United States Edition Write for Us   About   Contact
Newsmotion
The story behind the headlines
Contribute
Explainer

How Two-Factor Authentication Protects You

A stolen password is often all an attacker needs. Two-factor authentication adds a second lock, but not all second factors are equal. Here is how 2FA works and which method to choose.

By Newsmotion·Updated July 2026

Photo: Wikimedia Commons, via Wikimedia Commons (CC BY-SA)

Passwords get stolen constantly, in breaches, through phishing, by reuse across sites. Two-factor authentication is the single most effective thing most people can do to protect their accounts anyway. Here is how it works and which version to turn on.

The three kinds of factor

Authentication factors come in three categories:

  • Something you know: a password or PIN.
  • Something you have: your phone, an authenticator app, or a hardware key.
  • Something you are: a biometric, like a fingerprint or face scan.

Real two-factor authentication combines factors from two different categories. A password plus a code from your phone qualifies. Two passwords do not, because they are both "something you know."

You will also see the term MFA, or multi-factor authentication. It is the umbrella term for two or more factors. All 2FA is MFA; MFA just is not limited to two.

The methods, ranked

Not all second factors offer the same protection. From weakest to strongest:

  • SMS text codes are better than nothing, but they are the weakest option. Attackers can hijack your phone number through a SIM-swap, intercept messages through telecom flaws, or trick you into handing over the code. US security agencies have advised moving away from SMS for higher-risk accounts.
  • Authenticator-app codes (TOTP), from apps like Google Authenticator, Microsoft Authenticator, or Aegis, are a clear step up. They cannot be SIM-swapped and work with no signal. Their one weakness: the six-digit code can still be phished if a fake site tricks you into typing it in real time.
  • Hardware security keys and passkeys are the strongest option, and they are phishing-resistant. The login is cryptographically bound to the real website's address, so a look-alike phishing site simply cannot capture anything usable. Passkeys are the consumer-friendly version of the same underlying technology (the standard is called FIDO2 or WebAuthn).
If a service offers passkeys or a hardware key, that is the strongest choice. If not, an authenticator app beats SMS. Any second factor beats none.

How the authenticator code works

The six-digit codes in an authenticator app are not sent to you; your app generates them. When you set up 2FA, the site shares a secret key with your app, usually by showing a QR code you scan. From then on, your app combines that shared secret with the current time, in 30-second windows, using a standard algorithm to compute a code. The server runs the same calculation with the same secret and clock. If the two match, you are in. Because it relies on the shared secret and the time, your phone can generate valid codes even with no internet connection.

Turn it on where it matters most

Start with the accounts that unlock everything else: your primary email, your password manager, and your bank. Your email is the master key, because password resets for other sites are sent there.

The bottom line

Two-factor authentication means that a stolen password, on its own, is no longer enough to break into your account. Turn it on everywhere it is offered, choose an authenticator app or a passkey over SMS when you can, and protect your email account first. It is a few minutes of setup for a large reduction in risk.

This is general security guidance, not a substitute for the specific advice of the services you use.

Get the explainer, not the noise

Newsmotion breaks down how the US actually works, one clear explainer at a time. Know a topic worth explaining? Pitch us.

Write for Us