What is two-factor authentication (2FA)?

Answer

Two-factor authentication (2FA) is a subset of multi-factor authentication (MFA) that requires exactly two factors to authenticate. It combines something you know (a password) with one other factor: typically something you have (a phone or authenticator app, a hardware key) or something you are (a biometric).

Common second factors, ordered from least to most secure:

1. SMS OTP: vulnerable to SIM swapping and SS7 interception; use only if nothing else is available.
2. Email OTP: only as strong as the security of the email account that receives it.
3. TOTP apps (Google Authenticator, Authy): time-based codes generated locally from a shared secret, so nothing is transmitted over SMS.
4. Push notifications (Duo, Microsoft Authenticator): convenient, but vulnerable to MFA fatigue (prompt bombing) attacks, where a user is spammed with approval requests until one is accepted.
5. Hardware security keys (YubiKey, FIDO2/WebAuthn): the most phishing-resistant option, because the key's signature is bound to the origin the browser is actually talking to, so a credential registered for the real site cannot be used to sign in from a look-alike domain.

Organizations should phase out SMS 2FA for privileged accounts and move to FIDO2 keys or TOTP apps.