Passwords protect your accounts by verifying that you know something — a secret only you should have. The problem is that "knowing" a password isn't exclusive. Attackers can know it too, if it's been leaked in a breach, phished, or guessed. Once they have the password, they have the account.

Two-factor authentication (2FA) changes this by adding a second requirement. Even if an attacker has your password, they can't log in without something they don't have — typically your phone. It's a simple concept with a disproportionate impact on account security.

The Three Factors

Authentication methods are grouped into three categories based on what they verify:

  1. Something you know: a password, PIN, or the answer to a security question.
  2. Something you have: a phone, a hardware security key, or another physical device.
  3. Something you are: a fingerprint, face, or other biometric.

Two-factor authentication combines at least two of these. The most common combination is a password (something you know) plus a temporary code delivered to or generated by your phone (something you have).

SMS Codes: Better Than Nothing, Weaker Than the Alternatives

The simplest form of 2FA sends a six-digit code to your phone via text message. You enter it alongside your password, and you're in.

This works, and it stops the vast majority of automated credential stuffing attacks cold. An attacker who has your username and password still can't access your account without access to your phone or phone number.

The weakness is SIM swapping: an attacker convinces your carrier's customer support to transfer your phone number to a SIM card they control. Once they have your number, they receive your SMS codes. SIM swapping requires social engineering the carrier — it's not trivial, and it's typically targeted rather than automated. But it's a real attack that has been used to take over high-profile accounts.

For most people's actual risk exposure, SMS 2FA is still a meaningful improvement over no 2FA. The accounts most at risk from SIM swapping tend to belong to people who are publicly visible, high-value targets. If you're not in that category, enabling SMS 2FA is a clear net positive. If you want stronger protection, use an authenticator app.

Authenticator Apps: The Right Choice for Most People

Authenticator apps generate time-based one-time passwords (TOTP) — six-digit codes that change every 30 seconds. When you set up 2FA on a site, you scan a QR code that shares a secret between your app and the service. Your app uses that secret plus the current timestamp to generate codes that match what the server expects.

The key security improvement over SMS: the code is generated locally and never transmitted over a network until you type it in. There's nothing to intercept via SIM swapping, because your phone number isn't involved. An attacker who wants your TOTP code needs physical access to your phone (or a device that has your authenticator backup).

A few options worth knowing:

Authy and Bitwarden Authenticator offer encrypted cloud backup of your TOTP secrets. If your phone is lost or damaged, you can restore access. The tradeoff is that your 2FA is tied to another account.

Google Authenticator now also supports backup through your Google account. Simple and widely supported.

Aegis (Android only) is open-source, supports encrypted local backup, and has no cloud component. The right choice if you want maximum control and are comfortable managing backups manually.

Any of these is significantly better than SMS 2FA. The difference between them matters less than the difference between having any authenticator app and not having one.

Hardware Security Keys: The Gold Standard

Physical security keys — devices like YubiKey or Google Titan — are the strongest widely available second factor. They communicate via USB, NFC, or Bluetooth and cryptographically verify both your identity and the legitimacy of the site you're logging into.

That last part is important: hardware keys use a protocol (FIDO2/WebAuthn) that verifies the domain before responding. If you're on a phishing site designed to look like your bank, the key won't authenticate — it checks that the domain matches what was registered and refuses if it doesn't. Authenticator apps and SMS codes don't have this property; they'll generate valid codes on a fake login page just as readily as on the real one.
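The domain check described above, as an added example that is not part of the original article. It models the three parties in a WebAuthn login: a browser that derives the relying-party ID (rpId) from the page's real origin, an authenticator that only answers for an rpId it has a credential for, and a server that verifies the rpIdHash, origin and challenge before trusting the signature. To keep it standard-library-only, a per-site HMAC-SHA256 key stands in for the per-site ECDSA key pair a real hardware key would use; the authenticatorData layout (SHA-256(rpId), flags, counter) and the signed message (authenticatorData || SHA-256(clientDataJSON)) follow the real protocol.

```python
import hashlib
import hmac
import json
import os
from urllib.parse import urlparse


class ToyAuthenticator:
    """Constructed stand-in for a hardware key. A real FIDO2 authenticator keeps a per-site private
    key and signs with ECDSA; here a per-site HMAC key stands in for the signature. The point being
    demonstrated is the binding: credentials are stored under the relying-party ID (rpId)."""

    def __init__(self):
        self._creds = {}  # rpId -> per-site key

    def register(self, rp_id: str) -> bytes:
        key = os.urandom(32)
        self._creds[rp_id] = key
        return key  # in real WebAuthn the server would receive the public key instead

    def get_assertion(self, rp_id: str, client_data: bytes):
        key = self._creds.get(rp_id)
        if key is None:
            return None  # nothing registered for this rpId (e.g. a look-alike domain): refuse
        # authenticatorData layout: SHA-256(rpId) || flags (UP|UV) || 32-bit signature counter
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05" + (1).to_bytes(4, "big")
        sig = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
        return auth_data, sig


def browser_login(authenticator, origin: str, challenge: bytes):
    """The browser derives the rpId from the page's actual origin; the authenticator never sees
    what the page claims to be, only where the browser really is."""
    rp_id = urlparse(origin).hostname
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": origin}).encode()
    result = authenticator.get_assertion(rp_id, client_data)
    return None if result is None else (client_data, *result)


def server_verify(key: bytes, rp_id: str, origin: str, challenge: bytes, response) -> bool:
    """Relying-party checks: expected type, fresh challenge, expected origin, rpIdHash, and finally
    the signature over authenticatorData || SHA-256(clientDataJSON)."""
    client_data, auth_data, sig = response
    cd = json.loads(client_data)
    if cd["type"] != "webauthn.get" or cd["challenge"] != challenge.hex() or cd["origin"] != origin:
        return False
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False
    expected = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)
```

Registering for one hostname and then attempting a login from a look-alike hostname returns no assertion at all, which is the property that authenticator apps and SMS codes lack.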

Hardware keys cost around $25–$55 and require you to have the physical device available when logging in. For most people, this is unnecessary overhead for the level of protection they need. For people who handle sensitive information professionally, or who are at elevated risk of targeted attacks, they're worth the investment.

Save Your Recovery Codes

Every service that offers 2FA also provides recovery codes — single-use backup codes you can use if you lose access to your second factor. These need to be saved somewhere secure and accessible.

If you lose your phone, forget to back up your authenticator, and don't have recovery codes saved, you may be permanently locked out of your account. Services can sometimes recover access with identity verification, but it's a slow process and not guaranteed.

Save recovery codes in your password manager, or print them and keep them somewhere physically secure. Don't keep them in the same place as your password — the point is that they're a separate layer.

Where to Start

Enable 2FA in this priority order:

  1. Your primary email account. It's the recovery mechanism for everything else. If this falls, everything else is reachable through it.
  2. Your banking and financial accounts. Most banks support 2FA now; some require it.
  3. Your password manager. The vault that contains everything else deserves strong protection.
  4. Any account with saved payment information. Shopping accounts, subscription services, anything with a credit card attached.

After those, work through anything else that matters: social media accounts (which can be used for social engineering even if they don't contain financial data), work accounts, and cloud storage.

The bottom line: A strong password protects one layer of access. 2FA ensures that even a compromised password isn't enough. Most automated attacks can't handle a second factor at all — they move on immediately. Enabling 2FA on your most important accounts is the single highest-impact change you can make after switching to unique passwords.