Two-Factor Authentication Explained — The One Security Step Most People Skip
Affiliate disclosure: This article contains affiliate links. If you click a link and make a purchase, we may earn a commission at no extra cost to you. Our editorial recommendations are never influenced by commissions — read our full disclosure policy.
What 2FA Actually Is
Authentication has three possible factors:
- Something you know — a password.
- Something you have — a phone, a hardware key.
- Something you are — a fingerprint, a face.
2FA is the single highest-leverage security control available to an individual. A strong password manager plus 2FA on your important accounts blocks the vast majority of real-world attacks on individuals, because most of them depend on a reused, guessed or phished password alone. Everything else is refinement around those two.
The Types, Ranked
SMS Codes — The Weakest Useful Form
A code is texted to your phone. You type it in. This is the most common form of 2FA and the weakest, because the code travels over the phone network and is tied to your number rather than to your device. Two problems:
- SS7 vulnerabilities let attackers intercept SMS without touching your device.
- SIM swapping — an attacker convinces your carrier to port your number to a SIM they control. Once they have your number, they receive your codes.
Authenticator Apps — The Right Default
Apps like Authy, Google Authenticator, and Microsoft Authenticator generate time-based one-time passwords (TOTP) on your device. The codes are not sent to you over any channel: the shared secret is placed on your phone once, when you scan the enrolment QR code, and every code after that is computed locally from that secret and the current time, expiring within about 30 seconds. An attacker who intercepts your network traffic gets nothing useful. An attacker who SIM-swaps you gets nothing useful.
This is the right baseline for nearly every account.
Hardware Keys — The Strongest
YubiKey and Google Titan are physical devices that plug into USB or tap via NFC. They implement FIDO2 — cryptographic authentication in which the browser binds the login challenge to the site's real domain and the key only signs for the domain it was registered with. This makes hardware keys phishing-resistant by design. Even if you type your password into a convincing fake site, the hardware key refuses to authenticate because the domain does not match.
Appropriate for high-value targets: journalists, executives, anyone with account access worth serious attack effort. Get two — a primary and a backup. Lose your only key without a backup and account recovery is painful.
Passkeys — The Future
Passkeys are the emerging standard. A cryptographic key pair stored on your device, unlocked with biometrics. Phishing-resistant by design. No shared secret, no typing anything, no code to steal. Apple, Google, and Microsoft all support them natively, and adoption by services is accelerating through 2026. Use them wherever offered.
Where to Turn It On First
In this order:
1. Email. Your email is the master key — every password reset flows through it. This is the single most important account to protect.
2. Financial accounts. Banks, brokerages, payment services.
3. Password manager. Protects everything downstream.
4. Work accounts. Especially if you have admin privileges on anything.
5. Social media. Because recovery through a hijacked social account is an established attack path.
Setting Up Authy in Ten Minutes
We recommend Authy over Google Authenticator for one reason: Authy backs up your TOTP seeds to the cloud, encrypted with a password you set. Lose your phone and your 2FA survives. Google Authenticator can be migrated manually, but historically it has left users without their codes after device changes.
1. Install Authy on your phone.
2. Create an account with a strong Authy password.
3. Go to the security settings on the account you are securing.
4. Choose "authenticator app" as the 2FA method.
5. Scan the QR code with Authy.
6. Enter the first generated code to confirm.
7. Store the backup codes the service provides in your password manager as a secure note. These are your escape hatch if you lose your phone before setting up a second device.
Repeat for every important account. It takes about three minutes per account after the first.
Related reading: Complete Security Stack, How to Create a Master Password.
Reviewed by Thomas — NorwegianSpark · Last updated: 15 April 2026