What Is Two-Factor Authentication (2FA)?

Two-factor authentication (2FA) requires two separate kinds of proof before it lets someone into an account. The first is almost always a password (something you know). The second is a different category of proof, such as a code from your phone (something you have) or a fingerprint (something you are). Because the two proofs come from different categories, stealing one rarely gives an attacker the other.

That category distinction is the whole point. A password can leak in a breach, get phished, or be guessed. If the only thing standing between an attacker and your account is that password, the account is one leak away from compromise. Adding a second factor from a different category means the attacker has to defeat two unrelated things at once, which is much harder to pull off at scale.

The three authentication factors

Security people group proof into three categories. A login counts as two-factor only when the two proofs come from two different categories.

  • Knowledge (something you know): passwords, PINs, the answer to a security question.
  • Possession (something you have): a phone receiving an SMS or push, an authenticator app, a hardware security key.
  • Inherence (something you are): a fingerprint, a face scan, a voiceprint.

Two passwords are still just knowledge, so asking for a password and then a PIN is not 2FA. A password plus a code from your phone is, because it pairs knowledge with possession. If you want the longer treatment of where the line sits, see two-factor authentication vs. two-step verification.

What can the second factor be?

In practice the second factor is almost always a possession factor, and you have a few options that trade off convenience against how hard they are to attack.

  • SMS or voice OTP. A short one-time password is sent to your phone number by text or read out by an automated call. It works on any phone with no app to install, which is why it is the most common second factor in the world.
  • TOTP authenticator apps. Apps like Google Authenticator or Authy generate a six-digit code that rotates every 30 seconds, computed from a shared secret and the current time. The code never travels over the network, so there is nothing to intercept in transit.
  • Push approvals. The service sends a prompt to a registered app and you tap approve or deny. Convenient, though it invites "push fatigue" attacks where a user taps approve just to make the prompts stop.
  • Hardware keys and passkeys. A physical key (FIDO2/WebAuthn) or a passkey stored on your device signs a challenge with a private key that never leaves the hardware. These resist phishing because the signature is bound to the real site's origin, so a lookalike domain cannot collect anything reusable.

Why it matters

Most account takeovers start with a password the attacker already has, from a breach dump, a reused credential, or a phishing page. None of those give the attacker your second factor. So even a basic SMS code, which is not the strongest option, blocks the large majority of bulk, automated attacks that rely purely on stolen passwords.

It is worth being honest that 2FA is not a single thing with a single security level. A hardware key and an SMS code are both "2FA," but they defend against very different threats. Pick the second factor to match the value of what you are protecting.

What are the tradeoffs?

SMS-based 2FA is the easiest to roll out and the easiest to attack. SIM-swap fraud (an attacker convinces a carrier to port your number to their SIM) and SS7 interception can both deliver your codes to someone else. App-based TOTP avoids the carrier entirely because the code is generated on your device, so there is no message to redirect. Hardware keys and passkeys go further by being phishing-resistant, at the cost of needing the user to own and carry the key.

A reasonable default: offer SMS because it has the widest reach, but let security-conscious users upgrade to an authenticator app or a passkey. Some accounts (an admin console, a financial dashboard) are worth requiring the stronger options outright.

How do you add 2FA?

If you are a user, look under the account or security settings of the service and enable it. The service will usually show a QR code to scan into an authenticator app, or ask you to confirm a phone number for SMS codes. Save the recovery codes somewhere safe so a lost phone does not lock you out.

If you are building the feature, you have two paths. You can implement TOTP yourself (it is a well-specified standard and the math is small) and store a shared secret per user. Or you can hand the delivery and verification of OTPs to a provider so you are not running an SMS pipeline or rate-limiting logic by hand. Bird's Verifications product sends and checks one-time codes over SMS, voice, and email, and the underlying SMS product covers the message delivery if you want to assemble the flow yourself.

FAQ

Is two-factor authentication the same as two-step verification?

Not exactly. 2FA requires two proofs from different factor categories. Two-step verification means two sequential steps, which may or may not use two different factors. The terms get used interchangeably, but the distinction matters when you are reasoning about what an attack actually has to defeat.

Is SMS-based 2FA safe enough?

For most consumer accounts, yes, because it blocks the bulk attacks that rely on stolen passwords. For high-value accounts, prefer an authenticator app or a hardware key, since SMS is vulnerable to SIM-swap and network interception.

What happens if I lose my second factor?

Most services issue recovery codes when you enable 2FA. Store them offline. Without a recovery path, losing the device that holds your second factor can lock you out of the account entirely.

Does 2FA replace a strong password?

No. The second factor is an additional layer, not a substitute. A weak or reused password still widens the attack surface, so keep using a password manager and unique passwords alongside 2FA.

Two-factor authentication is one of the cheapest ways to raise the cost of an account takeover, and the second factor is usually a one-time code. If you want to see how the codes themselves work, read what OTP means, or look at how Bird handles code delivery and verification in the Verifications product.
