TL;DR
Two-factor authentication requires two types of proof to log in: something you know (password) and something you have (phone or security key). Even if attackers steal your password, they cannot access your account without the second factor. Use authenticator apps (TOTP) or hardware keys instead of SMS when possible.
The Simple Explanation
A password alone is "single factor" authentication. If someone steals it, they have full access. 2FA adds a second check. Even with your password, attackers need your phone or security key to log in. It is like needing both a key and a fingerprint to open a door.
Types of 2FA
| Method | Security | User Experience |
|---|---|---|
| Hardware Keys (WebAuthn) | Highest | Requires physical key |
| Authenticator Apps (TOTP) | High | Open app, enter code |
| Push Notifications | High | Tap to approve |
| SMS Codes | Medium | Wait for text |
| Email Codes | Low | Check email |
Implementing 2FA
Don't build 2FA from scratch. Use established libraries and services:
- Auth.js (NextAuth): Built-in 2FA support
- Clerk: Full auth with 2FA included
- Supabase Auth: TOTP support available
- speakeasy: Node.js TOTP library
2FA Recovery
Users will lose access to their 2FA device. Plan for this:
- Backup codes: Generate one-time codes during setup
- Multiple methods: Allow adding multiple 2FA options
- Recovery flow: Identity verification for account recovery
Don't make recovery too easy. If anyone can bypass 2FA with a simple email request, attackers will use that path. Balance security with usability.
What is the difference between 2FA and MFA?
2FA (Two-Factor Authentication) specifically requires two factors. MFA (Multi-Factor Authentication) requires two or more factors. In practice, the terms are often used interchangeably. MFA might include additional factors like biometrics or location verification.
Are SMS codes secure for 2FA?
SMS 2FA is better than no 2FA but has weaknesses. Attackers can intercept SMS through SIM swapping or social engineering phone companies. For high-security applications, prefer authenticator apps (TOTP) or hardware security keys (WebAuthn) over SMS.
Should I require 2FA for all users?
Consider your app's risk profile. For apps handling sensitive data (finance, health, enterprise), requiring 2FA is recommended. For consumer apps, encourage 2FA, but making it mandatory may hurt user adoption. Always require 2FA for admin accounts.