What Is Two-Factor Authentication (2FA)?


Two-factor authentication, usually shortened to 2FA, is one of the most effective security steps you can take, and it takes about a minute to set up. The idea is simple: logging in requires two different kinds of proof, so a stolen password alone is not enough to break into your account. Here is how it works and how to use it well.

The three factors

Authentication factors fall into three categories:

  • Something you know: a password or PIN.
  • Something you have: your phone, a hardware key, or an app that generates codes.
  • Something you are: your fingerprint or face.

A password is a single factor — "something you know." Two-factor authentication adds a second factor from a *different* category, typically "something you have." Even if an attacker steals your password, they still lack the second factor.

How 2FA works in practice

After you enter your password, the site asks for a second proof. Common forms:

  1. A code from an authenticator app that changes every 30 seconds.
  2. A code sent by SMS to your phone.
  3. A push notification you approve on your phone.
  4. A hardware security key you tap or plug in.
  5. A biometric prompt like Face ID.

You provide the second proof, and only then are you let in.

Why it matters so much

The most common account takeovers start with a leaked or reused password. With 2FA enabled, that leaked password is not enough — the attacker would also need your phone or key. This single step blocks the overwhelming majority of automated attacks, including credential stuffing. See what is credential stuffing.

Which type should you use?

Not all 2FA is equal:

  • Best: a hardware security key or a passkey, which resist phishing. See passkeys explained.
  • Good: an authenticator app generating time-based codes.
  • Better than nothing: SMS codes, which are vulnerable to SIM-swapping but still far better than no 2FA.

We compare the two most common options in authenticator app vs SMS 2FA.

Do not forget recovery codes

When you enable 2FA, most sites give you backup recovery codes. Save these somewhere safe, because if you lose your phone, they may be your only way back in. See what is a recovery code.

2FA and password managers work together

2FA is not a replacement for strong, unique passwords — it is a second layer on top. The ideal setup is a password manager generating a unique strong password for every account, plus 2FA on the accounts that matter most. We unpack this in 2FA vs password manager. On a Mac, Passlock keeps your passwords offline in the Keychain, and you should pair it with 2FA on your important logins for defense in depth.

Turn on 2FA today for your email, banking, and primary accounts. It is one of the highest-impact, lowest-effort things you can do for your security.

Frequently asked questions

Is two-factor authentication really necessary?

For important accounts, yes. It blocks the vast majority of automated attacks, because a stolen password alone cannot get in without the second factor.

What is the most secure form of 2FA?

Hardware security keys and passkeys are the strongest because they resist phishing. Authenticator apps are a strong, convenient second choice; SMS is the weakest but still better than nothing.
