Two-factor authentication (2FA / MFA)
A security method requiring two separate proofs of identity — typically a password plus a code from your phone — before granting access to an account.
Also known as: 2FA, MFA, multi-factor authentication, two-step verification
Last reviewed: 1 June 2026
Two-factor authentication (2FA) adds a second verification step to the login process. Even if an attacker has your password, they also need the second factor — something you physically possess (a phone with an authenticator app, a hardware security key) or something tied to your biology (fingerprint, face scan).
Multi-factor authentication (MFA) is the broader term covering more than two factors. The three classic categories are: something you know (password), something you have (phone/token), and something you are (biometric).
Not all 2FA is equally strong. SMS-based 2FA is vulnerable to SIM swap attacks. App-based TOTP codes are better. Hardware security keys (e.g. FIDO2/WebAuthn) are the most phishing-resistant option available to consumers. Despite its imperfections, any form of 2FA is vastly better than a password alone.