What Is Two-Factor Authentication (2FA) and How to Set It Up
Understand 2FA, why SMS OTP is weak, the best 2FA methods, and how to enable it on your important accounts.
What Is Two-Factor Authentication?
Two-factor authentication (2FA) adds a second verification step beyond just a password. Even if someone steals your password, they cannot log in without the second factor.
The "two factors" refer to two of these three categories:
Something you know: Your password, PIN, or security question.
Something you have: Your phone, a hardware token, or a smart card.
Something you are: Your fingerprint, face, or iris (biometrics).
2FA typically combines your password (something you know) with a code sent to your phone (something you have).
Why Passwords Alone Are Not Enough
Passwords get stolen through data breaches (12+ billion credentials are in circulation from historical breaches), phishing attacks (fake login pages that capture your credentials), password reuse (one breach compromises all accounts with the same password), and keyloggers or malware.
2FA stops most of these attacks. Even with your correct password, attackers also need your physical device or the real-time code.
2FA Methods Ranked by Security
Hardware security keys (YubiKey, Google Titan): The most secure option. A physical USB or NFC device you tap to authenticate. Cannot be phished: the key answers a cryptographic challenge that is bound to the website you are actually on, so a fake login page receives a response the real site will not accept, and there is no code for you to type or for an attacker to capture. Around Rs 3,500.
Authenticator apps (Google Authenticator, Microsoft Authenticator, Authy): Time-based one-time passwords (TOTP) that change every 30 seconds. Excellent security. Free. Works offline. Authy can back up your authenticator accounts to the cloud so you can restore them if you lose your phone.
Passkeys: The emerging standard that may eventually replace passwords entirely. A cryptographic credential tied to your device and unlocked with your fingerprint or face. Supported by major platforms.
SMS OTP: The most common 2FA method in India. Codes sent via text message. Weaker than app-based 2FA because of SIM swapping attacks (criminals convince carriers to transfer your number to their SIM) and SS7 protocol vulnerabilities. Better than no 2FA, but avoid for critical accounts when better options are available.
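The hardware-key entry above says a fake site cannot use what the key produces. The following is an added example (not code from this guide or from any key vendor) that models the two checks that make this true: the key signs the challenge together with the website origin the browser reports, and the site accepts only responses signed for its own origin, with a fresh challenge and an advancing counter. Everything in it is constructed: the master secret, the site names, and the use of HMAC-SHA256 as a stand-in for the real key's per-site asymmetric signature, which keeps the example standard-library only.

```python
import hashlib
import hmac
import json
import os

# Constructed master secret for the toy key. A real key generates its own
# and never exports it. Assumption: HMAC-SHA256 stands in for the real
# key's per-site asymmetric signature.
MASTER_SECRET = bytes(range(32))


def derive_site_key(master: bytes, origin: str) -> bytes:
    """One key per website origin: a lookalike domain yields a different key."""
    return hmac.new(master, origin.encode(), hashlib.sha256).digest()


def authenticator_respond(master: bytes, browser_origin: str,
                          challenge: bytes, counter: int) -> dict:
    """What the key returns when tapped. It signs the challenge together with
    the origin the browser reports; the user types nothing."""
    client_data = json.dumps(
        {"challenge": challenge.hex(), "origin": browser_origin, "counter": counter},
        sort_keys=True,
    ).encode()
    site_key = derive_site_key(master, browser_origin)
    signature = hmac.new(site_key, client_data, hashlib.sha256).hexdigest()
    return {"client_data": client_data, "signature": signature}


def relying_party_verify(rp_origin: str, site_key: bytes, challenge: bytes,
                         last_counter: int, response: dict) -> bool:
    """Server-side checks: the origin must be ours, the challenge must be the
    one we issued (no replay), the counter must advance (clone detection),
    and the signature must verify under the key registered for this origin."""
    data = json.loads(response["client_data"])
    if data.get("origin") != rp_origin:
        return False                      # browser was on a different site
    if data.get("challenge") != challenge.hex():
        return False                      # old response presented again
    if not isinstance(data.get("counter"), int) or data["counter"] <= last_counter:
        return False                      # counter did not move forward
    expected = hmac.new(site_key, response["client_data"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, response["signature"])


def run_scenarios(master: bytes = MASTER_SECRET) -> dict:
    """Genuine login versus the failure cases the site must reject."""
    rp = "https://accounts.example.com"          # the real site (constructed)
    lookalike = "https://accounts-example.com"   # a lookalike origin (constructed)
    site_key = derive_site_key(master, rp)       # stored by the site at registration
    challenge = os.urandom(32)
    results = {}
    genuine = authenticator_respond(master, rp, challenge, counter=1)
    results["genuine"] = relying_party_verify(rp, site_key, challenge, 0, genuine)
    # The key is tapped while the browser is on the lookalike page.
    on_lookalike = authenticator_respond(master, lookalike, challenge, counter=2)
    results["lookalike"] = relying_party_verify(rp, site_key, challenge, 0, on_lookalike)
    # A genuine response is presented against a different, fresh challenge.
    results["replay"] = relying_party_verify(rp, site_key, os.urandom(32), 0, genuine)
    # The site has already seen counter 1, so the same response is stale.
    results["stale_counter"] = relying_party_verify(rp, site_key, challenge, 1, genuine)
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:14s} accepted={ok}")
```

Only the `genuine` scenario is accepted. The `lookalike` case fails twice over: the signed origin is not the site's own, and the signing key was derived for a different origin, so a site that checks either would reject it.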
Where to Enable 2FA First
Email: Most critical — if your email is compromised, every account that uses it for password reset is also compromised.
Banking and investment accounts: Enable whatever 2FA your bank offers, even if it is only SMS.
Google/Gmail: Security key or Google Authenticator.
Aadhaar/UIDAI: OTP is built in.
Social media: Especially important for business accounts — account hijacking can damage reputation.
How to Set Up an Authenticator App
Frequently asked questions
Is SMS OTP safe for 2FA?
SMS OTP is better than no 2FA but weaker than app-based 2FA. It is vulnerable to SIM swapping attacks. Use authenticator apps for critical accounts when possible.
What happens if I lose my phone with 2FA set up?
Save backup codes when you set up 2FA — these let you in without your phone. For Authy, your codes sync to the cloud. For Google Authenticator, back up codes manually or use account recovery options.
What is a passkey?
A passkey is a new authentication standard that uses biometrics (fingerprint or face) on your device instead of passwords. It is phishing-resistant and supported by Apple, Google, and Microsoft accounts.