Authentication factors: 1) Knowledge (password, PIN), 2) Possession (phone, token), 3) Biometric (fingerprint, face). 2FA requires two different factors. Passwords alone are not enough — data breaches have exposed billions of them. SMS 2FA is the weakest option (SIM swapping attack). Authenticator apps (Google Authenticator, Authy) use TOTP (Time-based One-Time Password) — significantly more secure.
Hardware keys (YubiKey) are the strongest option and protect against phishing. Passkeys (WebAuthn/FIDO2) are the future technology that replaces passwords entirely. When implementing 2FA in an app: a TOTP library (OTPHP for PHP), backup codes functionality, and requiring 2FA during password recovery are all important.
Our courses on this topic