Two-Factor Authentication, Explained
You've clicked "enable two-factor authentication" a hundred times without really knowing what it changes under the hood. You know it makes you type a code, or tap a notification, or plug in a little USB key — and you know it's "more secure." But if someone asked you why a six-digit code stops an attacker who already has your password, could you answer? This guide answers that question, and it also explains which second factor is actually worth your time and which one is quietly the weakest.
The phases
- One secret isn't enough — why passwords alone fail, and the something-you-know/have/are framework.
- How the common methods actually work — SMS codes, authenticator apps, and hardware keys, and why they're not equally safe.
- What this means for you — what to actually turn on, backup codes, and the recovery tradeoff nobody mentions.