What Is Two-Factor Authentication (2FA) and Why You Need It

Published: 18 January 2026 8 min read By ScanTotal Security Team
Last reviewed: 4 May 2026 by Kumari Rajapaksha, Founder, ScanTotal

A friend of mine got an email from Have I Been Pwned last year telling him his password had appeared in a data breach. He used the same password for everything, his email, his CommBank login, his myGov, even his Netflix. Within hours, someone had logged into his email and started resetting passwords on his other accounts. If he'd had two-factor authentication turned on, none of that would have happened. (He also used the same weak password everywhere, another lesson there.) Not one account would have been compromised. But he didn't. That one missing step cost him weeks of recovery.

If you only do one thing to improve your online security after reading this, let it be this: turn on two-factor authentication on your most important accounts today. Right now, if you can.

What Is Two-Factor Authentication?

Two-factor authentication (often written as 2FA) means you need two different things to prove your identity when logging in. Instead of just entering your password, you also provide a second piece of evidence, usually a temporary code from your phone.

Think of it like a house with two locks on the front door. Even if a thief picks one lock (steals your password), they still can't get in without picking the second lock (your phone-generated code).

The "two factors" come from different categories. Something you know, your password. Something you have, your phone, a hardware key, or a code generator. Something you are, your fingerprint or face (biometrics). True 2FA uses factors from two different categories, which is why it's so much more secure than just having two passwords.

Why Do You Need 2FA?

The numbers paint a clear picture. Stolen passwords are involved in the majority of data breaches. Data breaches expose billions of credentials every year, many of which are sold on dark web marketplaces. If you reuse passwords, a single breach can compromise multiple accounts.

2FA stops this chain reaction. Even if your password appears in a data breach and an attacker tries to use it, they can't get in without the second factor. According to Google, adding 2FA to your account blocks 99.9% of automated attacks. That's not a typo, 99.9%.

Types of Two-Factor Authentication

Not all 2FA is created equal. Here are the main types, ranked from least to most secure:

Five types of two-factor authentication ranked by security A five-column comparison showing SMS codes, email codes, authenticator apps, push notifications, and hardware security keys. Each column has a security rating from one to five stars and a one-line weakness and strength summary. Hardware keys are rated strongest, SMS weakest. WEAKEST STRONGEST SMS Code ★☆☆☆☆ Weakest 2FA SIM-swap and SS7 intercept attacks possible. Still better than no 2FA at all. 📱 Email Code ★★☆☆☆ Slightly better If your email is compromised, so is your 2FA. Only as strong as your inbox. ✉️ Authenticator App ★★★★☆ Recommended TOTP codes generated on your device. Survives SIM swap attacks. 🔢 Push Approval ★★★★☆ Convenient + safe Tap "Approve" on your phone. No codes to type. Beware "fatigue" attacks, pause. 🔔 Hardware Key ★★★★★ Phishing-proof YubiKey, Titan, passkeys. Physical FIDO2 device. No remote attack can phish it. 🔑
Any 2FA beats none. If you can pick, an authenticator app or hardware key is what you want, but don't skip 2FA just because SMS is all that's offered.

SMS text message codes are the most common form. After entering your password, the service texts a 6-digit code to your phone number. You enter this code to complete the login. While convenient, SMS is the weakest form of 2FA because attackers can intercept codes through SIM swapping, convincing your mobile carrier like Telstra or Optus to transfer your number to their SIM card, or exploiting vulnerabilities in the phone network. That said, SMS 2FA is still much, much better than no 2FA at all. I cannot stress this enough, the fact that major Australian services like some banks and government portals still don't offer authenticator app support and rely solely on SMS verification in 2026 is a genuine security failure that puts millions of Australians at unnecessary risk, particularly given how prevalent SIM-swapping attacks have become.

Authenticator apps generate temporary codes on your phone that change every 30 seconds. Popular options include Google Authenticator, Microsoft Authenticator, and Authy. These are significantly more secure than SMS because the codes are generated on your device and never travel over the phone network. Even if someone clones your SIM card, they won't get your authenticator codes.

Push notifications send a login approval request to your phone. Instead of typing a code, you simply tap "Approve" or "Deny" on the notification. Apple, Google, and Microsoft all use this method. It's convenient and secure, though users should be cautious about approving unexpected prompts, attackers sometimes flood users with approval requests hoping they'll tap "Approve" by accident (called "MFA fatigue").

Hardware security keys are physical devices (like YubiKey or Google Titan Key) that you plug into your computer's USB port or tap against your phone. They're the most secure form of 2FA because they can't be phished, the key verifies it's communicating with the legitimate website, not a fake one. They cost between $25-$60 and are recommended for anyone with high-security needs.

