What Is Two-Factor Authentication?

In plain English

Two-factor authentication, or 2FA, adds a second step at login on top of your password. It means a stolen password on its own is not enough to get into your account.

The idea

A password is one secret. If somebody learns it, they are you.

And passwords leak constantly. They turn up in a data breach at a company you forgot you had an account with. They get typed into a convincing fake login page after a phishing email. They get reused across sites, so one leak opens twenty doors.

2FA takes the password and adds a second thing. Now knowing the secret is not enough. The attacker also needs the object in your pocket. That one change stops the overwhelming majority of account takeovers, because most attacks are someone far away with a list of passwords, not someone standing next to you.

The common types

They are not equal. It is worth knowing which one you are using.

  • An app generated code. An authenticator app on your phone produces a rotating code. Good, free, and it works offline. The sensible default for most people.
  • A hardware key. A small physical device you plug in or tap. The strongest option, because it checks the site is the real one and simply refuses to work on a lookalike. It is the only common type that shrugs off phishing.
  • A passkey. Increasingly offered instead of a password entirely, using your phone or laptop to prove it is you. Strong, and pleasant to use.
  • SMS codes. A code texted to your number. Better than nothing, and much better than no second step at all. But it is the weakest of the group.

Why SMS is the weak one

Because your phone number is not really yours. It belongs to your mobile operator, and it can be moved.

In a SIM swap, an attacker persuades the operator that they are you and that they need your number on a new SIM. Sometimes with details scraped from your social accounts. Sometimes with a bribed employee. When it works, your texts start arriving on their phone. Your second factor is now theirs, and you find out when your phone goes dead.

SMS codes still block the bulk attacks. If it is the only option a site offers, take it. But if there is an app or a key on the menu, take that instead.

If you are a shopper, start with email

If you do one thing after reading this, turn on 2FA for your email account.

Not your bank. Not your favourite shop. Email.

Your inbox is the master key. Every "forgot password" link on the internet lands there. Someone who owns your email can walk through your bank, your shops, your domain and your social accounts one at a time, resetting as they go, and they never need to know a single one of those passwords. Protecting the shopping account while leaving the inbox open is locking the safe and leaving the key in the door.

Do email first. Then the accounts with money or cards saved in them.

If you run a site, three accounts matter most

Owners have a wider blast radius. Three accounts deserve 2FA before anything else, and the third is the one people forget.

  • Your store admin. The obvious one. It holds your orders, your customers and your ability to change your own checkout.
  • Your domain registrar. Where the domain itself is owned. Lose this and you do not lose an account, you lose the name.
  • Your DNS host. The one that gets overlooked. Control of DNS is control of the domain, because DNS decides where your name points.

Why DNS is the crown jewels

Your DNS records decide where your visitors and your email actually go. Someone who can edit them can point your domain at their server, take your mail, and get certificates issued in your name. Your site would be untouched. Your customers would still be handing over card details, to somebody else.

That is why the registrar and the DNS host belong on the same shortlist as the admin panel. Records like DNSSEC and a CAA record harden what sits on top. 2FA is what stops someone logging in and changing the lot.

Want to see what your domain currently looks like from the outside? Run a free check.

Need to fix this on your own site?

We have step by step instructions for every major platform, including the ones that will not let you.

See how to turn on 2FA on your platform

Related terms

Browse the full glossary →

See where your site stands.

Run a free check and find out which of these your site already passes, in seconds.

Run a free check Browse the fixes