Two-Factor Authentication (2FA)

Two-factor authentication (2FA, also called MFA) requires a second proof of identity beyond the password. The factors are categorized as something you know (password), something you have (phone, hardware key), and something you are (biometric). 2FA combines two distinct categories. The defense it provides: a stolen password alone does not unlock the account.

What it means in practice

The 2FA tiers in order of resistance to attack. Tier 0 (worst): SMS-based 2FA. The attacker SIM-swaps the phone number and intercepts the code. NIST has formally deprecated SMS 2FA since 2017; banks and brokerages still offer it as the default. Tier 1: TOTP (Time-based One-Time Password), generated by an app like Aegis (Android), Raivo (iOS), Google Authenticator, Authy. Codes rotate every 30 seconds and live only on the device. Tier 2: push-based 2FA (Duo, Microsoft Authenticator). Better UX, vulnerable to MFA fatigue attacks where the attacker spams push notifications until the user approves one. Tier 3 (best): hardware security keys implementing FIDO2/WebAuthn (YubiKey, Titan Security Key, SoloKey). Phishing-resistant by design because the cryptographic protocol binds to the domain, so a phishing site cannot harvest the credential.

Where it shows up

The high-leverage application is the keystone accounts: primary email, password manager, financial accounts, social media that hosts your audience, and cloud storage. For these, the marginal cost of moving from SMS to TOTP to hardware key is small; the marginal protection is large. Most account takeovers documented in breach reports start with a stolen password and end with bypass of weak 2FA, not with breaking a hardware key. The categories where SMS 2FA is still the only option (some US banks, some legacy enterprise tools) require either provider pressure or compensating controls (a port-out PIN with the carrier, a SIM-swap-resistant carrier like Google Fi or US Mobile RIDE, account-takeover monitoring).

What you can change today

Open the security settings of your primary email and your password manager. Switch from SMS to TOTP via Aegis (Android) or Raivo (iOS) for both. Buy two YubiKey 5 NFC keys (around $50 each), enroll both on the email and the password manager, store the second in a different physical location (safe deposit box, parent’s house, work locker). Generate and download the recovery codes for each account, print them on paper, store with the backup YubiKey. The whole pass takes 90 minutes; the result is that an attacker who phishes your password cannot get in, period.

Related articles