What Is Two-Factor Authentication (2FA)? Complete Guide | PassGen
Two-factor authentication (2FA) adds a second verification step beyond your password. Even if your password is stolen, the attacker can't access your account without the second factor. It's the single most effective defense against credential stuffing and phishing — yet only 28% of users enable it. Here's everything you need to know.
How 2FA Works
Authentication factors fall into three categories:
- Something you know — your password
- Something you have — your phone, hardware key, or authenticator app
- Something you are — biometrics (fingerprint, face)
2FA requires any two of these. The most common combination: password (know) + TOTP code from an authenticator app (have).
Types of 2FA — Ranked by Security
1. Hardware Security Keys (Best)
Examples: YubiKey 5, Google Titan, SoloKeys
Hardware keys use the FIDO2/WebAuthn protocol. You physically plug in (USB) or tap (NFC) the key to authenticate. This is phishing-resistant: the browser tells the key which site is asking, and the signed response is bound to that site's domain, so a response produced on a fake login page is not valid for the real site and your credentials can't be intercepted.
Pros: Phishing-proof, no codes to type, works offline, most secure option available.
Cons: Costs $25-50, need to carry it, limited service support (growing rapidly).
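As an added illustration of that domain binding (example code written for this guide, not part of the original page or of any vendor's library): the checks a site performs on a WebAuthn assertion before trusting it, with the origin, RP ID and challenge values constructed here. The signature check over the authenticator data and the hash of clientDataJSON, which follows these checks in the real procedure, is not included.

```python
import base64
import hashlib
import json
import struct

FLAG_USER_PRESENT = 0x01        # bit 0 of the authenticator-data flags byte


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def check_assertion(client_data_json: bytes, auth_data: bytes,
                    expected_challenge: bytes, rp_id: str,
                    allowed_origins: set) -> str:
    """Relying-party checks from the WebAuthn assertion procedure that bind the
    response to the site; returns 'ok' or the first failure. The signature
    check over auth_data || SHA-256(client_data_json) would follow these."""
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        return "wrong ceremony type"
    if client.get("challenge") != b64url(expected_challenge):
        return "challenge mismatch (stale or replayed)"
    if client.get("origin") not in allowed_origins:
        return "origin %r is not this site" % client.get("origin")
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return "rpIdHash was computed for a different domain"
    if not auth_data[32] & FLAG_USER_PRESENT:
        return "user presence not asserted"
    return "ok"


def make_response(origin: str, rp_id: str, challenge: bytes, counter: int = 1):
    """Construct what a browser plus key would produce on `origin`. A browser
    only lets a page use an RP ID it is entitled to, so on a look-alike site
    the key hashes that site's own domain, not the legitimate one."""
    client = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    auth = hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + struct.pack(">I", counter)
    return json.dumps(client).encode(), auth


# Constructed scenario: the real site, a look-alike domain relaying the login,
# and a genuine response replayed against a different (stale) challenge.
RP_ID, ORIGINS = "example.com", {"https://example.com"}
CHALLENGE = bytes(range(32))          # a fresh random value from the server in practice


def demo() -> dict:
    cases = {"genuine": make_response("https://example.com", "example.com", CHALLENGE),
             "phished": make_response("https://example-login.net", "example-login.net", CHALLENGE),
             "replayed": make_response("https://example.com", "example.com", b"\x00" * 32)}
    return {name: check_assertion(c, a, CHALLENGE, RP_ID, ORIGINS) for name, (c, a) in cases.items()}
```

Only the genuine case passes; the look-alike site fails on origin (and would also fail on rpIdHash), and the replay fails on the challenge.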
2. Authenticator Apps (Very Good)
Examples: Google Authenticator, Authy, Microsoft Authenticator, Ente Auth
Authenticator apps generate time-based one-time passwords (TOTP) — 6-digit codes that rotate every 30 seconds. Each code is an HMAC of the shared secret and the current 30-second time step, truncated to six digits, so the app and the server can compute it independently without talking to each other. The secret key is shared once during setup (via QR code) and never transmitted again.
Pros: Free, works offline, widely supported, much more secure than SMS.
Cons: Vulnerable to phishing (user can be tricked into entering the code on a fake site), device loss = lost access (backup codes critical).
See how TOTP works under the hood with our TOTP Generator.
3. SMS Codes (Better Than Nothing)
A one-time code sent via text message. While better than no 2FA, SMS is the weakest second factor:
- SIM swapping: Attackers social-engineer your carrier into transferring your number to their SIM
- SS7 interception: Telecom protocol vulnerabilities allow message interception
- No offline support: Requires cell service
NIST SP 800-63B explicitly recommends against SMS as a sole second factor. Use it only when no other option is available.
4. Email Codes (Weak)
A code sent to your email. This is essentially single-factor if the attacker already has your email password. Not recommended as a primary 2FA method.
Comparison Table
| Method | Phishing Resistance | SIM-Swap Safe | Offline | Cost | Setup Difficulty |
|---|---|---|---|---|---|
| Hardware key (FIDO2) | Immune | Yes | Yes | $25-50 | Easy |
| Authenticator app (TOTP) | No | Yes | Yes | Free | Easy |
| Push notification | Partial | Yes | No | Free | Easy |
| SMS code | No | No | No | Free | Easiest |
| Email code | No | Yes | No | Free | Easiest |
Where to Enable 2FA First
Prioritize these accounts — compromise of any one cascades to others:
- Email — the master key; password resets for everything go here
- Password manager — contains all your other passwords
- Banking & financial — direct monetary risk
- Cloud storage — Google Drive, iCloud, Dropbox (may contain sensitive documents)
- Social media — identity theft, social engineering against your contacts
- Work/employer accounts — compliance requirements, company data
How to Set Up TOTP 2FA
- Go to the service's security settings and find "Two-factor authentication" or "2-step verification"
- Choose "Authenticator app" (not SMS)
- Scan the QR code with your authenticator app (Google Authenticator, Authy, etc.)
- Enter the 6-digit code to verify
- Save the backup/recovery codes — store them in your password manager or print them and store physically
Critical: Without backup codes, losing your phone means losing access. Always save them immediately.
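To show what the app does with the secret from that QR code, and how the server side checks the 6-digit code described under authenticator apps, here is an added RFC 6238 implementation written for this guide (not code from the page or from any authenticator app). The demo secret is the RFC 6238 reference-vector key in base32, not a real account secret.

```python
import base64
import hmac
import struct
import time
from hashlib import sha1

# Constructed example secret: the RFC 6238 reference-vector key
# "12345678901234567890" in base32, the form an otpauth:// QR code carries.
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32: str, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the current 30-second time step."""
    # Apps display the secret in base32, sometimes grouped with spaces and unpadded.
    cleaned = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
    counter = timestamp // step                      # both sides derive this from the clock
    digest = hmac.new(key, struct.pack(">Q", counter), sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation (RFC 4226 5.3)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret_b32: str, submitted: str, timestamp: int,
                window: int = 1, step: int = 30) -> bool:
    """Server-side check that tolerates +/- `window` steps of clock drift.

    Uses a constant-time comparison so timing does not reveal how many
    digits matched. A real verifier also records the accepted time step
    and refuses to accept the same code twice."""
    for drift in range(-window, window + 1):
        candidate = totp(secret_b32, timestamp + drift * step, step)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(DEMO_SECRET, now), "valid for", 30 - now % 30, "s")
```

Because the code depends only on the secret and the clock, a code typed into a fake page is still valid on the real site for the rest of its window, which is the phishing weakness listed above.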
Passkeys: The Future of Authentication
Passkeys (based on FIDO2/WebAuthn) are emerging as the successor to passwords + 2FA. They combine both factors into one: your device (have) authenticated by biometrics (are). Apple, Google, and Microsoft all support passkeys natively.
Passkeys are phishing-resistant (domain-bound); the private key is never sent to the website, and it can sync across your own devices, end-to-end encrypted, via iCloud Keychain or Google Password Manager. They may eventually make both passwords and traditional 2FA obsolete — but adoption is still early.
Common 2FA Mistakes
- Only enabling SMS 2FA — it's better than nothing, but switch to an authenticator app
- Not saving backup codes — phone dies = account lockout
- Using the same phone for passwords and 2FA — if compromised, both factors are on one device. Consider a hardware key as your second factor
- Approving push notifications without checking — "MFA fatigue" attacks bombard you with push prompts hoping you'll approve one
- Not enabling 2FA on your email — this is the account that matters most
Your Action Plan
- Install an authenticator app (Authy for cloud backup, Google Authenticator for simplicity)
- Enable 2FA on your email right now — this is the highest-priority account
- Enable 2FA on your password manager
- Work through the priority list above over the next week
- Consider a hardware key ($25 YubiKey) for your email and password manager
- Store all backup codes in your password manager
Strong, unique passwords from our Password Generator plus 2FA on every account — this combination stops the vast majority of attacks. Generate your passwords, store them in a password manager, and protect them with 2FA.