WebPiki

2FA Guide — Protect Your Accounts Beyond Passwords

Types of two-factor authentication, which accounts to secure first, authenticator app recommendations, and setup best practices.


Passwords get compromised more often than people think. Phishing, credential stuffing from other breaches, keyloggers — the attack vector varies but the result is the same: someone logs into your account.

Two-factor authentication (2FA) is the additional defense layer that protects you even when your password leaks. Password (something you know) plus a second factor (something you have) means stealing just the password isn't enough.

Types of 2FA

SMS Verification

A code texted to your phone number. The most familiar method, but the weakest from a security standpoint.

SIM swapping is the main risk. An attacker convinces your carrier to transfer your phone number to their SIM card, and then the verification codes go to them. This has been a real problem, particularly in cryptocurrency theft cases. The fundamental vulnerability in tying authentication to a phone number never fully goes away.

Still, SMS 2FA is better than no 2FA at all. If it's your only option, use it.

TOTP Apps (Authenticator Apps)

Google Authenticator, Microsoft Authenticator, Authy — these generate a 6-digit code that changes every 30 seconds.

TOTP (Time-based One-Time Password) works by sharing a secret key between the server and the app; both sides then independently derive the same code from the current time. No network connection is needed, and the scheme is immune to SIM swapping.

When you set it up, you scan a QR code that contains the secret key. Back up this key separately. If you lose your phone, you lose access to the authenticator app — and every account tied to it.

Hardware Security Keys

Physical devices like YubiKey that connect via USB or NFC. Based on the FIDO2/WebAuthn standard. The strongest 2FA available.

The biggest advantage: phishing immunity. The security key verifies the domain of the site you're authenticating to. On a fake site, the key simply refuses to work — even if you've already entered your password on the phishing page.

Downsides: cost ($30-70 per key) and the risk of losing a physical object. Most people buy two keys — one for daily use, one stored as backup.

Passkeys

A newer approach that aims to replace passwords entirely. Authentication happens through your device's biometrics (fingerprint, face) or screen lock. Apple, Google, and Microsoft all support passkeys, and adoption is growing.

Under the hood, passkeys use public key cryptography. From the user's perspective, it's just "scan fingerprint, done." No password to remember. Phishing-resistant by design.
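Where the phishing resistance of security keys and passkeys actually comes from, shown from the relying party's side as an added example (not code from the page or from any FIDO2 implementation): the browser's clientDataJSON carries the origin, and the authenticator's signed data carries a hash of the relying-party ID, so an assertion produced on a look-alike domain fails these checks before any password or signature matters. The RP ID, origins and test data below are constructed; verifying the assertion signature itself is omitted.

```python
import base64
import hashlib
import json
import struct
from typing import Optional

RP_ID = "example.com"                      # assumed relying-party ID for this illustration
ALLOWED_ORIGINS = {"https://example.com"}  # origins this relying party accepts

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def check_client_data(client_data_json: bytes, expected_challenge: bytes) -> Optional[str]:
    """Validate the clientDataJSON the browser produced. Returns None on success,
    otherwise the first failed check. The origin is filled in by the browser, not
    the page, so a phishing site cannot claim to be us."""
    data = json.loads(client_data_json)
    if data.get("type") != "webauthn.get":
        return "wrong ceremony type"
    if b64url_decode(data.get("challenge", "")) != expected_challenge:
        return "challenge mismatch (possible replay)"
    if data.get("origin") not in ALLOWED_ORIGINS:
        return f"origin {data.get('origin')!r} not allowed"
    return None

def check_authenticator_data(auth_data: bytes, last_counter: int) -> Optional[str]:
    """Validate the authenticator-signed data: rpIdHash binds the assertion to our
    domain, the UP flag (bit 0) proves a user touched the key, and the signature
    counter must move forward (a cloned key would repeat or regress it)."""
    if len(auth_data) < 37:
        return "authenticatorData too short"
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    counter = struct.unpack(">I", auth_data[33:37])[0]
    if rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash does not match our RP ID"
    if not flags & 0x01:
        return "user presence flag not set"
    if counter != 0 and counter <= last_counter:
        return "signature counter did not increase"
    return None

def make_client_data(origin: str, challenge: bytes) -> bytes:
    # Constructed stand-in for what a browser sends; real clientDataJSON has more fields.
    return json.dumps({"type": "webauthn.get", "origin": origin,
                       "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()}).encode()

def make_auth_data(rp_id: str, counter: int, flags: int = 0x01) -> bytes:
    # Constructed authenticatorData: rpIdHash || flags || 32-bit counter.
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", counter)
```

A complete verifier also checks the signature over authenticatorData || SHA-256(clientDataJSON) with the public key stored at registration; the checks above are what makes that signature worthless to a relay on another domain.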

Which Accounts to Secure First

Ideally, enable 2FA on everything. Realistically, prioritize:

  1. Email accounts — Password reset links for every other service land here. If email is compromised, everything downstream is at risk.
  2. Financial services — Banks, brokerages, payment apps.
  3. Cloud accounts — Google, Apple, Microsoft. Your photos, documents, and contacts live here.
  4. Developer accounts — GitHub, AWS, server SSH access. Code theft or infrastructure hijacking can be catastrophic.
  5. Social media — A hijacked account can be used to send phishing messages to your contacts.

Authenticator App Recommendations

Authy

Supports cloud backup. Switch phones and just log in to restore everything. Convenient, but storing keys in the cloud creates an additional attack surface. Note that the desktop app was discontinued in 2024, so it's mobile-only now.

Google Authenticator

Straightforward. Google account sync was added — before that, losing your phone meant losing all your codes. It's better now, but separate backups are still smart.

Microsoft Authenticator

Natural choice if you use Microsoft 365 or Azure. Has a built-in password manager too.

1Password / Bitwarden

Password managers with built-in TOTP support. Having passwords and 2FA codes in the same vault is convenient, but if that vault is compromised, both layers are exposed. Security professionals are divided on whether this tradeoff is acceptable.

Setup Best Practices

Save recovery codes. Most services give you recovery codes when you set up 2FA. Store these somewhere safe — they're your emergency keys if you lose access to your authenticator. A password manager or a physical printout in a secure location both work.

Register at least two backup methods. TOTP app + SMS, or TOTP app + security key. If one fails, you need another way in.

Use a password manager alongside 2FA. Enabling 2FA doesn't make weak passwords acceptable. The ideal setup is a unique, strong password per service combined with 2FA.

Limitations of 2FA

2FA isn't bulletproof. Real-time phishing proxies (where an attacker relays your input between you and the legitimate site as a man-in-the-middle) can intercept TOTP codes. Defending against this requires FIDO2 security keys or passkeys.

Session cookie theft is another bypass. If infostealer malware grabs your browser's session cookies after you've authenticated, the attacker can hijack your already-verified session. 2FA can't protect against post-authentication theft.

That said, 2FA blocks the vast majority of credential-based attacks. Not enabling it guarantees vulnerability. Enabling it eliminates most threats. Even with its limitations, the math overwhelmingly favors turning it on.

