Two-factor authentication, in plain English
What 2FA actually buys you, the three main flavours, and how to pick the right one for each account.
Two-factor authentication is the single highest-impact security setting most people aren't using. Microsoft's published numbers say it blocks more than 99% of automated account takeovers. Yet it has a reputation for being awkward — partly because the three common types ("SMS code", "authenticator app", "security key") get talked about as if they're interchangeable. They aren't. Here's the practical version.
What 2FA actually does
Passwords leak constantly. Database dumps, phishing pages, browser malware, password reuse: there are too many ways for one of yours to end up in someone's spreadsheet. 2FA adds a second check tied to something you have, not just something you know. An attacker who has your password also needs that second factor, and with the better methods needs it at the moment of login, which is much harder to arrange.
SMS 2FA
A six-digit code arrives by text and you type it in. It's the easiest method because every phone can receive it, and that is also why it is the floor of acceptable security: enough to stop credential-stuffing bots, but exposed to SIM-swap attacks (an attacker talks your carrier into moving your number to their SIM), to interception in the carrier signalling network (SS7) on weaker networks, and to real-time phishing pages that ask for the code and forward it before it expires.
Good for: low-value accounts where you'd rather not install another app. Forums, shopping sites, mailing lists.
Bad for: email, banking, government portals, anything that controls other accounts.
Authenticator apps (TOTP)
Apps like Google Authenticator, 1Password, Bitwarden and Authy generate a fresh six-digit code every 30 seconds. The code is an HMAC of the current time under a secret that the site hands you once at setup and that both your device and the site keep; no SMS and no carrier are involved, and the codes work offline. A real-time phishing page that captures your password and one code and forwards them within the 30-second window can still get in, but SIM-swap is no longer relevant.
Setup tip: when a site shows you the QR code, also save the textual seed shown alongside it (it is the same secret the QR code encodes; not every app will let you export it afterwards). If you lose your phone without the seed and without recovery codes, you'll need to reset every account from scratch.
Good for: almost everything. Most email providers, social platforms, crypto exchanges and developer tools support TOTP, and it's free.
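To make the "HMAC of the current time" concrete, here is the TOTP algorithm written out end to end: decoding the textual seed, parsing the otpauth:// URI that the QR code encodes, generating the code (RFC 4226 HOTP under RFC 6238 time steps), and the server-side check with a clock-drift window and replay refusal. This is an added example, not code from the original article or from any of the apps named above; the otpauth URI, the account label and the seeds are constructed for illustration (the 20-byte ASCII seed is the RFC 6238 test key).

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse


def decode_seed(seed: str) -> bytes:
    """Turn the textual seed (Base32, as printed next to the QR code) into raw key bytes.
    Sites show it with or without padding, with spaces, and in either case."""
    s = seed.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)  # restore the Base32 padding that many sites strip
    return base64.b32decode(s)


def parse_otpauth(uri: str) -> dict:
    """Parse the otpauth://totp/... URI that the QR code encodes (key-URI format)."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    return {
        "label": u.path.lstrip("/"),
        "issuer": q.get("issuer"),
        "secret": decode_seed(q["secret"]),
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
    }


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the number of `period`-second steps since the epoch."""
    return hotp(secret, unix_time // period, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1,
                last_counter: int = -1, period: int = 30, digits: int = 6):
    """Server-side check. Accepts the current step and `window` steps either side (clock drift)
    but refuses any counter at or below the last one accepted, so a captured code cannot be
    spent twice. Returns the matched counter (store it as the new last_counter), or None."""
    current = unix_time // period
    for delta in range(-window, window + 1):
        c = current + delta
        if c <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return c
    return None


if __name__ == "__main__":
    # Constructed example URI, as a site would embed it in the setup QR code.
    cfg = parse_otpauth("otpauth://totp/Example:alice@example.com?secret=JBSWY3DPEHPK3PXP&issuer=Example")
    now = int(time.time())
    print(cfg["issuer"], cfg["label"], totp(cfg["secret"], now, cfg["period"], cfg["digits"]))
```

The window is what lets a phone whose clock is half a minute off still log in; the `last_counter` rule is what stops a relayed code being reused after the legitimate login. Both are server-side decisions, so a site that accepts any code within several minutes and never records which step it used is weaker than the algorithm itself.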
Security keys (FIDO2 / WebAuthn / passkeys)
A USB or NFC key (YubiKey, Titan), or a passkey stored in iCloud Keychain, Google Password Manager or a password manager, that signs the login challenge with a private key that never leaves the authenticator. Crucially, the credential is bound to the site's domain: the browser, not the page, tells the authenticator which origin is actually on screen, and a phishing page at a look-alike domain will simply not get a signature. This is the only common 2FA method that defeats well-built phishing, including the real-time relay pages that beat SMS and TOTP.
Good for: primary email, password manager, anything you can't afford to lose. Buy two keys; register both; keep one in a drawer.
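The domain binding is easier to trust once you see which checks enforce it. The example below is added here and is not the article's or any vendor's code: a small model of a security key that keeps one credential per relying-party ID, a browser that derives that ID and the origin from the page it is actually showing, and the relying-party checks from the WebAuthn spec (type, challenge, origin, rpIdHash, user-presence flag, signature over authenticatorData plus the hash of clientDataJSON). The domain names are constructed, and the signature is an HMAC under the credential's secret standing in for the per-credential ECDSA/EdDSA keypair a real key uses, so that the block runs on the standard library; the binding logic is the same whichever primitive signs. It also simplifies rpId to the page hostname, whereas a real page may name a registrable parent domain.

```python
import base64
import hashlib
import hmac
import json
import os
import struct
from urllib.parse import urlparse


def b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


class Authenticator:
    """Model of a security key. Credentials are scoped by relying-party ID (the site's domain).
    Stand-in: HMAC over exactly the bytes a real key would sign with its private key."""

    def __init__(self):
        self._creds = {}  # rp_id -> (credential_id, key)
        self._counter = 0  # signature counter, included in authenticatorData

    def register(self, rp_id: str):
        cred_id, key = os.urandom(16), os.urandom(32)
        self._creds[rp_id] = (cred_id, key)
        return cred_id, key  # 'key' plays the role of the public key the server stores

    def get_assertion(self, rp_id: str, client_data_hash: bytes):
        if rp_id not in self._creds:
            return None  # nothing registered for this domain: the key stays silent
        cred_id, key = self._creds[rp_id]
        self._counter += 1
        auth_data = (hashlib.sha256(rp_id.encode()).digest()  # rpIdHash
                     + bytes([0x01])                           # flags: user present
                     + struct.pack(">I", self._counter))
        signature = hmac.new(key, auth_data + client_data_hash, hashlib.sha256).digest()
        return cred_id, auth_data, signature


def browser_get(auth: Authenticator, page_origin: str, challenge: bytes):
    """What navigator.credentials.get() does: the browser fixes rpId from the origin it is
    really displaying and records that origin in clientDataJSON. The page cannot override it."""
    rp_id = urlparse(page_origin).hostname
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": page_origin},
        separators=(",", ":"),
    ).encode()
    result = auth.get_assertion(rp_id, hashlib.sha256(client_data).digest())
    if result is None:
        return None
    cred_id, auth_data, signature = result
    return {"cred_id": cred_id, "client_data": client_data,
            "auth_data": auth_data, "signature": signature}


def verify_assertion(assertion: dict, expected_origin: str, rp_id: str,
                     challenge: bytes, key: bytes) -> bool:
    """Relying-party side. Every check is one the WebAuthn spec requires."""
    try:
        cd = json.loads(assertion["client_data"])
    except (KeyError, ValueError):
        return False
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != b64url(challenge):
        return False
    if cd.get("origin") != expected_origin:
        return False  # signed clientDataJSON names a different origin
    auth_data = assertion["auth_data"]
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False  # rpIdHash is for some other domain
    if not auth_data[32] & 0x01:
        return False  # user presence not asserted
    expected = hmac.new(key, auth_data + hashlib.sha256(assertion["client_data"]).digest(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


def login_attempt(page_origin: str, rp_id: str = "bank.example",
                  true_origin: str = "https://bank.example"):
    """Register at the real site, then log in from page_origin. Returns (key_signed, verified)."""
    device = Authenticator()
    _, server_key = device.register(rp_id)
    challenge = os.urandom(32)  # fresh per login attempt
    assertion = browser_get(device, page_origin, challenge)
    if assertion is None:
        return False, False
    return True, verify_assertion(assertion, true_origin, rp_id, challenge, server_key)


def replay_attempt() -> bool:
    """A captured assertion presented against the server's next challenge."""
    device = Authenticator()
    _, server_key = device.register("bank.example")
    captured = browser_get(device, "https://bank.example", os.urandom(32))
    return verify_assertion(captured, "https://bank.example", "bank.example", os.urandom(32), server_key)


if __name__ == "__main__":
    print("real site:", login_attempt("https://bank.example"))
    print("look-alike:", login_attempt("https://bank-example.com"))
    print("replay:", replay_attempt())
```

The look-alike case fails before the server sees anything: the key has no credential for the domain the browser reports, so there is no signature to relay. Even if there were, the origin and rpIdHash checks on the server would reject it, and the per-login challenge means a captured assertion cannot be replayed.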
Where temporary numbers fit
Temporary SMS numbers are great for the initial signup step, but they're not suitable for ongoing SMS 2FA — by the time you'd need to receive a code, the number has been returned to the pool. Best practice: sign up with a temporary number, immediately set up TOTP in the account's security settings, and store the recovery codes somewhere safe. Then the temporary number can vanish.
Recovery codes deserve a mention
Almost every 2FA setup screen offers you a list of single-use recovery codes. Print them or store them in your password manager. They're how you get back in if you lose every device. Don't skip past this step — recovering an account without them often requires identity documents that take weeks.
Quick recommendations
- Email and password manager: security key first, TOTP as backup.
- Bank, broker, exchange: the strongest option they offer.
- Social, dev tools, work SaaS: TOTP.
- Random forum that demands a phone number: temporary SMS, then TOTP after signup.