Two-Factor Authentication
Also known as: 2FA, multi-factor authentication, MFA, two-step verification
A second verification step (typically a code from your phone) required to log in after entering your password, blocking attackers who only know your password.
Two-factor authentication — usually written as 2FA — is the single most effective defense against password theft. After you enter your password, the service asks for a second proof of identity: a 6-digit code from an authenticator app, a code sent via SMS, a fingerprint, a hardware key, or a push notification. Even if a thief has your password, they cannot log in without that second factor.
The gold standard is an authenticator app (Google Authenticator, Authy, Microsoft Authenticator, 1Password) or a hardware key (YubiKey). SMS-based 2FA is better than none but can be defeated by SIM-swap attacks where the scammer convinces your carrier to transfer your phone number to their device.
Every account that connects to money, email, identity, or work should have 2FA enabled: bank accounts, email, password manager, social media, tax filing, work platforms. Setting up 2FA on five accounts takes 15 minutes and prevents the vast majority of real-world account takeovers.