Multi-Factor Authentication Explained

Multi-factor authentication adds a second layer of proof when you log in, so a stolen password alone is not enough to access your account. This guide covers the main methods, from authenticator apps to passkeys, and explains where SMS fits in.

What multi-factor authentication is

Authentication factors fall into three categories: something you know (a password), something you have (a phone or security key), and something you are (a fingerprint or face scan). Multi-factor authentication, often shortened to MFA or 2FA, requires at least two of these categories. If an attacker steals your password, they still need the second factor to get in.

App-based codes

Authenticator apps generate a new six-digit code every 30 seconds. The code is computed on your device from the current time and a shared secret that was set up once during enrolment. Because that secret never leaves your device and no code is delivered to you over the network, there is nothing in transit to intercept in the way an SMS message can be. Popular authenticator apps are available for both Android and iOS at no cost.

When you enable app-based MFA, the service shows you a QR code. Scan it with your authenticator app, and the pairing is done. From that point on, you enter your password followed by the current code from the app each time you log in.

Passkeys

Passkeys are a newer approach that replaces the password entirely. They use public-key cryptography, storing a private key on your device and a corresponding public key on the server. When you log in, your device proves it holds the private key without ever sending it. Passkeys are resistant to phishing because they are bound to the specific website that created them.

Support for passkeys is growing. Major operating systems and browsers now include built-in passkey management, and an increasing number of services offer passkey sign-in as an option.

SMS verification

SMS codes are the oldest and most widely supported form of MFA. A text message containing a short code is sent to your registered phone number. While it is true that SMS can be intercepted through SIM-swapping attacks or network vulnerabilities, SMS-based MFA is still significantly better than using a password alone. If a service only offers SMS as a second factor, enable it. Something is always better than nothing.

Hardware security keys

Physical security keys are small USB or NFC devices that you tap or insert when logging in. They offer strong phishing resistance because the key checks the website's identity before responding. Hardware keys are an excellent choice for high-value accounts such as email, banking, and cloud storage.

Backup and recovery

When you set up MFA, most services provide backup codes. Store these securely, for example in your password manager or printed and kept in a safe place. Without a backup method, losing access to your second factor could lock you out of your account permanently.

Frequently asked questions

Which accounts should I protect with MFA first?

Start with your primary email, because it is the gateway to password resets for everything else. Then add MFA to financial accounts, cloud storage, and social media.

Is SMS MFA really that bad?

It is less secure than app-based or hardware-key MFA, but it is far better than having no second factor at all. Use it when no other option is offered, and upgrade to an authenticator app when you can.

What if I lose my phone?

Use the backup codes you saved when you first enabled MFA. If you did not save them, contact the service's support team. Going forward, always store backup codes somewhere separate from your phone.