, phishable codes) just mean important accounts deserve an upgrade to an app, key or passkey.

What if I lose my phone?

Use the backup codes the service gave you when you enabled 2FA — that's exactly what they're for. Store them in your password manager, and register a second method on critical accounts.

What's a passkey?

A cryptographic credential stored on your device, unlocked by fingerprint, face or PIN. It only works on the genuine site, so phishing pages get nothing to steal.


Related guides: how to create a strong password. Or browse all the guides.