What Is Two-Factor Authentication (2FA)?

Two-factor authentication (2FA) adds a second layer of security to your accounts. Even if someone steals your password, they still can't log in without your second factor. Here's how it works — and which type you should use.

How 2FA works

When you log in with 2FA enabled, the process has two steps:

  1. First factor: Your password — something you know.
  2. Second factor: A code from your phone, a hardware key, or a biometric scan — something you have or are.

An attacker who steals your password in a data breach still can't access your account without the second factor. Google's 2019 account-security study found that even SMS-based challenges blocked 100% of automated bot attacks and 96% of bulk phishing attacks; on-device prompts blocked 99% of bulk phishing, and hardware security keys blocked every attack in the study, including targeted ones.

Types of 2FA — ranked by security

  1. Hardware key (FIDO2): Strongest. A physical USB/NFC key (YubiKey, Google Titan). Phishing-resistant: the browser binds each login response to the real site's domain, so a look-alike site cannot obtain a response the real site will accept. Best for high-value accounts.
  2. Authenticator app (TOTP): Very strong. A 6-digit code that changes every 30 seconds, generated offline on your device (Google Authenticator, Authy, Microsoft Authenticator). Not exposed to SIM-swapping, but a fake login page that relays the code to the real site within its 30-second window can still use it.
  3. Email code: Moderate. A code sent to your email, so only as secure as your email account, and no protection at all if the attacker already controls that account. Better than nothing but weaker than TOTP.
  4. SMS text code: Weakest. Vulnerable to SIM-swapping, where an attacker has your phone number moved to a SIM they control and receives your codes. Still much better than no 2FA, but upgrade to TOTP or a hardware key when the option exists.
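Why a FIDO2 key resists phishing, as an added Python example that is not part of this page or of any vendor's code: it builds the two unsigned inputs a browser returns from a WebAuthn login (clientDataJSON and authenticatorData) and runs the relying-party checks that come before signature verification. The RP ID example.com, the allowed origins, the challenge bytes and the look-alike domain examp1e.com are constructed for illustration; the signature check itself is left to a WebAuthn library.

```python
import base64
import hashlib
import json
import struct

# Relying-party configuration (constructed for this example).
RP_ID = "example.com"
ALLOWED_ORIGINS = {"https://example.com", "https://login.example.com"}
FLAG_USER_PRESENT = 0x01


def b64url_encode(raw: bytes) -> str:
    """WebAuthn encodes the challenge as unpadded base64url."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_assertion(origin: str, rp_id: str, challenge: bytes):
    """Build what the browser hands back from navigator.credentials.get().
    The browser, not the web page, writes `origin` into clientDataJSON and the
    authenticator hashes the RP ID into authenticatorData; a phishing page
    cannot change either. (Constructed here; a real authenticator also signs.)"""
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": origin,
        "crossOrigin": False,
    }).encode()
    # authenticatorData = rpIdHash (32) || flags (1) || signCount (4, big-endian)
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + bytes([FLAG_USER_PRESENT])
                 + struct.pack(">I", 1))
    return client_data, auth_data


def verify_assertion(client_data: bytes, auth_data: bytes, expected_challenge: bytes):
    """Relying-party checks (WebAuthn Level 2, section 7.2) that precede the
    signature check. Returns (ok, reason)."""
    try:
        cd = json.loads(client_data)
    except ValueError:
        return False, "clientDataJSON is not JSON"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url_encode(expected_challenge):
        return False, "challenge mismatch (stale or replayed response)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {cd.get('origin')!r} not allowed"
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match our RP ID"
    if not auth_data[32] & FLAG_USER_PRESENT:
        return False, "user presence flag not set"
    # The authenticator's signature (verified by a WebAuthn library, not here)
    # covers auth_data || SHA-256(client_data), so none of the fields checked
    # above can be altered after signing. That is what makes the origin binding stick.
    return True, "ok"


if __name__ == "__main__":
    challenge = bytes(range(32))  # constructed; servers use random bytes per login
    genuine = make_assertion("https://example.com", "example.com", challenge)
    phish = make_assertion("https://examp1e.com", "examp1e.com", challenge)
    print("genuine site:", verify_assertion(*genuine, challenge))
    print("look-alike site:", verify_assertion(*phish, challenge))
```

The look-alike site fails on the origin check (and would also fail on rpIdHash, since the browser refuses to let examp1e.com ask for an RP ID of example.com). A TOTP code has no such binding: the same six digits are valid wherever they are typed.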

What is TOTP?

TOTP stands for Time-Based One-Time Password (RFC 6238). It's the 6-digit code generated by authenticator apps. The code is calculated from two inputs:

  1. A shared secret, created when you scan the setup QR code and stored both on your device and on the server.
  2. The current time, rounded down to a 30-second step.

The device computes an HMAC of the time step under the secret (RFC 4226's HOTP construction) and truncates the result to 6 digits, so no network round trip is needed and the code works without internet. Because the algorithm is open and standardized, any TOTP app produces the same code for the same secret, provided its clock is accurate; servers usually accept the adjacent 30-second step as well to tolerate small clock drift.

Generate and test TOTP codes

Use our free TOTP generator to create 2FA codes directly in your browser — no app required.

Open TOTP Generator →

Which accounts should have 2FA enabled first?

  1. Email — your email can be used to reset every other account. Protect it first.
  2. Password manager — protects all your other passwords.
  3. Banking and financial accounts
  4. Social media — account takeover can damage your reputation and contacts.
  5. Work accounts — email, Slack, GitHub, cloud services.

2FA vs MFA — what's the difference?

2FA (two-factor) uses exactly two verification factors. MFA (multi-factor) uses two or more. Either way the factors must come from different categories (know, have, are): a password plus a security question is still one factor. In practice, most consumer accounts implement 2FA, a password plus one additional factor. Enterprise systems sometimes require three factors for sensitive operations. The terms are often used interchangeably.

Frequently Asked Questions

What is two-factor authentication?

Two-factor authentication (2FA) requires two separate forms of verification: something you know (a password) plus something you have (a phone or hardware key) or something you are (a biometric). Even if your password is stolen, an attacker cannot log in without the second factor.

Is SMS 2FA safe to use?

SMS 2FA is better than no 2FA, but it is the weakest form. SIM-swapping attacks allow attackers to receive your SMS codes. For accounts that support it, use an authenticator app (TOTP) or a hardware key instead.

What is TOTP?

TOTP (Time-Based One-Time Password) generates a 6-digit code that changes every 30 seconds. It's calculated from a shared secret key and the current time. Apps like Google Authenticator and Authy implement TOTP.

Can 2FA be bypassed?

Every 2FA type can be bypassed in some circumstances. SMS codes are vulnerable to SIM-swapping. TOTP codes can be phished: a fake login page that forwards your password and code to the real site within the 30-second window gets in. Hardware keys (FIDO2) resist this because the browser ties the key's response to the genuine site's domain, so a look-alike site gets nothing it can reuse. For most users, TOTP is sufficient; use a hardware key for the accounts you can least afford to lose.

Recommended

Looking for a full password manager?

2FA is your second line of defense — but your first line (your passwords) needs to be strong too. A password manager handles that automatically.

Top Pick
1Password
Secret Key + zero breach history. $2.99/mo.
Try 1Password Free →
Best Free
Bitwarden
Unlimited free tier, open source, audited.
Get Bitwarden Free →

Affiliate disclosure: links above may earn a commission at no cost to you.