How Two-Factor Authentication Works: Security, Types, and Why It Matters
A comprehensive guide to two-factor authentication (2FA) — how it works, the different types (SMS, authenticator apps, hardware keys, passkeys), the security tradeoffs between them, and why enabling 2FA is one of the most important security steps anyone can take.
What Is Two-Factor Authentication?
Two-factor authentication (2FA) is the most common form of multi-factor authentication (MFA): a login process that requires the user to prove their identity with credentials from two distinct categories before gaining account access. The three categories of authentication factors are:
- Something you know: Password, PIN, security question answer
- Something you have: Smartphone, hardware security key, smart card
- Something you are: Biometric — fingerprint, face scan, retina scan
A password alone is "single-factor authentication." 2FA combines factors from two different categories; two passwords, or a password plus a security question, are still a single factor. The most common combination is a password (something you know) plus a time-based code from an authenticator app, or a code sent by SMS (something you have: the phone, or control of the phone number).
The security benefit is straightforward: even if an attacker steals or guesses your password, they cannot access your account without also possessing the second factor. According to Microsoft, MFA blocks over 99.9% of account compromise attacks on accounts that use it.
Types of Second Factors
SMS / Text Message Codes
The most widely deployed 2FA method. When you log in, the service sends a 6-digit code to your phone number via SMS. You enter the code to complete login.
Weaknesses:
- SIM swapping: Attackers socially engineer mobile carriers into transferring a victim's phone number to an attacker-controlled SIM. Once successful, all SMS codes are routed to the attacker. High-profile SIM swap attacks have compromised cryptocurrency accounts, social media accounts, and email accounts worth millions of dollars.
- SS7 vulnerabilities: Weaknesses in the Signaling System 7 protocol (used by global phone networks since the 1970s) allow sophisticated attackers to intercept SMS messages without physical access to the SIM card.
- Malware: Banking trojans on Android can silently forward SMS messages to attackers.
SMS 2FA is substantially better than no 2FA, but it is the weakest form of the second factor.
Authenticator Apps (TOTP)
Time-based One-Time Password (TOTP) apps — Google Authenticator, Authy, Microsoft Authenticator, Apple's built-in verification codes in Passwords — generate 6-digit codes that change every 30 seconds. Each code is an HMAC (SHA-1 by default; SHA-256 and SHA-512 are also allowed) over the current Unix time divided into 30-second steps, keyed with a shared secret that the service delivers as a QR code at setup. The scheme is specified in RFC 6238, which builds on the counter-based HOTP algorithm of RFC 4226.
Since the code is generated locally on your device from the secret key (nothing is sent over the phone network), it is immune to SIM swapping and SS7 attacks. The same secret is stored by the service, so a breach of the server's TOTP secrets exposes every enrolled user. Authenticator apps are the recommended minimum for most accounts.
Backup consideration: If you lose your phone without having saved recovery codes, you can lose access to every account enrolled on it. Authy supports encrypted cloud backup; Google Authenticator added cloud sync in 2023, though that sync was not end-to-end encrypted at launch. Recovery codes provided at setup should be stored securely offline.
Hardware Security Keys (FIDO2 / WebAuthn)
Physical devices (YubiKey, Google Titan Key, Thetis) that you plug into a USB port or tap via NFC. Authentication uses public-key cryptography:
- During registration, the key generates a public-private key pair for each service (relying party) and scopes it to that service's domain. The public key is stored with the service; the private key never leaves the hardware device.
- During login, the service sends a cryptographic challenge. The key signs it with the private key; the signature is verified with the stored public key.
Hardware keys are phishing-resistant because the credential is bound to the site's domain. The browser passes the origin of the page to the key, the key only uses a credential registered for that domain, and the origin is included in the data the key signs, which the server checks against its own. If an attacker lures you to a look-alike domain, the key has no credential for it and produces no signature, so there is nothing for a phishing proxy to relay. They are the gold standard for security-critical accounts: Google mandates them for its workforce, and US federal agencies are required to move staff to phishing-resistant MFA under the OMB zero trust memorandum M-22-09.
The FIDO2/WebAuthn standard is maintained by the FIDO Alliance and is supported by all major browsers and operating systems.
Passkeys
Passkeys are the next evolution of authentication, replacing the password plus second factor with a single step. Like hardware keys, passkeys are FIDO2/WebAuthn credentials built on public-key cryptography, but the private key is stored in the device's own secure hardware (Apple's Secure Enclave, a TPM, or the platform equivalent), unlocked by biometric or PIN verification, rather than on a separate device. Synced passkeys are replicated across your devices through iCloud Keychain, Google Password Manager, or a third-party password manager, which means their security also depends on the security of that cloud account; device-bound passkeys, which never leave one device, are available where that tradeoff is unacceptable.
Passkeys are phishing-resistant, immune to credential stuffing, and require no password. Apple, Google, and Microsoft began deploying passkey support in 2022–2023. Major services including GitHub, Google, Apple, PayPal, and eBay now support passkeys.
Comparing 2FA Methods
| Method | Phishing Resistant | SIM Swap Resistant | Ease of Use | Security Level |
|---|---|---|---|---|
| SMS codes | No | No | High | Low–Medium |
| Authenticator app (TOTP) | No | Yes | Medium | Medium |
| Hardware security key (FIDO2) | Yes | Yes | Medium | Very High |
| Passkeys | Yes | Yes | Very High | Very High |
| Biometric only | Varies | Yes | Very High | Medium |
Phishing Attacks Against 2FA
Real-time, adversary-in-the-middle phishing bypasses TOTP-based 2FA. The phishing site is a reverse proxy to the real service: when the victim enters their credentials and TOTP code, the attacker's server forwards them to the real service immediately and logs in before the code expires (servers typically also accept codes from one step either side, which widens the window). The proxy then captures the resulting session cookie, so it never needs to repeat the login. This is why TOTP is not technically phishing-resistant — only FIDO2/passkeys provide true phishing resistance through cryptographic domain binding.
The 2022 "0ktapus" campaign is the canonical case: attackers sent SMS lures pointing to cloned Okta login pages, captured employees' passwords and SMS/TOTP codes in real time, and compromised Twilio and over a hundred other organizations. Cloudflare, targeted by the same campaign, reported that its employees' FIDO2 hardware keys prevented the attackers from logging in even with stolen credentials.
Which Accounts Need 2FA?
Priority accounts for 2FA (in order of importance):
- Email accounts (the recovery method for almost every other account; whoever controls the mailbox can reset the rest)
- Password manager
- Financial accounts (banking, brokerage, cryptocurrency)
- Work accounts (Microsoft 365 / Google Workspace)
- Social media (identity theft vector)
- Domain registrar and hosting (control of websites)
The single highest-impact security action most individuals can take is enabling 2FA — ideally hardware keys or passkeys — on their primary email account and password manager.