What is two-factor authentication, and which kind should you use?
A password is something you know — and anything you know can leak. Two-factor authentication (2FA) adds something you have: your phone, a key, a device. The result is simple but powerful — a stolen password alone stops being enough to steal the account. It's the single best security upgrade most people haven't finished making.
What 2FA actually protects you from
Most account takeovers aren't clever hacks; they're replays. Passwords leak from breached sites by the millions, and attackers automatically try each leaked email-and-password pair everywhere else — credential stuffing, the same threat that makes never reusing a password the golden rule. 2FA is the safety net for the day a password leaks anyway: the attacker types the correct password and still hits a wall, because they don't have your second factor. It blocks the overwhelming majority of automated takeover attempts outright.
The kinds of 2FA, weakest to strongest
- Text-message (SMS) codes. A code arrives by text; you type it in. Far better than nothing — but the weakest form, because phone numbers can be hijacked (SIM-swap attacks talk your carrier into moving your number to the attacker's SIM) and codes can be phished by fake login pages.
- Email codes. Similar strength to SMS, with one extra caveat: if the account being protected is your email, a code sent to that same inbox protects nothing.
- Authenticator apps (TOTP). An app on your phone shows six-digit codes that change every 30 seconds, generated on the device itself — no SIM to hijack, works offline. A fake site can still phish a current code out of you, but the window is 30 seconds.
- Push prompts. A notification asks "Is this you signing in?" Convenient and strong — just never approve a prompt you didn't trigger. Attackers deliberately spam prompts hoping you'll tap yes to make them stop (prompt fatigue).
- Hardware keys and passkeys. The gold standard. A physical security key, or a passkey stored on your phone or computer and unlocked with fingerprint, face or PIN, performs a cryptographic handshake that only works on the genuine website. There is no code to phish — a perfect fake login page gets nothing. This is the phishing-resistant tier, and passkeys now come built into the big phone and browser ecosystems for free.
The practical rule: any 2FA beats none; app beats SMS; keys and passkeys beat everything.
Try it in your browser
2FA is the second half of account security — the first is a long, random, unique password per site. Our Secure Password Generator creates them instantly in your browser, and nothing you generate ever leaves your device.
Turn it on in the right order
- 1. Email first. Password resets for everything else arrive there — whoever controls your inbox can take the rest of your accounts. Protect it with the strongest method the provider offers.
- 2. Money next. Banks, cards, payment apps, anything that moves funds.
- 3. Your password manager. It guards all the other keys, so it deserves a second lock of its own.
- 4. Everything else that offers it — social accounts, cloud storage, shopping accounts with saved cards.
When you enable 2FA, the service hands you backup codes — one-time codes that get you in if your phone is lost or dead. Don't skip past that screen: store them in your password manager (or printed somewhere genuinely safe). Losing the second factor with no backup codes can lock you out as effectively as it locks out attackers.
Frequently asked questions
Is SMS 2FA worth using?
Yes — it defeats the automated attacks behind most takeovers. Its weaknesses (SIM swaps, phishable codes) just mean important accounts deserve an upgrade to an app, key or passkey.
What if I lose my phone?
Use the backup codes the service gave you when you enabled 2FA — that's exactly what they're for. Store them in your password manager, and register a second method on critical accounts.
What's a passkey?
A cryptographic credential stored on your device, unlocked by fingerprint, face or PIN. It only works on the genuine site, so phishing pages get nothing to steal.
Related guides: how to create a strong password. Or browse all the guides.