Two Factor Authentication Explained

Passwords alone fail because databases leak and humans reuse. Two-factor authentication requires something you have (phone, key) or something you are (biometrics) plus something you know.

SMS codes are better than nothing but vulnerable to SIM swap attacks. Authenticator apps (Aegis, Authy, vendor apps) generate time-based codes on device.

Hardware security keys (FIDO2/WebAuthn) resist phishing best—sites verify the physical token. Use at least two keys stored separately.

Backup codes matter. Store them offline when you enroll—otherwise a lost phone locks you out.

Workplaces increasingly require MFA; personal life should too for email and cloud storage.

If a site only offers SMS, still enable it. Upgrade when they add apps or keys.

Pair with secure-your-accounts field guide for rollout night.