How Two-Factor Authentication Works
Two-factor authentication adds a second lock to your digital accounts. But what actually happens when you enter that six-digit code?
In August 2012, Wired writer Mat Honan had his digital life wiped out in about an hour. Attackers talked Amazon and Apple support into handing over enough account details to take over his Apple ID, used that to reset his Gmail password, hijacked his Twitter account, and remotely wiped his iPhone, iPad and MacBook, years of photos included. No exploit was involved; the whole chain ran through password resets, and it started with an email account that had no second layer of protection. Two-factor authentication on that account would have broken the chain.
The short answer
Two-factor authentication (2FA) requires two different types of evidence to prove you are who you claim to be. Something you know (like a password) gets combined with something you have (like your phone) or something you are (like your fingerprint). When you enter your password and then a six-digit code, you’re performing a 2FA login that makes your account significantly harder to compromise.
The full picture
What “two factors” actually means
The security industry defines authentication in three categories: something you know (password, PIN, security question), something you have (phone, hardware token, smart card), and something you are (fingerprint, face, iris). NIST's authentication glossary formalizes these as the three authentication factors. True 2FA requires factors from at least two different categories. Entering your password and then answering a security question doesn't count, because both are things you know.
This distinction matters. If a phishing campaign harvests your password, the attacker still needs your second factor, and for most opportunistic account takeovers that is where the attack stops.
How SMS verification works
When you enable SMS-based 2FA, the service stores your phone number and links it to your account. During login, after you enter your password, the server sends an SMS containing a one-time code to the registered number. You enter this code, and the server checks that it matches the code it sent and that it has not expired.
The weakness is SIM swapping. An attacker calls your mobile carrier, impersonates you, and has your number moved to a SIM they control; every SMS code then goes to them. In August 2019, Twitter CEO Jack Dorsey's account was hijacked this way: with control of his phone number, the attackers posted tweets to his profile through Twitter's SMS posting feature, and Twitter attributed the compromise to a security oversight at his mobile provider.
Authenticator apps and TOTP
Time-based One-Time Passwords (TOTP) work differently. When you set up an authenticator app such as Google Authenticator or Authy, the service generates a random secret and shows it as a QR code; the code encodes an otpauth:// URI carrying the secret in base32. You scan it once, and from then on your phone and the server share that secret.
Every 30 seconds, both your phone and the server run the same algorithm over the current time and the shared secret, a process standardized in IETF RFC 6238 (built on the HMAC-based one-time password of RFC 4226), which specifies a 30-second time step as the default. Both arrive at the same six-digit code. You type it, and the server accepts it if it matches the code for the current time step; most servers also accept the step immediately before and after to absorb clock drift. The secret itself is never sent anywhere after enrollment, so there is nothing for a carrier-level attacker to intercept. The code you type is sent to the server, though, which is why a phishing page that relays your login in real time can still capture and use it.
This is why authenticator apps are more secure than SMS. The secret never leaves your device, nothing depends on your phone number, and each code is valid for only one time step (30 seconds, plus whatever drift tolerance the server allows), which sharply limits the window an attacker has to use a stolen code.
Hardware security keys
For maximum security, hardware keys like YubiKey or Titan keep a private key inside a dedicated device that never exports it. When you log in, you plug the key into your computer or tap it against your phone, and it signs a challenge from the server; the server checks the signature against the public key it stored at enrollment. Under the FIDO2/WebAuthn protocols these keys use, the signed data also includes the web origin the browser is on, so a lookalike phishing site obtains only a signature that the real site rejects. That origin binding, not the physical form factor, is what makes hardware keys phishing-resistant.
As reported by Krebs on Security in 2018, Google said that none of its 85,000-plus employees had been successfully phished on a work account since early 2017, when the company began requiring all staff to use physical security keys.
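To make the origin check concrete, here is an added Go example, not code from this page or from any security-key vendor, that reduces a FIDO/WebAuthn assertion to its essentials. It is a simplification: the authenticator signs only SHA-256 of the client data with Ed25519 rather than the full authenticator data, and the server origin, account and attacker domain are constructed for the demo. It runs a genuine login, a replay of the same assertion, a real-time phishing relay, and a relay in which the attacker edits the origin field before forwarding it.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// ClientData holds the two clientDataJSON fields that matter here. The browser fills in
// Origin from the page that asked for the login; neither the user nor a phishing site chooses it.
type ClientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Authenticator stands in for a security key: one private key that never leaves it.
type Authenticator struct{ priv ed25519.PrivateKey }

// Assert signs SHA-256(clientDataJSON). A real key also signs authenticator data
// (RP ID hash, counter, flags); that is left out to keep the origin check visible.
func (a *Authenticator) Assert(cd ClientData) ([]byte, []byte) {
	cdJSON, err := json.Marshal(cd)
	if err != nil {
		panic(err)
	}
	digest := sha256.Sum256(cdJSON)
	return cdJSON, ed25519.Sign(a.priv, digest[:])
}

// RelyingParty is the server: the enrolled public key, its origin, and unconsumed challenges.
type RelyingParty struct {
	origin     string
	pub        ed25519.PublicKey
	challenges map[string]bool
}

// NewChallenge issues a fresh random challenge for one login attempt.
func (rp *RelyingParty) NewChallenge() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	c := base64.RawURLEncoding.EncodeToString(b)
	rp.challenges[c] = true
	return c
}

// Verify checks, in order: challenge issued by us and unused, origin is ours, signature by the enrolled key.
func (rp *RelyingParty) Verify(cdJSON, sig []byte) error {
	var cd ClientData
	if err := json.Unmarshal(cdJSON, &cd); err != nil {
		return err
	}
	if !rp.challenges[cd.Challenge] {
		return errors.New("unknown or already-used challenge")
	}
	if cd.Origin != rp.origin {
		return fmt.Errorf("origin mismatch: signed for %s, expected %s", cd.Origin, rp.origin)
	}
	digest := sha256.Sum256(cdJSON)
	if !ed25519.Verify(rp.pub, digest[:], sig) {
		return errors.New("bad signature")
	}
	delete(rp.challenges, cd.Challenge) // single use: a captured assertion cannot be replayed
	return nil
}

// Scenarios runs a genuine login, a replay, a real-time phishing relay, and the relay
// with the origin field edited before forwarding, and returns each outcome.
func Scenarios() (genuine, replay, phished, tampered error) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	if err != nil {
		panic(err)
	}
	key := &Authenticator{priv: priv}
	rp := &RelyingParty{origin: "https://accounts.example.com", pub: pub, challenges: map[string]bool{}}
	c := rp.NewChallenge() // genuine login: the browser is on the real site
	cdJSON, sig := key.Assert(ClientData{Challenge: c, Origin: rp.origin})
	genuine = rp.Verify(cdJSON, sig)
	replay = rp.Verify(cdJSON, sig)
	// Phishing relay: the attacker fetches a real challenge and presents it on a lookalike
	// site (constructed origin). The victim taps the key, which signs over that origin.
	c2 := rp.NewChallenge()
	cdJSON2, sig2 := key.Assert(ClientData{Challenge: c2, Origin: "https://accounts-example.evil"})
	phished = rp.Verify(cdJSON2, sig2)
	// Editing the origin before relaying does not help either: the signature covers it.
	fixed := bytes.ReplaceAll(cdJSON2, []byte("accounts-example.evil"), []byte("accounts.example.com"))
	tampered = rp.Verify(fixed, sig2)
	return
}

func main() {
	g, r, p, t := Scenarios()
	fmt.Println("genuine:", g, "\nreplay:", r, "\nphished:", p, "\ntampered:", t)
}
```

Run it and the first line prints <nil>; the other three are errors. The point to notice is that the phished assertion carries a genuine challenge and a signature from the genuine key, yet it is rejected solely on the origin that the browser, not the user, wrote into the signed data. A one-time code has no equivalent of that field, which is why it can be relayed and a key-based assertion cannot.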
The authentication process step by step
When you log into an account with 2FA enabled, here is what happens in sequence. First, you enter your password, and the server checks it against the stored hash. Second, if it matches, the server prompts for your second factor but does not yet sign you in. Third, you provide it: the SMS or authenticator code, or a tap on your hardware key. Fourth, the server validates the second factor and grants access only if both checks have passed. Fifth, the server issues a session cookie that keeps you logged in.
This sequence matters because a correct password gets an attacker only as far as step two, never to a session, and the second factor is checked on the server, not in the page, so it cannot be skipped by the client. The second-factor step needs its own protection, too: a six-digit code has only a million possible values, so a well-built server limits attempts and, as RFC 6238 requires, refuses a code that has already been used once.
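The sequence above, with the RFC 6238 TOTP described in the authenticator-app section as the second factor, as an added Go example that is not code from this page or from any service named in it. It implements HOTP/TOTP from the RFCs (checkable against their published test vectors), then a two-step login in which a correct password yields only a pending token, and a session token is issued only after a code matching the current 30-second step or one step either side is presented. It includes the two checks that are easy to forget: a code is never accepted twice, and five wrong codes lock the account. The server, account names and passwords are constructed for the demo, and the password hash is a SHA-256 stand-in; production code should use argon2id or scrypt.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// hotp is RFC 4226 with HMAC-SHA1 and six digits: HMAC over the 8-byte big-endian
// counter, dynamic truncation on the low nibble of the last byte, then mod 10^6.
func hotp(secret []byte, counter uint64) string {
	mac := hmac.New(sha1.New, secret)
	binary.Write(mac, binary.BigEndian, counter)
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	return fmt.Sprintf("%06d", (binary.BigEndian.Uint32(h[off:off+4])&0x7fffffff)%1000000)
}

// totp is RFC 6238: the HOTP counter is Unix time divided by the 30-second step.
func totp(secret []byte, at time.Time) string { return hotp(secret, uint64(at.Unix()/30)) }
const otpWindow, maxOTPFailures = 1, 5 // steps accepted either side for clock drift; lockout threshold
type Account struct {
	passwordHash, totpSecret []byte // hash is a SHA-256 stand-in; use argon2id or scrypt in production
	lastCounter              uint64 // highest time step already accepted: every code is single-use
	otpFailures              int
}

// Server keeps logins that passed step one in pending; a session token exists only after step two.
type Server struct {
	accounts map[string]*Account
	pending  map[string]string // pending-MFA token -> user
}

func randomToken() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

func (s *Server) Enroll(user, password string, totpSecret []byte) {
	h := sha256.Sum256([]byte(password))
	s.accounts[user] = &Account{passwordHash: h[:], totpSecret: totpSecret}
}

// LoginPassword is step one. Success yields an opaque pending token, never a session.
func (s *Server) LoginPassword(user, password string) (string, error) {
	a, ok := s.accounts[user]
	h := sha256.Sum256([]byte(password))
	if !ok || subtle.ConstantTimeCompare(h[:], a.passwordHash) != 1 {
		return "", errors.New("invalid username or password")
	}
	tok := randomToken()
	s.pending[tok] = user
	return tok, nil
}

// LoginSecondFactor is step two: the code must match a step within the window and be newer than
// the last accepted step; repeated failures lock the account. Only then is a session token issued.
func (s *Server) LoginSecondFactor(pendingToken, code string, at time.Time) (string, error) {
	user, ok := s.pending[pendingToken]
	if !ok {
		return "", errors.New("no completed password step for this token")
	}
	a := s.accounts[user]
	if a.otpFailures >= maxOTPFailures {
		return "", errors.New("account locked after too many second-factor failures")
	}
	now := uint64(at.Unix() / 30)
	for c := now - otpWindow; c <= now+otpWindow; c++ {
		if subtle.ConstantTimeCompare([]byte(hotp(a.totpSecret, c)), []byte(code)) != 1 {
			continue
		}
		if c <= a.lastCounter {
			return "", errors.New("code already used")
		}
		a.lastCounter, a.otpFailures = c, 0
		delete(s.pending, pendingToken)
		return randomToken(), nil // the session cookie value, issued only now
	}
	a.otpFailures++
	return "", errors.New("invalid code")
}

func main() {
	secret, at := []byte("12345678901234567890"), time.Unix(1234567890, 0) // RFC 6238 test secret; constructed demo account
	srv := &Server{accounts: map[string]*Account{}, pending: map[string]string{}}
	srv.Enroll("alice", "correct horse battery staple", secret)
	tok, _ := srv.LoginPassword("alice", "correct horse battery staple")
	_, bad := srv.LoginSecondFactor(tok, "000000", at)
	sess, err := srv.LoginSecondFactor(tok, totp(secret, at), at) // the app would show 005924 at this instant
	fmt.Println("wrong code:", bad, "| session issued:", sess != "", err)
}
```

The secret and timestamp are RFC 6238's own test vector, so the numbers can be checked against the standard: with the ASCII secret 12345678901234567890 at Unix time 1234567890 the app shows 005924. Note that accepting three steps triples an attacker's odds per guess, which is why the attempt limit matters as much as the secret does.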
Why it matters
The numbers tell a clear story. Google's own research found that adding a second factor blocks essentially all automated bot attacks and the large majority of bulk phishing attempts. The Verizon Data Breach Investigations Report consistently finds stolen credentials at the center of breaches; in the 2025 edition, 88% of breaches in the basic web application attack pattern involved stolen credentials. Many of those breaches would have been stopped by 2FA.
Consider the real-world impact. For 2022 alone, the FBI's Internet Crime Complaint Center reported over $2.7 billion in losses from business email compromise, a fraud that usually begins with a compromised mailbox. Individual victims report losing anywhere from a few thousand to hundreds of thousands of dollars when attackers gain access to banking or investment accounts.
The time to enable 2FA is now, not after you’ve been compromised. Most major services support it: Google, Apple, Microsoft, Amazon, Facebook, and nearly every bank. Setting it up takes minutes. The inconvenience of entering an extra code is insignificant compared to the devastation of losing access to your email, bank accounts, or years of personal data.
Common misconceptions
“I don’t have anything worth hacking.”
Everyone has something worth stealing. Even if you think your accounts contain nothing valuable, attackers can use your email to reset passwords on other services. Your identity itself has value on the dark web. Compromised credentials sell for $5-$20 per account depending on what service they’re from.
“2FA is unhackable, so I’m completely safe.”
Nothing is unhackable, and two distinct attacks defeat common 2FA setups. The first is real-time phishing: a lookalike site proxies your login to the real service, forwards the password and one-time code you type, and keeps the resulting session for itself. Any code you can type, whether from SMS or an authenticator app, can be relayed this way. The second, called “MFA fatigue” or “push bombing,” targets push-approval apps: the attacker already has your password and triggers login prompt after login prompt until you approve one just to make them stop. Neither attack cracks the cryptography; both exploit the human step. Hardware keys resist the first because their signature is bound to the real site's origin, and prompts that make you type a number shown on the login screen blunt the second.
“SMS 2FA is good enough.”
SMS was designed as a messaging feature for 1980s mobile networks, not as an authentication channel, and it has been retrofitted to 2020s threats. SIM swapping is well documented and within reach of a determined attacker, and NIST's SP 800-63B classes one-time codes sent over the phone network as a restricted authenticator for that reason. Security experts consistently recommend authenticator apps or hardware keys over SMS. If your only option is SMS, it's still far better than no 2FA, but upgrade when you can.