Two‑Factor Authentication (2FA)

Home  / Glossary Index  / Alphabet T

What is Two‑Factor Authentication?

Two‑Factor Authentication (2FA) requires users to provide two separate authentication factors before gaining access to a system. The factors must span across these distinct categories:

Types of 2FA (Ranked by Security Level)

Method

How It Works

Security Level

Risk Profile

SMS Text

Code sent via carrier network

🔴 Low

Highly vulnerable to SIM swapping and interception.

Email Codes

Code sent to email inbox

🔴 Low

Vulnerable if email account itself is compromised.

TOTP Apps

Time-based code (Google Auth)

🟡 Medium

Safe from SIM swaps, but vulnerable to proxy phishing.

Push Notes

Approve via prompt on device

🟡 Medium

Vulnerable to user “MFA fatigue” approval spam.

Hardware Keys

FIDO2 Physical key (YubiKey)

🟢 High

Cryptographically phishing-resistant.

NIST Deprecates SMS 2FA

The National Institute of Standards and Technology (NIST) has officially deprecated SMS for two‑factor authentication. Due to the high frequency of SIM-swapping attacks and network interception, text-based codes are no longer considered acceptable for enterprise defense.
Scroll to Top