Two-factor authentication (2FA) is a secondary method of identification that is much more secure than knowledge-based identification alone (knowing the username and password): anyone who has that information could present it, but they are not necessarily the owner of the account or authorised to use it.
Sometimes called Login Approvals, Multi-Factor Authentication (MFA), One Time Passcode (OTP) or Two Step Verification (2SV), it works like this: you have a hardware device, which could be a mobile phone, tablet, laptop/desktop computer or a custom dongle with a display. To start receiving passcodes, a seed must first be obtained and entered into the authenticating app. The passcode it produces is time-sensitive, and the setup only activates once the correct token has been entered back into the system for verification. There are four types of system in use.
Authenticator App / Time-based One-Time Password 2FA (TOTP 2FA)
If you use a tablet PC running an authenticator app such as Authy, Google Authenticator or FreeOTP, then after setup, every time you log in to the system a different passcode is displayed locally on your 2FA device, which you enter in addition to your usual username and passphrase. This passcode changes at set intervals, so time is of the essence when entering it.
Not all websites and services offer this secondary identification, but a great many are integrating it. You should still use a good password with a mix of upper- and lowercase letters, a number and a special character; if your password is somehow compromised, the account still cannot be entered without the 2FA key displayed on the tablet PC.
It is very important to consider where you keep the device running the 2FA authenticator app: if it is stolen, the accounts it protects could be compromised.
You should export the backup codes and keep them in a safe place; if you lose the device, it will then be a quick process to log in to the systems and change the 2FA keys. Some apps also allow you to back up the seeds securely for transfer to another device.
SMS 2FA / Push
Passcodes can be sent to you by text message on your mobile phone. There are a couple of downsides: you have to give your telephone number to a third party, and some of them sell or pass this information on for marketing and cold calls. The 2FA messages can also be spoofed, and the packets intercepted on their way to your phone. This form of 2FA is not recommended, but as 2FA is not standardised it may be the only option available for some web platforms.
Apple's Trusted Devices method, Duo Push and Google prompts send a notification to one of your connected devices asking whether it is you trying to log in, with possible location information; you can then allow or deny the attempt. This is a convenient method and one more resistant to phishing attempts, and the IP/location details of the originating login give a further clue.
FIDO U2F / Security Keys
Another form is Universal Second Factor (U2F), typically using a small Bluetooth Low Energy (BLE), NFC or USB device; these are often referred to as security keys. You must register them on the site before use; on subsequent logins the site will prompt you to connect your device to allow login.
When setting up 2FA some sites will display backup codes so that, if you lose the device or do not have access to it, you can quickly set it up again. It is very important to keep these backup codes in a safe place, as this minimises the time needed to set 2FA up again and to re-secure the accounts.