2FA (Two-Factor Authentication)

2FA, short for two-factor authentication, is an authentication scheme that requires the user to present two independent factors of proof before access is granted. The classical taxonomy of authentication factors includes:

• Something you know — a password, PIN, or memorized phrase
• Something you have — a phone, hardware token, smart card, or registered device
• Something you are — a biometric trait such as fingerprint, face, or voice

A 2FA scheme combines two factors from different categories. The most common deployment in consumer software pairs a password (something you know) with an OTP delivered via SMS or generated by an authenticator app (something you have). Less common but stronger combinations include password + hardware key (FIDO2 / WebAuthn) or password + push notification.

The security premise of 2FA is that compromising both factors simultaneously is much harder than compromising one. If an attacker phishes a password, they still need physical or remote access to the user's second-factor device. If an attacker steals a phone, they still need to know the password.

In practice, 2FA delivery channels vary widely in actual security:

• SMS-delivered OTP is the weakest mainstream option. SIM-swap attacks, SS7 interception, and carrier-side compromise can all redirect the second factor to an attacker.
• TOTP via authenticator app (Google Authenticator, Aegis, 2FAS) is significantly stronger because the code is generated locally on a device the attacker does not have.
• Push-based 2FA (Duo, Microsoft Authenticator) is convenient but susceptible to push-fatigue attacks where the user accidentally approves a malicious request.
• Hardware keys (YubiKey, Feitian, SoloKey) are the strongest commonly available second factor, providing phishing resistance via origin-binding cryptographic challenges.

2FA is not the same as MFA (multi-factor authentication), which can require three or more factors. In casual usage the terms are often interchangeable. 2FA is also distinct from two-step verification, which historically referred to two-step processes that may use the same factor twice (such as a password followed by an emailed code), though this distinction has eroded in modern usage.

Notwithstanding its weaknesses, enabling 2FA on important accounts dramatically reduces the success rate of opportunistic attacks. Industry studies consistently report that 2FA blocks well over 99 percent of automated credential-stuffing attempts.