Two-Factor Authentication (2FA)
2FA adds a second layer of security. Even if someone steals your password, they still need the second factor to log in.
Simple idea
Password = something you know. 2FA = something you have (phone/app) or something you are (biometrics).
Common 2FA methods (best to worst)
2FA options
- Authenticator app (recommended): Google Authenticator, Microsoft Authenticator, Authy
- Passkeys / device prompts: ‘Approve sign-in’ on your phone
- Hardware key: YubiKey (very strong)
- SMS codes: better than nothing, but can be intercepted
Important
Never share a 2FA code/OTP with anyone — not even ‘support’ or ‘bank staff’.
Best practice
- Use an authenticator app where possible
- Save backup codes in a safe place
- Turn on 2FA for email first (email controls resets for other accounts)
Key takeaways
- 2FA blocks account takeovers even if your password is stolen
- Authenticator apps are safer than SMS
- Backup codes are your recovery plan
- Never share OTP codes with anyone