RUNWEBTOOLS
English
Security & Privacy

Two-Factor Authentication (2FA) Explained

Updated 2026-07-06

Two-factor authentication is the single most effective thing you can do to protect your accounts — and it takes a couple of minutes to set up. This guide explains what it is, why a password alone isn't enough, and how to choose between the different methods.

What 2FA is

Two-factor authentication (2FA), sometimes called two-step verification, means proving your identity with two different kinds of evidence instead of one. The classic three categories are:

  • Something you know — a password or PIN.
  • Something you have — your phone or a hardware key.
  • Something you are — a fingerprint or face scan.

A password is one factor. 2FA adds a second, so a stolen password isn't enough on its own to get in.

Why a password isn't enough

Passwords leak — through data breaches, reuse across sites, and phishing. As covered in our guide to strong passwords, when one site is breached, attackers try those same credentials everywhere else. 2FA breaks that chain: even with your exact password, an attacker still can't log in without your second factor.

The methods, worst to best

SMS codes

A code texted to your phone. Far better than nothing, but the weakest option — codes can be intercepted, and “SIM-swap” attacks let criminals hijack your phone number. Use it only if it's the sole choice.

Authenticator apps

An app on your phone generates a fresh 6-digit code every 30 seconds (this is called TOTP). The codes are created on your device and never sent over the network, so they can't be intercepted like SMS. Setup usually means scanning a QR code that carries the shared secret. This is the sweet spot for most people — free, easy, and much stronger than SMS.

Hardware security keys

A small physical device (like a YubiKey) you tap or plug in. Based on modern standards (FIDO2/WebAuthn), these are the gold standard — essentially immune to phishing, because the key verifies the real website before it responds. Ideal for your most important accounts.

Don't skip the backup codes

When you enable 2FA, the service gives you a set of one-time backup codes. Save them somewhere safe (a password manager, or printed and stored). They're your way back in if you lose your phone — without them, losing your second factor can mean losing the account.

Where to turn it on first

Start with the accounts that can unlock the others: your email first (it can reset most of your other passwords), then banking, and any account tied to your identity or money. Combined with a unique strong password per site, 2FA puts you ahead of the overwhelming majority of accounts online. For protecting your data in other ways, see our guide to photo metadata and privacy.

More in Security & Privacy

See all Security & Privacy guides →

Tools mentioned in this guide