Definition
Two-Factor Authentication (2FA) is a security method that requires two different types of verification to access an account: something you know (password) and something you have (phone, hardware key) or something you are (fingerprint). 2FA dramatically reduces the risk of unauthorized access.
Standard login requires only a password — something you know. If that password is stolen (through phishing, data breaches, or guessing), your account is compromised. 2FA adds a second factor: after entering your password, you must also provide a code from your phone (TOTP app like Google Authenticator), tap a push notification, insert a hardware key (YubiKey), or scan a fingerprint. An attacker who steals your password still cannot log in without the second factor.
TOTP (Time-based One-Time Password) apps like Google Authenticator and Authy generate a new 6-digit code every 30 seconds. SMS-based 2FA sends a code via text message — this is better than no 2FA but vulnerable to SIM swapping attacks. Hardware security keys (FIDO2/WebAuthn) like YubiKey provide the strongest protection and are phishing-resistant because they verify the website's identity before responding. Biometrics (fingerprint, face recognition) serve as a convenient second factor on personal devices.
Adding 2FA to a web application typically involves generating a shared secret during setup (displayed as a QR code for the user to scan with their authenticator app), then verifying TOTP codes during login. Libraries exist for every major language (speakeasy for Node.js, pyotp for Python). For highest security, support WebAuthn/FIDO2 hardware keys alongside TOTP. Recovery codes (one-time backup codes) should be generated during setup so users are not permanently locked out if they lose their 2FA device.
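The setup-then-verify flow described above, as an added example written for this page rather than code from pyotp or speakeasy: it implements RFC 6238 TOTP with the Python standard library (HMAC-SHA1, 6 digits, 30-second step), builds the otpauth:// URI that the setup QR code encodes, and verifies a submitted code with a one-step clock-drift window while rejecting replay of an already-used code. Issuer and account names are hypothetical.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional, Tuple
from urllib.parse import quote


def generate_secret(nbytes: int = 20) -> str:
    """Random shared secret created at setup, base32 so authenticator apps can import it."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def provisioning_uri(secret: str, account: str, issuer: str) -> str:
    """The otpauth:// URI encoded into the setup QR code (issuer/account are hypothetical)."""
    label = quote(f"{issuer}:{account}", safe=":@")
    return f"otpauth://totp/{label}?secret={secret}&issuer={quote(issuer)}&digits=6&period=30"


def totp_code(secret: str, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    key = base64.b32decode(secret.upper())
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: str, submitted: str, timestamp: Optional[int] = None,
                last_used_counter: int = -1, window: int = 1, step: int = 30) -> Tuple[bool, int]:
    """Server-side check at login. Accepts the current step plus `window` steps either
    side for clock drift, but never a counter at or below the last one accepted, so a
    code captured in transit cannot be replayed. Returns (ok, counter_to_store)."""
    now = int(time.time()) if timestamp is None else timestamp
    for drift in range(-window, window + 1):
        t = now + drift * step
        if t < 0:
            continue
        counter = t // step
        if counter <= last_used_counter:
            continue  # already consumed (or older than the last success): reject replay
        if hmac.compare_digest(totp_code(secret, t, step).encode(), submitted.encode()):
            return True, counter
    return False, last_used_counter
```

Persist the returned counter with the user record and pass it back as `last_used_counter` on the next login; the drift window should stay small, since every extra step widens the guessing surface.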