Biometrics like fingerprint scanners and face recognition are increasingly used as a second factor, especially on phones and laptops. They're convenient and difficult to fake, though they work best as a complement to other methods rather than a standalone solution.

🔒 Security tip

Phishing is the main way attackers bypass 2FA, they trick you into entering your code on a fake site. Always check URLs carefully before entering any credentials. Use our URL scanner to verify suspicious links.

Check a URL, Free

How to Set Up 2FA on Your Accounts

Setting up 2FA takes about 2-3 minutes per account. Here's the general process (it's very similar across most services):

Step 1: Go to your account's security settings. Look for "Security," "Login Security," or "Two-Factor Authentication" in the settings menu.

Step 2: Choose your 2FA method. If an authenticator app is an option, choose that over SMS. Download Google Authenticator or Microsoft Authenticator from your phone's app store if you haven't already.

Step 3: Scan the QR code. The service will show you a QR code on screen. Open your authenticator app, tap the "+" button, and scan the code with your phone's camera. The app will start generating 6-digit codes for that account.

Step 4: Enter the verification code. Type the current 6-digit code from your authenticator app to confirm it's working correctly.

Step 5: Save your backup codes. This is critical. The service will give you a set of one-time backup codes. Save these somewhere safe (printed and stored securely, or in a password manager). If you ever lose your phone, these codes are your lifeline to get back into your account.

Which Accounts to Protect First

If you're starting from scratch, enable 2FA on these accounts first, in this order:

Your email account. This is the most important because your email is used to reset passwords for virtually every other account. If an attacker gets into your email, they can reset the password on your bank, social media, and everything else.

Banking and financial accounts. Your bank, credit cards, investment accounts, PayPal, Venmo, and any service that has access to your money.

Social media. Facebook, Instagram, X (Twitter), LinkedIn, TikTok. Compromised social media accounts can be used to scam your friends and family, and recovering them can be extremely difficult.

Cloud storage. Google Drive, iCloud, Dropbox, OneDrive. These often contain sensitive documents and photos.

Shopping and subscription accounts. Amazon, Apple ID, Google account, Microsoft account. These have saved payment methods and personal information.

Common Concerns About 2FA

"It's too inconvenient." In practice, most services only ask for the second factor when you log in from a new device or location. On your everyday devices, you might only need to enter a code once a month or less. The few seconds it takes are well worth the protection.

"What if I lose my phone?" This is why backup codes exist. When you set up 2FA, save those backup codes securely. You can also set up your authenticator on a second device (like a tablet), or use Authy, which syncs across devices and lets you restore on a new phone.

"I don't have a smartphone." Many services offer SMS as a 2FA option, which works on any phone. Some also support email-based verification or hardware keys that don't require a phone at all.

Frequently Asked Questions

What if I lose my phone with my authenticator app?

Use the backup codes you saved when setting up 2FA. You can also set up your authenticator on multiple devices, or use Authy which offers cloud backup and multi-device sync.

Is SMS two-factor authentication safe?

SMS 2FA is better than nothing, but it's the weakest form due to SIM swapping attacks. For important accounts, use an authenticator app or hardware key instead.

Which accounts should I enable 2FA on?

Start with email, then banking, social media, cloud storage, and any account with sensitive information. Ideally, enable it everywhere it's available.

What is the best authenticator app?

Google Authenticator and Microsoft Authenticator are reliable and popular. Authy is excellent for cloud backup. For maximum security, hardware keys like YubiKey are the gold standard.

What I'd Tell You to Do This Afternoon

Open your email account settings and turn on 2FA right now. Then do your bank. Then your socials. My friend who lost access to everything because of that data breach now has authenticator-based 2FA on every single account he owns. He told me it took him about forty-five minutes to set up everything, and he wishes he'd done it years earlier. That forty-five minutes would have saved him weeks of panicked calls to CommBank, myGov, and every other service trying to recover his accounts. Don't wait for a breach to motivate you. Just do it.

Two-Factor Authentication 2FA Account Security Cybersecurity Online Safety

Received an email asking for your verification code? It could be phishing.

Upload the email and we'll analyse the sender, headers, and content for red flags.

Analyse a Suspicious Email

Sources & Further Reading

Related Articles

How to Create Strong Passwords
Strong passwords and 2FA together are your best defence.
Check If Your Email Was in a Data Breach
Find out if your accounts have already been compromised.
What Is Phishing?
2FA is one of the strongest defences against phishing attacks.