What is 2FA (Two-Factor Authentication)?

Turkish: 2FA

2FA adds a second proof, such as an authenticator app, SMS code, or security key, on top of a password during sign-in.

What is 2FA?

2FA (two-factor authentication) requires a user to prove more than just something they know, such as a password. The second proof usually comes from something the user has, like a phone, authenticator app, or hardware security key.

Authentication factors are commonly grouped as something you know (password, PIN), something you have (phone, authenticator app, security key), and something you are (biometric). 2FA pairs two factors from different groups; a password plus a security question is still a single "know" factor and does not count. A login can pair a password with a TOTP code, a WebAuthn security key, or a mobile push approval.

Methods and Trade-Offs

  • TOTP apps: Google Authenticator, 1Password, and similar apps generate short-lived codes from a secret shared at enrolment. The codes are not phishing-resistant: a fake login page can relay a freshly typed code to the real site within its validity window.
  • Push approval: The user approves a login prompt in a mobile app. Extra checks such as number matching are needed to prevent push fatigue, where an attacker who already has the password sends repeated prompts until the user taps "approve".
  • SMS code: Easy to adopt, but weaker against SIM swap and other telecom-side attacks, and the code can be phished like any typed code.
  • Hardware key: FIDO2/WebAuthn keys provide strong phishing resistance because the key's signature is bound to the origin of the site being visited, so a challenge relayed through a look-alike domain does not verify.

Business Use

2FA is a baseline control for admin panels, payment flows, customer portals, VPN access, and remote work tooling. MFA is the broader term: two or more factors, optionally combined with contextual checks such as device health or location. OAuth2 is a separate concept that addresses delegated authorization between applications, not how a user proves identity.

The operational details matter: backup codes, device replacement, and the identity checks a support team performs before resetting a factor should be designed before rollout. Otherwise account recovery becomes the weakest part of the system, and an attacker simply asks the help desk to turn 2FA off.