What is two-factor authentication (2FA) and why is it important?
Even if someone obtains your password, it should not be enough to gain access. Two-factor authentication provides exactly that - a second barrier that the password alone cannot cross.
What are the two factors?
Authentication can be built from three possible components:
- What you know - password, PIN
- What you have - phone, hardware key
- What you are - fingerprint, facial recognition
Simple password-based access uses only the first category. Two-factor authentication (2FA) combines two of these - most often a password and a code generated on a phone.
How does TOTP work?
The most common 2FA method is TOTP (Time-based One-Time Password) - a time-based, single-use code. How it works:
- The website and your phone share a secret key (when you scan the QR code).
- Both parties calculate a 6-digit code from the same key and the current time.
- The code changes every 30 seconds.
- When logging in, you must enter the code displayed on your phone.
The code is only generated on the phone that has the secret key. Even if someone steals your password, they cannot log in without the code.
What is the difference between an SMS code and a TOTP?
| | SMS code | TOTP (e.g., Aegis) |
|---|---|---|
| Where is it generated? | Service provider’s server | Your phone |
| Internet connection required? | Yes | No |
| Can it be obtained through a SIM swap attack? | Yes | No |
| Security level | Medium | High |
SMS-based 2FA is better than nothing - but weaker than a dedicated authentication app. In a SIM swap attack, the criminal takes over your phone number at your mobile service provider and thus receives the SMS codes. A SIM swap does not help against TOTP, because the code is computed on your phone from the secret key rather than sent to your number.
Hardware key - the strongest solution
Physical hardware keys (e.g., YubiKey) are USB or NFC devices that verify identity with a cryptographic signature. Their advantages:
- They cannot be stolen remotely
- They protect against phishing sites - they only work on the original domain
- There is no code to read or type in
The disadvantages are the higher price and the need to make a backup in case of loss.
What happens if I lose my phone?
This is the biggest practical risk of 2FA. Solutions:
- Backup codes - most services provide one-time emergency codes, which should be stored in a safe place
- TOTP app backup - Aegis, for example, supports encrypted export
- Multiple devices - the TOTP secret key can be added to multiple devices at once
Never store backup codes on the same device as the 2FA app.
Where should you enable it?
Everywhere it’s available - but especially:
- Email accounts
- Password managers
- Banking and financial services
- Social media
- Work accounts
Summary
Two-factor authentication is a simple but extremely effective layer of protection. A leaked password alone is not enough to break in if 2FA is active. It takes a few minutes to set up - and the protection it provides is disproportionately high.
This article is part of a series that aims to explain the basics of online security in simple terms.