Two-factor authentication (2FA)
Also known as: 2FA, two-step verification, multi-factor authentication, MFA
Two-factor authentication (2FA) requires a second proof of identity beyond your password — usually a code from your phone or an app — so a stolen password alone is not enough to sign in. It is one of the strongest, simplest defenses for any account.
- Adds a second proof beyond your password
- App codes and security keys beat SMS codes
- Save backup codes to avoid being locked out
The two factors
Authentication factors fall into categories: something you know (a password), something you have (a phone, security key, or authenticator app), and something you are (a fingerprint or face). 2FA combines two of these so one leaked factor is not enough.
The most common setup pairs your password with a six-digit code. Codes from an authenticator app or a hardware security key are more resistant to interception than codes sent by SMS, though SMS is still far better than no second factor.
Why it matters for your accounts
Most account breaches start with a reused or leaked password. With 2FA on, an attacker who has your password still cannot get in without your second factor. Apple ID, Google, and major services strongly encourage or require it.
Keep backup codes somewhere safe, because losing your second-factor device can lock you out. Many people store these in an encrypted password manager.