Two-Factor Authentication and Passkeys: A Plain-English Guide
What two-factor authentication actually is, why SMS codes are the weakest option, and how passkeys are quietly replacing passwords altogether in 2026.
A good password keeps one secret. The trouble is that secrets leak. They turn up in data breaches, get typed into convincing fake login pages, and occasionally get guessed. Once a password is out, it offers no resistance at all — whoever holds it walks straight in, and your account can't tell the difference between you and them.
Two-factor authentication exists to fix exactly that weakness, and passkeys are the next step that does away with the password's fragility for good. Both get explained in confusing, jargon-heavy ways that make people put off turning them on. So here is the plain version: what these things are, which options are worth your time, and how to switch them on for the accounts that actually matter.
Security people talk about "factors," which sounds technical but means something simple. A factor is a category of proof that you are who you claim to be. There are three of them: something you know (a password), something you have (your phone, a hardware key), and something you are (a fingerprint or face).
A password on its own is a single factor — something you know. If that one piece of knowledge escapes, the whole door is open. Two-factor authentication just insists on proof from a second category before it lets anyone in. Now an attacker needs your password and the physical thing in your pocket, which is a far taller order than skimming a password off a breached database.
This matters because passwords leak constantly, and usually not through any fault of yours. A company you signed up with five years ago gets breached, your login ends up on a list, and attackers try it everywhere. If you'd like the longer story on why reused passwords are the real danger here, our guide to password managers lays it out. The short version: a password manager stops the leak from spreading, and 2FA stops a single leaked password from being enough on its own.
Think of your password as the lock on your front door, and two-factor authentication as the deadbolt. Picking one lock is a hobby. Picking two, on a door someone might walk past at any moment, is a different job entirely.
Here is the part most guides skip: the different kinds of two-factor authentication are not equally good. Some are genuinely strong. One is barely better than nothing. It helps to picture them as a ladder.
This is the one most people know: you log in, the site texts you a six-digit code, you type it in. It works, and it's certainly better than no second factor at all. But it has real weaknesses. Text messages can be intercepted, and there's an attack called SIM swapping where someone convinces your phone carrier to move your number to their device — at which point your codes go to them, not you.
Use SMS if it's the only option an account offers. Just don't treat it as solid protection, and don't use it for your email or bank if anything better is available.
An authenticator app (Google Authenticator, Microsoft Authenticator, Authy, and others) generates a fresh six-digit code on your phone every thirty seconds. The crucial difference from SMS is that the code is created on your device from a secret shared once at setup. Nothing travels over the phone network, so there's nothing to intercept and no SIM to swap.
For most people, on most accounts, this is the right level. It's free, it works offline, and setup is usually as quick as scanning a QR code. The one thing to plan for: save the backup or recovery codes the site gives you when you turn it on, somewhere safe, in case you lose your phone.
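How an authenticator app turns the secret shared at setup into a six-digit code, and how a site checks that code, as an added Python example (not code from the original article). It uses only the standard library; the secret is the RFC 6238 test secret, not any real account's.

```python
# Time-based one-time passwords (RFC 6238 on top of RFC 4226 HOTP): the code is
# computed on the device from the enrollment secret and the current time, so
# nothing crosses the phone network and there is nothing to intercept.
import base64
import hashlib
import hmac
import struct

# RFC 6238's published test secret ("12345678901234567890"), in the base32 form
# that setup QR codes carry. Constructed for the demo, not a real account's secret.
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32, unix_time, step=30, digits=6):
    """Return the code an authenticator app would show at unix_time."""
    padded = secret_b32 + "=" * (-len(secret_b32) % 8)      # tolerate unpadded base32
    secret = base64.b32decode(padded, casefold=True)
    counter = int(unix_time) // step                         # 30-second time step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def verify_totp(secret_b32, submitted, unix_time, step=30, window=1):
    """Site side: accept the current step and `window` steps either side for clock
    drift, comparing in constant time. A code older than that is rejected."""
    for drift in range(-window, window + 1):
        candidate = totp(secret_b32, unix_time + drift * step, step=step)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False
```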
A security key is a small physical device, often shaped like a USB stick, that you tap or plug in to prove it's you. Keys from brands like YubiKey or Google's Titan are the gold standard, and for a good reason: they're resistant to phishing in a way codes simply aren't. A fake login page can trick you into typing a code, but a hardware key checks the website's real address before it responds, so it won't authenticate to an impostor site.
If you're a journalist, run a business, hold cryptocurrency, or just want the best protection on your email, a hardware key is worth the modest cost. Buy two — one to use and one as a backup kept somewhere safe.
For years, 2FA was a patch on top of a flawed system: the password stayed, and we bolted a second factor onto it. Passkeys take a different approach — they replace the password itself.
A passkey is a pair of cryptographic keys created when you set it up. One half stays locked on your device (your phone, laptop, or a hardware key) and never leaves it. The other half is handed to the website. When you sign in, your device proves it holds the matching private key, usually after you unlock it with your fingerprint, face, or PIN. You never type a secret, and crucially, there's no secret stored on the company's servers for a breach to steal.
That design quietly removes the two biggest ways accounts get taken over:
Through 2026, passkeys have gone from a curiosity to the default that major platforms actively nudge you toward. Apple, Google, and Microsoft all support them across their devices, and they sync through your existing account or password manager so you're not locked to a single phone. When a site offers a passkey, taking it usually means you stop dealing with passwords and codes for that account altogether — the unlock on your device does both jobs at once.
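The key-pair sign-in described above, together with the origin check that makes hardware keys refuse to answer an impostor site, as an added Python example (not code from the original article). It assumes the `cryptography` package is installed and uses a constructed site origin, `https://example.com`.

```python
# Passkey-style sign-in: a key pair per site, the private half never leaves the
# device, and the origin the browser saw is bound into what gets signed
# (ECDSA over P-256, the ES256 algorithm passkeys commonly use).
import json
import os
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

RP_ORIGIN = "https://example.com"   # constructed: the genuine site's origin


def create_passkey():
    """Registration: the device generates the pair; the site stores only the public key,
    so a breach of the site's database yields nothing that can be used to sign in."""
    private_key = ec.generate_private_key(ec.SECP256R1())
    return private_key, private_key.public_key()


def new_challenge():
    """The site sends a fresh random challenge for every sign-in, so a captured
    response cannot be replayed later."""
    return os.urandom(32)


def device_sign(private_key, challenge, origin_seen_by_browser):
    """Sign-in on the device. The browser, not the web page, reports which origin
    is asking, and that origin becomes part of the signed client data. (Real WebAuthn
    signs authenticatorData || SHA-256(clientDataJSON); simplified to the client data.)"""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": origin_seen_by_browser}, sort_keys=True).encode()
    signature = private_key.sign(client_data, ec.ECDSA(hashes.SHA256()))
    return client_data, signature


def server_verify(public_key, challenge, client_data, signature):
    """The site checks the origin and challenge inside the signed data, then the
    signature. A response made for a look-alike origin, or relayed with the origin
    edited afterwards, fails one of these checks."""
    fields = json.loads(client_data)
    if fields.get("origin") != RP_ORIGIN or fields.get("challenge") != challenge.hex():
        return False
    try:
        public_key.verify(signature, client_data, ec.ECDSA(hashes.SHA256()))
    except InvalidSignature:
        return False
    return True


def login_attempt(private_key, public_key, origin_seen_by_browser):
    """One complete exchange; returns whether the site accepts it."""
    challenge = new_challenge()
    client_data, signature = device_sign(private_key, challenge, origin_seen_by_browser)
    return server_verify(public_key, challenge, client_data, signature)
```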
You don't need to overhaul every account today. Work down from the ones that would hurt most if lost.
The settings live in slightly different places on every service, but the path is almost always Account → Security → Two-Factor Authentication (or "Two-Step Verification," or "Passkeys"). If you get stuck, searching "[service name] enable 2FA" gets you a current walkthrough faster than hunting through menus.
Most of the advice about staying safe online asks you to be permanently alert — to never click the wrong link, never reuse a password, never have a tired moment. People are bad at being permanently alert, which is why that advice keeps failing.
Two-factor authentication and passkeys work differently. They're a one-time setup that keeps protecting you afterward, even on the day you're distracted and almost fall for something. Spend twenty minutes this month locking down your email and your two or three most important accounts, switch on passkeys where they appear, and you'll have shut off the routes most ordinary account takeovers actually use — without having to think about it again.