
Two-Factor Authentication Explained: Why a Password Alone Is Not Enough

25 May 2026 | Jamie Clarke | 4 min read

Two-factor authentication (2FA) is the most impactful security upgrade available to the average person — and the most widely unimplemented one. A password alone, however strong, can be stolen through phishing, data breaches, keyloggers, or social engineering. A password combined with a second factor that only you physically possess is dramatically harder to compromise. Understanding how 2FA works, which types offer the best protection, and where to prioritise it protects you against the most common forms of account takeover without requiring any technical expertise.

What Two-Factor Authentication Is

Authentication factors fall into three categories: something you know (password, PIN), something you have (phone, hardware key), and something you are (fingerprint, face recognition). Single-factor authentication uses only one of these. Two-factor authentication requires two, from different categories — typically something you know (your password) plus something you have (your phone generating a code).

The critical property is that the two factors are independent. Compromising one does not compromise the other. A thief who steals your password cannot access your account without also physically possessing your second factor. A thief who steals your phone cannot access your account without also knowing your password.

SMS 2FA: Better Than Nothing, But Weak

The most widely deployed form of 2FA is an SMS text message containing a one-time code. After entering your password, the service sends a six-digit code to your registered phone number, which you then enter to complete the login.

SMS 2FA is significantly better than no second factor. However, it has known weaknesses. SIM swapping — where an attacker convinces your mobile carrier to transfer your number to a SIM they control — allows codes intended for you to be intercepted by them. SMS codes are also vulnerable to real-time phishing attacks where you are tricked into entering the code on a fake site that immediately uses it on the real one. For most personal accounts it is adequate; for high-value accounts like banking and email, stronger options are preferable.

Authenticator Apps: The Right Choice for Most Accounts

Time-based One-Time Password (TOTP) authenticator apps — Google Authenticator, Authy, Microsoft Authenticator — generate six-digit codes that change every 30 seconds. The code is generated locally on your device using a secret key shared with the service during setup. No SMS is sent and no network connection is needed to generate codes.

TOTP codes are not vulnerable to SIM swapping because they never travel through the phone network. They are harder to phish than a static password because each code expires within 30 seconds, although a real-time phishing site of the kind described above, which relays the code to the genuine service immediately, can still use it inside that window. The main risk is losing access to your authenticator app — either by losing the device or because the app was not backed up before a factory reset. Store the backup codes provided during 2FA setup securely, or use an authenticator app with encrypted cloud backup.

The principles behind TOTP code generation — combining a shared secret key with the current time and applying a cryptographic hash — connect directly to the concepts in our random string generator and the broader topic of cryptographic randomness.
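How a TOTP code is produced and checked, as an added Go example (it is not code from the article or from any of the apps named above): it implements RFC 4226 HOTP and RFC 6238 TOTP with the standard library only, and adds the service-side checks a practitioner would want, a one-step clock-drift window and rejection of a replayed code. The secret used in main is the RFC 6238 test key; the Verifier type and the function names are this example's own.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"strings"
	"time"
)

// Step is the TOTP time step in seconds (the RFC 6238 default used by authenticator apps).
const Step int64 = 30

// hotp is RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, dynamic
// truncation to 31 bits, then reduction to the requested number of digits.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	bin := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, bin%mod)
}

// totp is RFC 6238: the counter is the number of 30-second steps since the Unix epoch.
func totp(secret []byte, unix int64, digits int) string {
	return hotp(secret, uint64(unix/Step), digits)
}

// decodeBase32Secret accepts the secret as shown on a setup page or QR code
// (base32, possibly lower case, with spaces or padding stripped).
func decodeBase32Secret(s string) ([]byte, error) {
	s = strings.ToUpper(strings.ReplaceAll(s, " ", ""))
	s = strings.TrimRight(s, "=")
	return base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(s)
}

// Verifier is the service side. It tolerates one step of clock drift either
// way and remembers the newest step it has accepted, so the same code cannot
// be replayed within its validity window.
type Verifier struct {
	secret       []byte
	digits       int
	lastAccepted int64
}

func NewVerifier(secret []byte, digits int) *Verifier {
	return &Verifier{secret: secret, digits: digits, lastAccepted: -1}
}

// Verify checks a submitted code against the current time; the comparison
// is constant-time via hmac.Equal.
func (v *Verifier) Verify(code string, now int64) bool {
	current := now / Step
	for _, c := range []int64{current - 1, current, current + 1} {
		if c <= v.lastAccepted {
			continue // this step (or an older one) has already been used
		}
		if hmac.Equal([]byte(hotp(v.secret, uint64(c), v.digits)), []byte(code)) {
			v.lastAccepted = c
			return true
		}
	}
	return false
}

func main() {
	// RFC 6238 Appendix B test key (ASCII "12345678901234567890"); the RFC's
	// 8-digit value for T=59 is 94287082.
	secret := []byte("12345678901234567890")
	fmt.Println("T=59, 8 digits:", totp(secret, 59, 8))

	v := NewVerifier(secret, 6)
	now := time.Now().Unix()
	code := totp(secret, now, 6)
	fmt.Println("current code:", code)
	fmt.Println("first use accepted:", v.Verify(code, now))
	fmt.Println("replay accepted:", v.Verify(code, now+5))
}
```

The replay check is what turns a 30-second window into a single-use code: a code captured off the wire is useless once the legitimate login has consumed its time step.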

Hardware Security Keys: The Strongest Option

Physical hardware keys (YubiKey, Google Titan, Feitian) provide the strongest available second factor. They use public-key cryptography — a mathematically related key pair where the private key never leaves the hardware device — to authenticate without sending any reusable secret over the network.

Hardware keys are completely immune to phishing because the authentication is domain-bound: the key will not authenticate for a fake domain even if it looks identical to the real one. They are the second factor of choice for high-value accounts, security-conscious individuals, and anyone who is a realistic target for sophisticated attacks.
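The domain binding described above, as an added Go example that is not the article's own code and not the firmware of any of the keys named: a simplified model of a FIDO2/WebAuthn login using ECDSA P-256 from the standard library. The SecurityKey, RelyingParty, browserGetAssertion and loginFrom names and the domains bank.example and bank-example.com are made up for the illustration; the browser's rule is reduced to "same host or a parent domain" (the real rule uses the registrable domain), and the signed data omits the full authenticatorData and clientDataJSON layout.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
)

// credential is what the key stores per relying party (the site's domain):
// a P-256 private key generated on the device and never exported.
type credential struct {
	priv *ecdsa.PrivateKey
}

// SecurityKey models the hardware authenticator.
type SecurityKey struct {
	creds map[string]*credential
}

func NewSecurityKey() *SecurityKey {
	return &SecurityKey{creds: map[string]*credential{}}
}

// Register creates a key pair for rpID and hands out only the public half.
func (k *SecurityKey) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	k.creds[rpID] = &credential{priv: priv}
	return &priv.PublicKey, nil
}

// Assertion is the login response: the signed fields plus the signature.
type Assertion struct {
	RPIDHash  [32]byte
	Challenge []byte
	Sig       []byte
}

// signedDigest is what the private key actually signs: the relying party
// ID hash and the challenge together, so neither can be swapped afterwards.
func signedDigest(rpIDHash [32]byte, challenge []byte) [32]byte {
	return sha256.Sum256(append(rpIDHash[:], challenge...))
}

// Sign answers a login request. With no credential for rpID there is
// nothing to sign with, and the rpID hash is baked into the signed data.
func (k *SecurityKey) Sign(rpID string, challenge []byte) (*Assertion, error) {
	c, ok := k.creds[rpID]
	if !ok {
		return nil, errors.New("no credential registered for " + rpID)
	}
	a := &Assertion{RPIDHash: sha256.Sum256([]byte(rpID)), Challenge: challenge}
	d := signedDigest(a.RPIDHash, challenge)
	sig, err := ecdsa.SignASN1(rand.Reader, c.priv, d[:])
	if err != nil {
		return nil, err
	}
	a.Sig = sig
	return a, nil
}

// browserGetAssertion stands in for the browser: the relying party ID is
// checked against the page's real origin, and a page may only name its own
// host or a parent domain of it (simplified registrable-domain rule).
func browserGetAssertion(key *SecurityKey, origin, rpID string, challenge []byte) (*Assertion, error) {
	host := strings.TrimPrefix(origin, "https://")
	if host != rpID && !strings.HasSuffix(host, "."+rpID) {
		return nil, fmt.Errorf("origin %s is not allowed to use rpID %s", origin, rpID)
	}
	return key.Sign(rpID, challenge)
}

// RelyingParty is the service, holding the public key from registration.
type RelyingParty struct {
	rpID string
	pub  *ecdsa.PublicKey
}

// Verify accepts only an assertion signed for this service's own domain
// over the challenge it issued.
func (rp *RelyingParty) Verify(a *Assertion, challenge []byte) bool {
	if a.RPIDHash != sha256.Sum256([]byte(rp.rpID)) || !bytes.Equal(a.Challenge, challenge) {
		return false
	}
	d := signedDigest(a.RPIDHash, a.Challenge)
	return ecdsa.VerifyASN1(rp.pub, d[:], a.Sig)
}

// loginFrom runs one login attempt from a page at origin and reports
// whether the relying party accepted it.
func loginFrom(key *SecurityKey, rp *RelyingParty, origin string) (bool, error) {
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return false, err
	}
	host := strings.TrimPrefix(origin, "https://")
	a, err := browserGetAssertion(key, origin, host, challenge)
	if err != nil {
		return false, err
	}
	return rp.Verify(a, challenge), nil
}

func main() {
	key := NewSecurityKey()
	pub, _ := key.Register("bank.example")
	rp := &RelyingParty{rpID: "bank.example", pub: pub}
	fmt.Println(loginFrom(key, rp, "https://bank.example"))     // true <nil>
	fmt.Println(loginFrom(key, rp, "https://bank-example.com")) // false, no credential for that domain
}
```

Three independent checks make the look-alike site fail: the key has no credential for the phishing domain, the browser will not let that page name the genuine domain, and even a signature produced for another domain carries the wrong rpID hash and is rejected by the service.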

Where to Enable 2FA First

Prioritise in order of impact: email accounts first (email resets every other account, so compromised email means all other accounts can be taken over), then financial accounts (banking, investment, PayPal), then password managers (which protect everything else), then social media and work accounts, then everything else.

A strong password without 2FA is vulnerable to breaches, phishing, and credential stuffing. A moderate password with TOTP authenticator 2FA is substantially more secure in practice than a strong password alone. Use our password generator to create strong unique passwords for every account, then add 2FA at every service that offers it.

Losing Access: The Risk to Manage

The scenario that causes most 2FA-related lockouts is losing access to the second factor — typically by replacing a phone without migrating the authenticator app first. Before enabling 2FA on any account, save the backup codes provided during setup in a secure location (a password manager or encrypted note) and verify you have a recovery method configured.

The NCSC (National Cyber Security Centre) at ncsc.gov.uk provides plain-English guidance on setting up two-step verification across common services — the UK government's recommended starting point for personal cyber security.
