What 2FA Actually Adds
Two-factor authentication requires something you know (your password) plus something you have (your phone or a hardware key). Even if an attacker obtains your password through a breach or phishing, they can't access your account without the second factor. This single addition eliminates the risk from credential stuffing and most phishing attacks.
Types of 2FA and Their Strengths
SMS-based 2FA is better than nothing but vulnerable to SIM-swapping attacks. Authenticator apps like Google Authenticator generate time-based codes that expire every 30 seconds and can't be intercepted by SIM swaps. Hardware security keys (FIDO2/WebAuthn) are the strongest option, providing phishing-resistant authentication even against sophisticated attackers.
Why You Still Need Strong Passwords With 2FA
2FA is not a replacement for strong passwords — it's a supplement. Some services allow bypassing 2FA through account recovery flows if you can prove knowledge of your old password. Attackers may attempt to disable 2FA by first compromising your password, then exploiting recovery options. Strong unique passwords make this attack chain much harder to execute.
Setting Up the Combination
Enable 2FA on every account that supports it, starting with email, banking, and social media. For each protected account, ensure you're also using a unique, randomly generated password. Store recovery codes in your password manager alongside the password. This combination makes your accounts effectively impenetrable to remote attacks.
Strong passwords and 2FA together cover essentially every remote attack vector. Implement both consistently and you'll be better protected than the vast majority of internet users.