PasswordCrunch.com
Account Security · 6 min read

What Is Two-Factor Authentication (And Does It Replace Passwords)?

Two-factor authentication has gone from niche to mainstream over the past decade, and with good reason. Here is a clear explanation of how it works, the differences between the various types and why — despite being genuinely powerful — it does not make a strong password optional.

The basic idea

Authentication is the process of proving you are who you claim to be. Passwords are a single factor: something you know. Two-factor authentication (2FA, also called multi-factor authentication or MFA) requires a second piece of evidence from a different category.

Security professionals categorise authentication factors into three types: something you know (a password or PIN), something you have (a phone, a hardware key) and something you are (a fingerprint, face scan). 2FA combines at least two of these. The result is that even if an attacker gets your password, they still cannot access your account without the second factor.

The main types of 2FA

SMS / text message codes

Protection level: basic

A one-time code is sent to your phone number when you log in. Widely available and better than no 2FA, but vulnerable to SIM swapping (where attackers convince a carrier to transfer your number to their control) and interception. Not recommended for high-value accounts if better options are available.

Authenticator apps (TOTP)

Protection level: strong

Apps like Google Authenticator, Authy or Microsoft Authenticator generate a fresh 6-digit code every 30 seconds, based on a shared secret established when you set up 2FA. The code never leaves your device and cannot be intercepted in transit. Significantly stronger than SMS and free to use. Recommended for most accounts.

Hardware security keys

Protection level: strongest

Physical devices (YubiKey, Google Titan Key) that plug into a USB port or tap via NFC. They use a cryptographic protocol (FIDO2/WebAuthn) that is resistant to phishing — the key verifies the legitimate domain of the site before responding, so entering credentials on a fake site does nothing. The gold standard for high-security accounts. Around NZD $50–100 per key.

Push notifications / app prompts

Protection level: good

A notification appears on your phone asking you to approve or deny a login attempt. Used by many banking apps and services with their own authentication systems. Convenient and reasonably secure, though vulnerable to "MFA fatigue" attacks where attackers repeatedly send prompts hoping users will approve one by mistake.

Why 2FA does not replace passwords

This is a common misconception. Two-factor authentication is an additional layer, not a replacement. Here is why both still matter:

If your password is weak or reused, an attacker who obtains it can attempt to bypass 2FA through social engineering (calling your phone provider pretending to be you), exploiting backup account recovery options or waiting for an opportunity when you are travelling and have disabled 2FA temporarily.

Conversely, if you have a strong unique password but no 2FA, a successful phishing attack that captures your credentials gives an attacker full access. 2FA would stop them.

Strong passwords protect against password-based attacks. 2FA protects against scenarios where the password itself is compromised. They address different threat vectors, and you need both for meaningful protection on important accounts.

Which accounts need 2FA most?

In order of priority:

  1. Email — your email account controls recovery for almost everything else; it is the highest-value target
  2. Password manager — protects all your other credentials
  3. Banking and financial accounts — direct financial risk
  4. Social media accounts — account takeover enables targeted scams against your contacts
  5. Work accounts — can expose employer data and systems

For lower-value accounts — forums, newsletters, services with no financial information — 2FA is nice to have but not critical if you are using a unique password.

How to set it up

Most major services have a Security or Privacy section in account settings where you can enable 2FA. The process typically takes two minutes: scan a QR code with an authenticator app, enter the first code to confirm it is working and save your backup codes somewhere secure (a password-protected note in your password manager works well).

Backup codes are important. They let you access your account if you lose your phone. Do not skip this step — if you lose access to your 2FA device without backup codes, recovering the account can be difficult or impossible.

Pair it with a strong password

2FA works best alongside a strong, unique password

Enable 2FA on your important accounts and pair it with a randomly generated password you do not use anywhere else. Generate one here.

Open Password Generator

This article is for general informational purposes. Security recommendations vary by context. For enterprise security requirements, consult a qualified security professional.