What is 2FA (Two-Factor Authentication)?
Turkish: 2FA
2FA adds a second proof, such as an authenticator app, SMS code, or security key, on top of a password during sign-in.
What is 2FA?
2FA (two-factor authentication) requires a user to prove more than just something they know, such as a password. The second proof usually comes from something the user has, like a phone, authenticator app, or hardware security key.
Authentication factors are commonly grouped as something you know, something you have, and something you are. 2FA combines at least two of those groups. A login can pair a password with a TOTP code, a WebAuthn security key, or a mobile push approval.
Methods and Trade-Offs
- TOTP apps: Google Authenticator, 1Password, and similar apps derive a short-lived code (usually six digits, rotating every 30 seconds) from a shared secret and the current time, as specified in RFC 6238. The secret stays on the device after enrollment, but a code typed into a phishing page can be relayed to the real site before it expires.
- Push approval: The user approves a login prompt in a mobile app. Attackers abuse this by sending repeated prompts until the user taps approve (push fatigue, also called MFA bombing), so number matching or showing the requesting application and location is needed.
- SMS code: Easy to adopt, but weaker against SIM swap, telecom-side interception, and real-time phishing, because the code travels over a channel the service does not control.
- Hardware key: FIDO2/WebAuthn keys provide strong phishing resistance because the key signs a challenge bound to the site's origin, so a lookalike domain cannot obtain a response the real site will accept.
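To make the TOTP bullet concrete, here is an added example (not code from this page or from any of the apps named above) that implements RFC 6238 code generation and the server-side check a service performs: a one-step clock-skew window, constant-time comparison, and rejection of replayed codes. The function names hotp, totp, verify_totp and provisioning_uri are my own; the secret in the usage block is the RFC 6238 test vector and must never be used for a real account.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

# Added example: RFC 4226 HOTP and RFC 6238 TOTP (HMAC-SHA1, 30 s step), plus
# the verification logic a server needs. Function names are hypothetical.


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """The HOTP counter is the number of whole time steps since the Unix epoch."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, submitted: str, at: int, step: int = 30,
                digits: int = 6, window: int = 1, last_counter=None):
    """Accept a code from the current step or up to `window` steps either side.

    Returns (accepted, counter_to_persist). Store the accepted counter per user
    and pass it back as last_counter so a code cannot be replayed while it is
    still inside the window.
    """
    counter = at // step
    for drift in range(-window, window + 1):
        candidate = counter + drift
        if last_counter is not None and candidate <= last_counter:
            continue  # already consumed, or older than a consumed step
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return True, candidate
    return False, last_counter


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI in the Key URI Format that authenticator apps import via QR code."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")


if __name__ == "__main__":
    # RFC 6238 Appendix B test secret; a real enrollment uses secrets.token_bytes(20).
    secret = b"12345678901234567890"
    print(totp(secret, 59, digits=8))         # 94287082 per the RFC test vectors
    print(totp(secret, int(time.time())))     # live six-digit code
    print(provisioning_uri(secret, "alice@example.com", "Example"))
```

The window of one step on each side tolerates small clock drift between phone and server; widening it beyond that mostly helps attackers, and the persisted last counter is what stops a code captured by a phishing relay from being submitted twice.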
Business Use
2FA is a baseline control for admin panels, payment flows, customer portals, VPN access, and remote work tooling. It is the two-factor case of MFA, which can add further factors and contextual checks such as device posture or location; OAuth 2.0 is a different concern and addresses delegated authorization between applications, not sign-in strength.
The operational details matter: backup codes, device replacement, and support-team identity checks should be designed before rollout. An attacker who cannot beat the second factor will try the recovery and reset flows instead, so account recovery can otherwise become the weakest part of the system.
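The recovery point above is where many rollouts fail, so here is an added example (my own, not code from this page) of backup codes done the way a practitioner would want: codes shown to the user once, stored only as salted PBKDF2 hashes, accepted with or without the separators users type, and consumed on first use. The names issue_backup_codes and redeem_backup_code are hypothetical.

```python
import hashlib
import hmac
import secrets

# Added example: single-use backup codes stored hashed. Names are hypothetical.
PBKDF2_ROUNDS = 50_000  # slow hash so a leaked table cannot be brute-forced cheaply


def normalize(code: str) -> str:
    """Strip the dashes and spaces users add when typing, case-insensitively."""
    return code.replace("-", "").replace(" ", "").lower()


def _hash(code: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", normalize(code).encode(), salt, PBKDF2_ROUNDS)


def issue_backup_codes(count: int = 10):
    """Return (plaintext codes to display once, records to persist for the user)."""
    plaintext, records = [], []
    for _ in range(count):
        raw = secrets.token_hex(8)  # 64 bits of entropy per code
        code = "-".join(raw[i:i + 4] for i in range(0, 16, 4))  # xxxx-xxxx-xxxx-xxxx
        salt = secrets.token_bytes(16)
        plaintext.append(code)
        records.append({"salt": salt, "hash": _hash(code, salt), "used": False})
    return plaintext, records


def redeem_backup_code(records, submitted: str) -> bool:
    """Consume the matching unused code. Every unused record is checked, with no
    early return, so response time does not reveal which position matched."""
    matched = None
    for rec in records:
        if rec["used"]:
            continue
        if hmac.compare_digest(_hash(submitted, rec["salt"]), rec["hash"]):
            matched = rec
    if matched is None:
        return False
    matched["used"] = True  # single use: a captured code cannot be replayed
    return True


if __name__ == "__main__":
    codes, stored = issue_backup_codes()
    print("Show these once and never again:", codes)
    print(redeem_backup_code(stored, codes[0]))  # True
    print(redeem_backup_code(stored, codes[0]))  # False: already consumed
```

Redemption should sit behind the same rate limiting as the password field, and issuing a new set should invalidate the old one and notify the user, otherwise the recovery path is weaker than the factor it backs up.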
Related Terms
- Brute Force Attack: A brute force attack tries many password or key combinations automatically until one works, often targeting login and admin panels.
- Credential Stuffing: Credential stuffing is an account takeover attack that automatically tests leaked usernames and passwords across many services.
- MFA (Multi-Factor Authentication): MFA protects sign-ins by requiring extra factors such as an authenticator app, device prompt, biometrics, or a security key.
- OAuth 2.0: OAuth 2.0 is an authorization framework that allows third-party applications to access resources without the user's password.
- Passkey: A passkey is a phishing-resistant sign-in method that uses a device-held private key plus biometric or PIN approval instead of passwords.
- WebAuthn: WebAuthn is a web standard that lets browsers use security keys and passkeys for strong, passwordless authentication.