What is two-factor authentication?

Two-factor authentication (2FA), also called multi-factor authentication (MFA), adds a second security layer to your password: something you have, like a phone or a security key. Even if the password leaks, an attacker can't get in without the second factor. It is the cheapest single defence you can turn on.

The definition

Authentication factors come in three kinds: something you know (a password), something you have (a phone, a security key) and something you are (a fingerprint, your face). Two-factor authentication requires two different factors at sign-in, usually a password plus a confirmation on your phone. That's why a stolen password alone no longer opens the door.

Why a password alone isn't enough

Passwords leak. Data breaches at websites and services are routine events, and leaked passwords end up in collections that attackers replay automatically against other services. That technique is called credential stuffing and is one of the most common login attacks. Phishing also harvests passwords on fake login pages every day. Two-factor authentication turns a leaked password into half a key that opens nothing by itself.

The methods, strongest to weakest

Not all implementations are equally secure. In order:

  • Passkeys and hardware security keys: cryptographic keys bound to the device and the real website. Immune to phishing, because the key won't work on a fake page.
  • Authenticator apps: a rotating code on your phone, e.g. Microsoft or Google Authenticator. Strong and simple for most people.
  • Push confirmation with number matching: you type a number from the sign-in screen into your phone, which protects against approving by accident.
  • SMS codes: far better than nothing, but the weakest option. Phone numbers can be hijacked by SIM swapping and codes can be phished on fake pages.
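The "rotating code" behind authenticator apps is the TOTP algorithm (RFC 6238): a shared secret and the current 30-second window are fed into HMAC-SHA1, so a code a phisher captures stops working within a minute. The example below is added here and is not part of the original guide; the secret is the key from the RFC 6238 test vectors, not a real account secret.

```python
import hmac
import hashlib
import struct
import time

# Constructed demo secret: the ASCII key from the RFC 6238 test vectors.
# A real service generates a random per-account secret at enrolment.
DEMO_SECRET = b"12345678901234567890"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP code for `unix_time` using HMAC-SHA1, as most apps do."""
    counter = unix_time // step                      # which 30-second window we are in
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(secret: bytes, submitted: str, now: int, step: int = 30, skew: int = 1) -> bool:
    """Server-side check: accept the current window plus `skew` windows on each
    side to tolerate clock drift, comparing in constant time."""
    for delta in range(-skew, skew + 1):
        if hmac.compare_digest(totp(secret, now + delta * step, step), submitted):
            return True
    return False


def replay_window_seconds(secret: bytes, captured_at: int, step: int = 30, skew: int = 1) -> int:
    """How long a code captured at `captured_at` keeps verifying: it dies once the
    server's drift window has moved past the window the code was minted in."""
    code = totp(secret, captured_at, step)
    t = captured_at
    while verify(secret, code, t, step, skew):
        t += 1
    return t - captured_at


if __name__ == "__main__":
    now = int(time.time())
    print("code right now:", totp(DEMO_SECRET, now))
    print("a captured code stays usable for at most",
          replay_window_seconds(DEMO_SECRET, now), "seconds")
```

The replay window is what separates a phished TOTP code from a phished password: the attacker must use it almost immediately, whereas a leaked password works until it is changed.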

MFA fatigue: attacking the confirmation itself

Attackers don't always try to break two-factor authentication; sometimes they wear it down. Someone who has your password sends approval prompts again and again, even in the middle of the night, hoping you'll approve one by accident or just to make the prompts stop. This is called MFA fatigue. The rule is simple: never approve a prompt you didn't trigger yourself. An unexpected prompt means someone else has your password; deny it, change the password and tell IT.

Where to start

The most important account is your email, because it is the reset key to almost everything else: whoever controls the inbox can reset passwords elsewhere. After that, your bank and your work accounts. On most services, enabling two-factor authentication takes a few minutes in the security settings, and an authenticator app is a better choice than SMS where offered.

Frequently asked questions

What is two-factor authentication?
Two-factor authentication (2FA/MFA) requires two different factors at sign-in, usually a password plus a confirmation on a phone or security key. A stolen password alone is then not enough to break in.

Is SMS verification good enough?
SMS is far better than no second factor, but the weakest form: phone numbers can be hijacked via SIM swapping and codes can be phished. Authenticator apps or passkeys are stronger where available.

What are passkeys?
Passkeys are cryptographic keys stored on your device that replace or strengthen passwords. They are bound to the real website and won't work on a fake login page, which makes them immune to phishing.

What is MFA fatigue?
An attack where someone with your password sends approval prompts repeatedly, hoping you'll approve one by accident. The defence: never approve a prompt you didn't trigger, deny it, change your password and tell IT.

Teach the whole team this in five minutes a month

Varhugi has dedicated modules on two-factor authentication and MFA fatigue, in Icelandic, with a quiz that confirms the material stuck.