What is two-factor authentication (2FA), and which kind should I use?

Quick answer

Two-factor authentication adds a second step after your password — a code from an app, a tap on your phone, or a passkey — so that a stolen password alone is no longer enough to log in; in 2026 the best option for most people is a passkey, then an authenticator app, then SMS only as a last resort.

What it's NOT

Two-factor authentication is NOT just for tech experts or paranoid people, and it is NOT 'unbreakable'. SMS codes can be intercepted by SIM-swap attacks, and even authenticator apps can be defeated if you approve a push notification you did not request (this is called MFA fatigue). The strongest form — passkeys — defeats almost all phishing because the device itself refuses to log into a fake site.

More context

Two-factor authentication (2FA) — also called multi-factor authentication (MFA) or two-step verification — adds a second proof of identity on top of your password. The password is something you know; the second factor is something you have (your phone, a hardware key) or something you are (your fingerprint, your face). A stolen password alone is no longer enough.

There are three common kinds, in order from weakest to strongest:

  1. SMS code. The website texts you a six-digit number. Convenient and supported by almost every service, but vulnerable to SIM-swap attacks, where a criminal convinces your phone operator to port your number to a new SIM. Use it if nothing better is available, but assume a determined attacker can bypass it.
  2. Authenticator app (TOTP). Google Authenticator, Microsoft Authenticator, Authy, Proton Authenticator, or the built-in TOTP feature of your password manager — they all generate a six-digit code on your phone every 30 seconds, locally, without needing a signal. Much safer than SMS because it does not depend on your phone number.
  3. Passkey. The newest and strongest. Instead of typing a code, your phone or laptop logs in using a private cryptographic key it stores in a secure chip. Passkeys are phishing-resistant by design: even if you click a fake link and end up on a convincing fake login page, your phone refuses to log in because the site is not the real one. Major providers (Apple, Google, Microsoft, Amazon, PayPal, Adobe, eBay, LinkedIn, GitHub, X, banks, …) all support them.
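
How an authenticator app actually produces those six-digit codes, as an added example (this is not code from the page or from any of the apps named above): a stand-alone Python implementation of TOTP (RFC 6238: HMAC-SHA1 over a 30-second time counter) together with the server-side check that real services need, a small clock-drift window and a replay guard. `RFC_SECRET` is the test key published in RFC 6238; the spaced base32 string and the `last_counter` bookkeeping are my own constructed inputs.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Test key published in RFC 6238 (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"


def decode_base32_secret(text: str) -> bytes:
    """Turn the base32 string shown on a setup page / QR code into raw key
    bytes. Setup pages usually omit '=' padding and add spaces for reading."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the last `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: Optional[int] = None,
         step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).
    Nothing here touches the network or the phone number; both sides only
    need the shared secret and a roughly correct clock."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30,
                digits: int = 6, window: int = 1,
                last_counter: Optional[int] = None) -> Optional[int]:
    """Server-side check. Accepts the current step and `window` steps on
    either side (clock drift, typing delay). Returns the matched counter so
    the server can store it and refuse the same code a second time (pass it
    back as `last_counter`); returns None when nothing matches."""
    current = unix_time // step
    for drift in range(-window, window + 1):
        candidate = current + drift
        if last_counter is not None and candidate <= last_counter:
            continue  # already used (or older than the last use): replay refused
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed walk-through using the RFC test key.
    secret = decode_base32_secret("GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ")
    print("code at t=59:", totp(secret, 59))                          # 287082 per RFC 6238
    print("accepted at t=89:", verify_totp(secret, "287082", 89))     # 1 (previous step, within window)
    print("replayed at t=89:", verify_totp(secret, "287082", 89, last_counter=1))  # None
    print("code right now:", totp(secret))
```

The two details that toy implementations usually skip are the constant-time comparison (`hmac.compare_digest`) and remembering the last accepted counter, which is what stops a code phoned out to a scammer from being reused a minute later.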

The practical upgrade path for most people:

  • Turn on 2FA on your primary email account today — that one account controls every “forgot password” link.
  • Turn on 2FA on your password manager, your bank, and your phone carrier account (to slow down SIM-swap attacks).
  • Switch from SMS to an authenticator app where you have a choice.
  • Replace authenticator codes with passkeys wherever you see the option (“Sign in faster with a passkey”, or in the security settings).
  • MFA fatigue: if an authentication prompt shows up on your phone and you did not just try to log in, tap Deny and change the password — that prompt means someone is trying with your password right now.

2FA does not make every attack impossible. A scammer on the phone can still trick you into reading them a code, and an attacker can still phish a vulnerable user into approving a malicious push. But it raises the bar enormously: tens of millions of automated credential-stuffing attempts per day fail at the second factor instead of succeeding outright. For a household in 2026, turning on 2FA on five accounts buys more security than any other single change.

People also ask

What is the difference between SMS, an authenticator app, and a passkey?

SMS sends a six-digit code by text. It is better than nothing but it can be intercepted: a SIM-swap attack tricks your operator into moving your phone number to the attacker's SIM. An authenticator app (Google Authenticator, Microsoft Authenticator, Authy, 1Password's built-in TOTP) generates the code locally on your phone, so SIM swaps do not help. A passkey goes further: instead of typing a code, your phone or laptop proves itself to the website using cryptography, and refuses to do so on a fake site. Passkeys are the strongest of the three by a wide margin.
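
Why a passkey "refuses to do so on a fake site", shown as an added example rather than anything from the page or from any passkey vendor: a Python simulation of the WebAuthn login flow with the three parties separated, the authenticator (the secure chip), the browser, and the website (the relying party). The names `Authenticator`, `browser_get_assertion`, `rp_verify` and `run_scenarios` are my own; the domains `example.com` and the look-alike `examp1e.com` are constructed. Because the standard library has no public-key signatures, a random per-credential secret with HMAC stands in for the private key; the origin and relying-party-ID checks, which are the point, are the real ones.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import urlparse


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


class Authenticator:
    """Stand-in for the secure chip. Each credential is bound to the relying-party
    ID (rpId) it was created for and is only ever used for that rpId. HMAC with
    a random secret replaces the ECDSA private key here (assumption for the demo)."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}

    def make_credential(self, rp_id: str) -> Tuple[str, bytes]:
        key = secrets.token_bytes(32)
        self._keys[rp_id] = key
        # A real passkey returns a public key; with the HMAC stand-in the
        # verification key is the same bytes.
        return rp_id, key

    def sign(self, rp_id: str, client_data_hash: bytes) -> Optional[bytes]:
        key = self._keys.get(rp_id)
        if key is None:
            return None  # no credential for this site: nothing to sign
        rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
        return hmac.new(key, rp_id_hash + client_data_hash, hashlib.sha256).digest()


def browser_get_assertion(auth: Authenticator, origin: str, rp_id: str,
                          challenge: bytes) -> Optional[dict]:
    """What the browser does for navigator.credentials.get(): it refuses unless
    rpId is the page's host or a parent of it, then writes the real origin into
    clientDataJSON before anything is signed, so the origin cannot be faked."""
    host = urlparse(origin).hostname or ""
    if not (host == rp_id or host.endswith("." + rp_id)):
        return None  # e.g. examp1e.com asking for example.com's credential
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": origin}).encode()
    sig = auth.sign(rp_id, hashlib.sha256(client_data).digest())
    if sig is None:
        return None
    return {"clientDataJSON": client_data, "signature": sig}


def rp_verify(rp_id: str, expected_origin: str, issued_challenge: bytes,
              verify_key: bytes, assertion: Optional[dict]) -> bool:
    """Website side: check type, the challenge issued for this login attempt and
    the origin, then the signature over rpIdHash || sha256(clientDataJSON)."""
    if assertion is None:
        return False
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("origin") != expected_origin:
        return False
    if cd.get("challenge") != b64url(issued_challenge):
        return False  # stale or replayed assertion
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    cd_hash = hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(verify_key, rp_id_hash + cd_hash, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


def run_scenarios() -> Dict[str, bool]:
    """Constructed scenarios: the real site and a look-alike phishing site."""
    auth = Authenticator()
    rp_id, verify_key = auth.make_credential("example.com")
    real, fake = "https://example.com", "https://examp1e.com"
    results: Dict[str, bool] = {}

    ch = secrets.token_bytes(32)
    a = browser_get_assertion(auth, real, rp_id, ch)
    results["real_site"] = rp_verify(rp_id, real, ch, verify_key, a)

    # Look-alike site asks for its own rpId: the authenticator has no credential for it.
    ch = secrets.token_bytes(32)
    a = browser_get_assertion(auth, fake, "examp1e.com", ch)
    results["phish_own_rpid"] = rp_verify(rp_id, real, ch, verify_key, a)

    # Look-alike site asks for the victim's rpId: the browser refuses outright.
    a = browser_get_assertion(auth, fake, rp_id, ch)
    results["phish_victim_rpid"] = rp_verify(rp_id, real, ch, verify_key, a)

    # A genuine assertion captured earlier does not satisfy a fresh challenge.
    old = browser_get_assertion(auth, real, rp_id, secrets.token_bytes(32))
    results["replayed_assertion"] = rp_verify(rp_id, real, secrets.token_bytes(32), verify_key, old)
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'login accepted' if ok else 'login refused'}")
```

Note where the phishing defence lives: the user never compares domains. The browser binds the true origin into the signed data and only hands the request to a credential registered for that domain, so a look-alike site ends up with nothing it can relay to the real one.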

What is MFA fatigue?

MFA fatigue is when attackers, having stolen your password, send dozens of push-notification prompts to your phone hoping that you will eventually tap 'Approve' to make them stop — or that you will approve one thinking it is yours. Several major breaches in 2022-2024 (Uber, Cisco, banks in 2024) started this way. The defence is: if you see an MFA prompt you did not trigger, tap 'Deny' and change your password — that single prompt means someone already has the password.
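
From the defender's side, the same pattern is visible in a service's own push-notification logs. As an added example that is not from the page or from any MFA product, the Python below reads constructed log lines (a made-up `timestamp user event ip` format with documentation-range IP addresses) and raises an alert when one user receives a burst of prompts inside a short window, or approves a prompt right after denying several, which is exactly the "tap Approve to make it stop" moment the answer above describes.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log, not from any real product. bob is a normal login;
# alice is being hammered with prompts late at night and finally approves one.
SAMPLE_LOG = """\
2026-03-01T08:00:01Z bob push_sent 198.51.100.7
2026-03-01T08:00:09Z bob push_approved 198.51.100.7
2026-03-01T22:14:02Z alice push_sent 203.0.113.5
2026-03-01T22:14:20Z alice push_denied 203.0.113.5
2026-03-01T22:14:31Z alice push_sent 203.0.113.5
2026-03-01T22:14:55Z alice push_denied 203.0.113.5
2026-03-01T22:15:10Z alice push_sent 203.0.113.5
2026-03-01T22:15:40Z alice push_sent 203.0.113.5
2026-03-01T22:16:02Z alice push_sent 203.0.113.5
2026-03-01T22:16:30Z alice push_approved 203.0.113.5
"""


def parse_log(text: str) -> List[Dict]:
    """Split each line into a record with a real datetime for sorting and windows."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "event": event, "ip": ip})
    return events


def detect_mfa_fatigue(events: List[Dict], window: timedelta = timedelta(minutes=10),
                       burst: int = 3, denials: int = 2) -> List[Dict]:
    """Two rules over a sliding per-user window:
      push_burst             - at least `burst` prompts sent within `window`
      approved_after_denials - an approval while at least `denials` recent denials exist
    Thresholds are constructed defaults; tune them to the real prompt rate."""
    alerts: List[Dict] = []
    sent: Dict[str, deque] = defaultdict(deque)
    denied: Dict[str, deque] = defaultdict(deque)
    burst_alerted = set()  # one burst alert per user, not one per extra prompt
    for e in sorted(events, key=lambda r: r["ts"]):
        user = e["user"]
        for dq in (sent[user], denied[user]):
            while dq and e["ts"] - dq[0] > window:
                dq.popleft()  # drop timestamps that fell out of the window
        if e["event"] == "push_sent":
            sent[user].append(e["ts"])
            if len(sent[user]) >= burst and user not in burst_alerted:
                burst_alerted.add(user)
                alerts.append({"user": user, "rule": "push_burst",
                               "count": len(sent[user]), "at": e["ts"], "ip": e["ip"]})
        elif e["event"] == "push_denied":
            denied[user].append(e["ts"])
        elif e["event"] == "push_approved" and len(denied[user]) >= denials:
            alerts.append({"user": user, "rule": "approved_after_denials",
                           "count": len(denied[user]), "at": e["ts"], "ip": e["ip"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(parse_log(SAMPLE_LOG)):
        print(f"{alert['at']:%H:%M:%S} {alert['user']}: {alert['rule']} "
              f"(count={alert['count']}, ip={alert['ip']})")
```

The second rule is the important one operationally: a burst of prompts tells you a password has leaked, but an approval following denials tells you the account is probably already in the attacker's hands and the session should be revoked along with the password reset.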

Do I need 2FA on every account?

No, but you should put 2FA on the accounts that other accounts depend on: your primary email (because anyone who controls your email can reset every other password), your password manager, your bank, your phone-carrier account (to make SIM-swap harder), and your social networks. Loyalty programs and forum accounts you barely use are lower priority.

What happens if I lose my phone with all my 2FA codes?

Set up backup codes when you enable 2FA, and store them with your password manager or on paper. Most authenticator apps now sync to your cloud account (Google, iCloud, Authy cloud backup), so a new phone restores them. Passkeys sync between your devices automatically through your platform account. The horror story of losing 2FA forever was mostly a Google Authenticator problem before cloud sync arrived.
