What 2FA is
Two-factor authentication requires a second factor at login in addition to 'something you know' (a password): either 'something you have' (a phone or security key) or 'something you are' (biometrics). You must pass both factors to log in.
So even if one password leaks, an account can't be accessed without the second factor.
How safe each method is
2FA methods differ in how safe they are.
- SMS text: convenient but vulnerable to interception and SIM swapping (still better than nothing)
- Authenticator app (TOTP): a 6-digit code that changes periodically, safer than SMS
- Security key (FIDO2/passkey): phishing-resistant and the safest method
- Backup codes: keep them somewhere safe in case you lose your device
Setup recommendations
Turn on 2FA first for important accounts like email, banking, cloud and social media. Use an authenticator app or security key rather than SMS when possible, and always store your backup codes separately.
Together with your password
2FA doesn't replace your password. Account security is strongest when you use a different strong password for every site together with 2FA.