🔐 Two-Factor Authentication (2FA)
A login method that asks for two different proofs of identity before letting you in, instead of trusting a password by itself. Also called two-step verification.
🏧 The simple version — like an ATM
You already use 2FA at a cash machine. To pull out money you need the physical card (something you have) and the PIN (something you know). Either one alone is useless — a stolen card without the PIN won't pay out, and the PIN without the card does nothing. 2FA does the same for an online account: a password by itself is no longer enough, so someone who steals it still can't get in.
🧩 The three kinds of proof
Every proof of identity falls into one of three buckets. 2FA simply means combining two different buckets; two proofs of the same kind (like two passwords) do not count.
| Factor | What it is | Examples |
|---|---|---|
| 🧠 Something you know | A secret in your head | Password, PIN |
| 📱 Something you have | A device in your hand | Phone, hardware key, passkey |
| 👆 Something you are | A part of your body | Fingerprint, face scan |
🛡️ Common types, from weakest to strongest
- ✉️ SMS or email codes — A one-time code texted or emailed to you. Easy to set up, but the weakest: codes can be intercepted in transit.
- 📲 Authenticator app (TOTP) — An app makes a fresh code every ~30 seconds on your device. The code never travels over the phone network, so it can't be intercepted in the same way.
- 👆 Biometrics — A fingerprint or face scan, often used to unlock the app on your phone.
- 🔑 Hardware security key / passkey — A small physical device or built-in credential that proves it's really you. The strongest everyday option.
💸 Why it matters in crypto
Crypto transactions are irreversible — once coins leave your account, no bank can claw them back. That makes accounts a high-value target, so a single stolen password should never be enough. You'll first meet 2FA when you sign up for an exchange like Binance or Coinbase; these prompt you to turn it on during sign-up and again before withdrawals. Note that 2FA guards your exchange login; if you hold your own coins, the real key is your private key and seed phrase, kept offline.
🚨 Things beginners should know
- 📵 Skip SMS where you can — A SIM-swap attack tricks your mobile carrier into moving your number to the attacker's SIM, handing them your texted codes. CISA advises against SMS as a second factor.
- 💾 Save your backup codes — When you enable 2FA you get one-time recovery codes. Store them offline so you aren't locked out if you lose your phone.
- 🎣 2FA isn't magic — A convincing fake login page can ask for your code in real time. Always check the website address before typing anything.
- 💀 The stakes are real — Investor Michael Terpin reportedly lost around $24M in 2018 after a SIM-swap intercepted his SMS codes.
❓ FAQ
- Is 2FA just having two passwords?
- No. Two passwords are both 'something you know', so they count as one factor type. Real 2FA needs two different kinds of proof — for example a password (know) plus a code from your phone (have).
- Is SMS 2FA safe enough for a crypto account?
- It is the weakest form. A SIM-swap attack can move your phone number to an attacker's SIM and intercept the texted codes. CISA advises against using SMS as a second factor, and recommends an authenticator app or a hardware key instead.
- What happens if I lose the phone with my authenticator app?
- You can be locked out, since the rotating codes live on that device. This is why services give you backup codes when you set up 2FA. Save those codes somewhere safe and offline, and you can use them to get back in.