Two-Factor Authentication & Passkeys: A Plain-English Guide
By Sophie Bennett · 8 min read
Two-factor authentication adds a second check on top of your password, so a stolen password alone is not enough to get into your account. Passkeys take this a step further by replacing the password entirely with something far harder to steal. If you only do one thing after reading this, turn on the strongest second step your important accounts offer — ideally an authenticator app or a passkey rather than a text message.
What two-factor authentication actually is
Logging in normally relies on one thing: something you know, your password. The trouble is that passwords leak, get guessed and get phished. Two-factor authentication, usually shortened to 2FA, asks for a second, different kind of proof. That second factor is typically something you have — your phone, an app or a small hardware key — or something you are, such as a fingerprint or face scan.
The idea is simple but powerful. Even if a criminal has your password, they almost certainly do not have your unlocked phone in their hand. That single extra step blocks the overwhelming majority of opportunistic account takeovers, which is why it is the most valuable upgrade you can make after using strong, unique passwords.
The three common types of second factor
1. Text message (SMS) codes
You receive a short code by text and type it in. This is the most familiar form and, crucially, it is much better than no second factor at all. Its weakness is that text messages can be redirected. In a SIM-swap, an attacker convinces a mobile network to move your number to their device, and convincing fake login pages can also capture a code in real time. Use SMS if it is the only option, but treat it as the weakest tier.
2. Authenticator apps
An app on your phone generates a fresh six-digit code every thirty seconds, calculated from a secret shared once during setup. Because nothing travels over the mobile network, there is no text to intercept and SIM-swapping does not help an attacker. This is a strong, free, widely supported choice and a sensible default for most people.
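To make the thirty-second code concrete, here is a small Go program (an added example, not code from the original guide or from any particular authenticator app) that does the arithmetic an authenticator app does: it decodes the secret shared at setup, derives the code from the clock, and checks a submitted code the way a site would. The secret is the published RFC 6238 test key, used here as constructed sample input.

```go
package main
import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"time"
)

// Constructed example secret in the base32 form the setup QR code carries (the RFC 6238 test key).
const setupSecretB32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
// decodeSecret recovers the raw key bytes that the app and the site both keep after setup.
func decodeSecret(b32 string) ([]byte, error) {
	return base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(b32)
}
// hotp is RFC 4226: HMAC-SHA1 over the counter, dynamic truncation, then six decimal digits.
func hotp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}
// totp is RFC 6238: the counter is the number of 30-second steps since the Unix epoch,
// which is why the code rolls over every thirty seconds and needs no network at all.
func totp(secret []byte, unixTime int64) string {
	return hotp(secret, uint64(unixTime/30))
}
// verifyTOTP is the site's check: accept the current step and one step either side
// (clock drift), comparing in constant time so response timing does not leak the code.
func verifyTOTP(secret []byte, submitted string, unixTime int64) bool {
	step := unixTime / 30
	for d := int64(-1); d <= 1; d++ {
		if subtle.ConstantTimeCompare([]byte(hotp(secret, uint64(step+d))), []byte(submitted)) == 1 {
			return true
		}
	}
	return false
}

func main() {
	secret, _ := decodeSecret(setupSecretB32)
	fmt.Println("code right now:", totp(secret, time.Now().Unix()))
}
```

Because the app and the site run the same calculation from the same stored secret, nothing has to be sent to the phone, which is exactly why SIM-swapping gains an attacker nothing here.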
3. Hardware keys and passkeys
A physical security key, or a passkey stored on your device, provides the strongest everyday protection. These use cryptography that is tied to the genuine website, so even a convincing fake page cannot trick them. We will look at passkeys properly in a moment, because they are quickly becoming the gold standard.
Passkeys, explained simply
A passkey is a modern replacement for the password. When you create one, your device generates a matched pair of keys. The public half is stored by the website; the private half never leaves your device and is unlocked by your fingerprint, face or screen lock. To sign in, your device proves it holds the private key without ever revealing it.
This design quietly removes several classic problems at once. There is no password to reuse across sites, nothing memorable to guess, and nothing useful for a fake page to steal — a passkey only works on the real website it was made for. For a deeper look at why reuse is so risky, see our guide on why reusing passwords is so dangerous.
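The sketch below is an added example in Go, not code from the original guide or from any real passkey implementation; it simplifies the WebAuthn sign-in flow to show why a passkey only works on its own site: the browser bakes the page's real address (its origin) into what the device signs, so a signature made on a look-alike page is rejected by the genuine site. The site name example.com and the challenge bytes are assumed, constructed values.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)
// Passkey is the private half: it lives on the device and is never sent to anyone.
// rpID is the site it was created for ("example.com" below is an assumed name).
type Passkey struct {
	priv *ecdsa.PrivateKey
	rpID string
}
// register is creation: the device makes a key pair and the site stores only the public half.
func register(rpID string) (*Passkey, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Passkey{priv: priv, rpID: rpID}, &priv.PublicKey, nil
}
// signedData is a simplified version of what the browser signs in WebAuthn: a hash of the
// site ID plus a hash of the origin and the site's random challenge. The browser fills in
// the origin from the address bar, so a look-alike page cannot claim to be the real site.
func signedData(rpID, origin string, challenge []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	clientHash := sha256.Sum256(append([]byte(origin+"|"), challenge...))
	msg := sha256.Sum256(append(rpHash[:], clientHash[:]...))
	return msg[:]
}
// authenticate is sign-in: the device proves it holds the private key by signing;
// the key itself never leaves the device.
func (p *Passkey) authenticate(origin string, challenge []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, p.priv, signedData(p.rpID, origin, challenge))
}
// verify is the genuine site's check with the stored public key, its own origin and the
// challenge it issued; a signature made on another origin, or for another challenge, fails.
func verify(pub *ecdsa.PublicKey, rpID, origin string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, signedData(rpID, origin, challenge), sig)
}
func main() {
	pk, pub, _ := register("example.com")
	challenge := []byte("constructed-random-challenge") // a real site draws this at random
	good, _ := pk.authenticate("https://example.com", challenge)
	fake, _ := pk.authenticate("https://examp1e.com", challenge) // signed on a look-alike page
	fmt.Println("genuine page:", verify(pub, "example.com", "https://example.com", challenge, good))
	fmt.Println("look-alike page:", verify(pub, "example.com", "https://example.com", challenge, fake))
}
```

In a real browser the look-alike page would not even get that far, because WebAuthn refuses to use a passkey whose site ID does not match the page's domain; the check shown here is the second line of defence on the site's side.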
Passkeys usually sync securely across your devices through your platform or password manager, and you can approve a sign-in on a laptop by confirming on your nearby phone. In practice it feels like unlocking your phone — quick and familiar — while being dramatically more resistant to phishing.
How to turn the strongest option on
Most services keep these controls under Settings, then Security or Sign-in. Look for headings such as Two-step verification, Two-factor authentication or Passkeys. The general path is the same everywhere:
- Open the account's security settings and choose to add a second step or a passkey.
- If offered, pick a passkey or an authenticator app over SMS.
- For an authenticator app, scan the on-screen code with the app and enter the six-digit code it shows to confirm.
- Save your backup or recovery codes. Store them offline somewhere safe — they are your way back in if you lose your phone.
Start with the accounts that matter most: your email, your password manager and your banking. Securing your inbox is especially important, because it can reset almost everything else — our guide on how to secure your email walks through it step by step.
Common worries, settled
People often hesitate over two fears: being locked out, and the hassle. Lock-out is solved by saving recovery codes and registering more than one method where possible, such as a passkey on two devices. The hassle is smaller than expected — many services only re-prompt on new devices or occasionally, so day-to-day life barely changes while your protection rises sharply.
And none of this replaces good passwords; it layers on top of them. A long, random password from our password generator, combined with a strong second factor, is a genuinely tough combination to beat. If you want to sanity-check an existing password first, our password analyser estimates its strength right in your browser.
The bottom line
Two-factor authentication turns a stolen password into a dead end, and passkeys remove the stealable password almost entirely. Turn on the strongest option your key accounts offer, keep your recovery codes somewhere safe, and you will have closed the door on the most common kind of account takeover.
Frequently asked questions
Is SMS two-factor authentication still worth using?
Yes — any 2FA is far better than none. But if an authenticator app or a passkey is offered, choose that instead, because text codes can be intercepted through SIM-swapping and phishing.
What happens if I lose my phone with the authenticator app?
This is why you save backup codes when you set 2FA up. Store them somewhere safe and offline. Many authenticator apps also let you back up encrypted copies so you can restore them on a new device.
Are passkeys safer than passwords?
For most people, yes. A passkey cannot be reused, guessed or phished in the usual way, because the secret never leaves your device and only works on the genuine website it was created for.
Do I still need a password if I use a passkey?
Often the account still has a password as a fallback, so keep it strong and unique. Over time some services may let you remove the password entirely once a passkey is set up.
Can I use the same passkey on my phone and laptop?
Yes. Passkeys sync through your platform or password manager, and you can also approve a sign-in on a nearby device, so one account can be reached from several of your gadgets.
This article is general online-safety education, not professional security advice.