Two-Factor Authentication

Your Second Line of Defense

What is Two-Factor Authentication?

Two-factor authentication (2FA) requires two different types of verification to access your account. Even if someone steals your password, they can't log in without the second factor.

The three types of authentication factors are:

  • Something you know - Password, PIN
  • Something you have - Phone, security key
  • Something you are - Fingerprint, face

2FA Methods Ranked

Method             Security   Convenience  Recommendation
Hardware Key       Excellent  Good         Best option
TOTP App           Very Good  Good         Recommended
Push Notification  Good       Excellent    Acceptable
SMS Code           Poor       Excellent    Avoid if possible
Email Code         Poor       Good         Last resort

TOTP Authenticator Apps

Time-based One-Time Password (TOTP) apps generate 6-digit codes that change every 30 seconds. This is the recommended 2FA method for most users.

Recommended TOTP Apps

Aegis

Open source, Android only, encrypted backups

2FAS

Open source, iOS & Android, cloud sync

Authy

Cloud backup, multi-device, easy setup

Backup Your 2FA

Always save backup codes when setting up 2FA. If you lose your phone without backups, you could be locked out permanently.

Hardware Security Keys

Physical security keys provide the strongest protection against phishing. They use cryptographic protocols that verify the website is legitimate.

Phishing-Proof

Hardware keys won't work on fake websites. Even if you're tricked by a perfect phishing page, the key knows it's not the real site.

Popular Security Keys

  • YubiKey 5 - Most versatile, supports all protocols
  • Google Titan - Good value, Google ecosystem
  • SoloKeys - Open source hardware

Why SMS 2FA is Risky

SMS-based 2FA is vulnerable to several attacks and should be avoided when better options exist:

  • SIM swapping - Attackers convince carriers to transfer your number
  • SS7 vulnerabilities - Flaws in phone network protocols
  • Interception - Messages can be intercepted in transit
  • Social engineering - Carrier employees can be manipulated

However, SMS 2FA is still better than no 2FA at all. Use it if it's your only option.

2FA Setup Checklist

  • Enable 2FA on email accounts first (they are the recovery channel for everything else)
  • Use TOTP or hardware keys instead of SMS
  • Save backup codes in your password manager
  • Register multiple hardware keys if using them
  • Enable 2FA on financial accounts, social media, cloud storage
