Two-Factor: The Second Lock

Lesson 4 · taught by Pip

A password is one secret. Two-factor sign-in (often shown as 2FA or "two-step verification") adds a second one — something you have, not just something you know. So even if a stranger learns your password, they're still standing outside.

Think of your front door with two locks. The first turns with a key anyone might copy. The second needs a key that never leaves your pocket. A thief who copied the first key still can't get in. 🔦

Why the second lock works

Most break-ins don't involve someone cleverly guessing your password. They involve a password that leaked somewhere else and got reused, or one that was typed into a fake page. In those cases the thief has your password and you never even know.

Two-factor breaks that. After the password, the site asks for a one-time code or a tap that only your phone or key can give. The thief, sitting at their own computer, has no way to produce it. The stolen password becomes a dead end.

It also acts as an alarm. If a code shows up on your phone when you weren't signing in, that's a clear signal someone has your password — time to change it.

The three kinds, plainest to strongest

Text-message codes (SMS). The site texts you a number to type in. This is the most common and far better than nothing. Its weak spot: a determined attacker can sometimes hijack your phone number, and codes can be phished. Fine for everyday accounts.

Authenticator app codes. A free app on your phone (Google Authenticator, Microsoft Authenticator, or the one built into many password managers) shows a 6-digit code that changes every 30 seconds. Nothing is texted, so there's no phone number to hijack. Stronger than SMS, and works even with no signal.

Security keys and passkeys. A small physical key you tap or plug in, or a passkey stored on your phone. These are the strongest because they actually check you're on the real website, so they can't be handed to a fake page. This is what protects against the cleverest phishing.

Which to choose

Match the lock to what's behind the door. For your email and your password manager — the accounts that can reset all the others — use an app code at minimum, a security key or passkey if you can. For your bank and main money accounts, the same. For everything else, turn on whatever the site offers; even SMS closes the biggest gap.

One caution: save your backup codes. When you switch on two-factor, the site gives you a short list of one-time recovery codes. Print them or store them in your password manager. They're your spare key if you ever lose your phone.

Your turn

Pick your single most important account — almost always your main email. Open its Security or Settings page, find "Two-factor" or "Two-step verification," and turn it on. Choose an authenticator app if offered; SMS if that's all there is. Then save the backup codes somewhere you'll actually find them later. One account, five minutes.

Next we'll learn to spot the fake pages and messages that try to trick you out of these codes in the first place.