Chapter 3 – Two-Factor Authentication (2FA)
Even the strongest password can be stolen. That's where two-factor authentication (2FA) comes in: it adds a second step to prove your identity when you log in, so an attacker who has only your password is still locked out.
Why 2FA matters
A leaked password isn't the end – unless there's no second layer of protection.
3.1 What Is 2FA?
Two-factor authentication means logging in with:
- Something you know (your password)
- Something you have (a second factor like your phone or token)
You get access only if both factors check out.
Think of 2FA like a door + keycard
Your password is the door lock; 2FA is the keycard you also need to get in.
3.2 Common Types of 2FA
| Method | Description | Example Providers |
|---|---|---|
| Authenticator apps | Time-based one-time codes | Google Authenticator, Authy, Bitwarden¹ |
| Push notifications | Confirm login via app prompt | Microsoft, Duo |
| SMS codes | Code sent via text message (less secure) | Used by many services |
| Hardware tokens | Physical device for login | YubiKey, Titan Security Key |
¹ Bitwarden supports built-in TOTP code generation with a paid plan — including on self-hosted instances.
Avoid SMS when possible
SMS 2FA is better than nothing, but it's vulnerable to SIM-swapping and phishing.
3.3 Why 2FA Is So Effective
- Blocks 99% of automated login attempts
- Makes phishing attacks much less likely to succeed
- Adds a major barrier even if your password is leaked
2FA is one of the simplest ways to stop most account takeovers.
3.4 Where to Enable 2FA First
Start with your most critical accounts:
- Email accounts (e.g., Gmail, Outlook)
- Password manager
- Banking and finance
- Cloud services (Dropbox, iCloud, etc.)
Security settings are often just a click away
Look in your account settings under "Security" or "Login & verification".
3.5 What If You Lose Access?
Always set up backup options:
- Backup codes (print or save them securely)
- Secondary 2FA method (e.g., another device)
- Recovery email or phone number
No backups = no way in
If you lose your device and have no recovery, your account may be gone for good.
Tip
You can store backup codes and recovery info securely inside your password manager if you use one.
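Backup codes work because the service keeps them differently from how you do: you keep the plain codes somewhere safe, the service keeps only a hash of each and crosses it off after one use. The following is an added example, not code from this guide, of that server-side handling; the code format (four groups of four characters) and the per-account salt are choices made here, not anything a particular provider does.

```python
"""Single-use backup codes for 2FA recovery. Added example, standard library only."""
import hashlib
import hmac
import secrets

# Constructed alphabet: drops look-alike characters (0/o, 1/l/i) so printed codes
# can be typed back without mistakes. 31 symbols x 16 chars ~= 79 bits of entropy.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def generate_backup_codes(count: int = 10, length: int = 16) -> list[str]:
    """Random codes shown to the user once, grouped as xxxx-xxxx-xxxx-xxxx."""
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        codes.append("-".join(raw[i:i + 4] for i in range(0, length, 4)))
    return codes


def _normalize(code: str) -> str:
    """Accept what a user actually types: any case, spaces or dashes."""
    return code.replace("-", "").replace(" ", "").lower()


class BackupCodeStore:
    """What the service stores for one account: salted hashes only, each usable once.
    A fast hash is acceptable here because the codes are long random secrets,
    not user-chosen passwords."""

    def __init__(self, codes: list[str]):
        self._salt = secrets.token_bytes(16)
        self._unused = {self._digest(c) for c in codes}

    def _digest(self, code: str) -> str:
        return hashlib.sha256(self._salt + _normalize(code).encode()).hexdigest()

    def redeem(self, submitted: str) -> bool:
        """Return True and invalidate the code on a match; a code can never be used twice."""
        wanted = self._digest(submitted)
        match = None
        for stored in self._unused:          # scan everything so a miss costs the same as a hit
            if hmac.compare_digest(stored, wanted):
                match = stored
        if match is None:
            return False
        self._unused.discard(match)
        return True

    def remaining(self) -> int:
        """How many codes are left; a UI would prompt to regenerate when this gets low."""
        return len(self._unused)


if __name__ == "__main__":
    issued = generate_backup_codes()
    store = BackupCodeStore(issued)
    print("Print and keep these:", *issued, sep="\n  ")
    print("First code accepted:", store.redeem(issued[0]))
    print("Same code again:", store.redeem(issued[0]))
```

This is also why the chapter says to save the codes when they are shown: the service cannot display them again, because it never kept the plaintext.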
3.6 Self-Check: 2FA Readiness
- I have enabled 2FA on my email and password manager
- I store backup codes safely (not in the same place as my main device)
- I use an authenticator app instead of SMS for 2FA
Start with your most important accounts
Email, password manager, and online banking should be your top priority.