Two-Factor Authentication
An authentication scheme requiring exactly two independent factors — typically something the user knows (password) plus something they have (phone, security key) or are (biometric).
2FA and MFA differ in count but not always in security. Two strong factors (password plus passkey, or passkey with biometric verification) are more secure than three weak factors (password plus SMS plus security question). The recurring mistake is treating the factor count as the security metric; the right metric is the resistance properties of each factor — replay resistance, phishing resistance, verifier impersonation resistance.
Passkeys present an interesting taxonomic question: a passkey on a device with biometric unlock is technically two factors (something you have — the device — and something you are — the biometric) in a single user interaction. NIST treats this as a single multi-factor cryptographic authenticator meeting AAL2 by itself; in practice, deployments increasingly treat a passkey as a complete authentication rather than half of a 2FA pair.
In the guides
MFA vs 2FA: Are They the Same Thing?
2FA is two factors. MFA is two or more. The terms are often used interchangeably, and that's mostly fine — but the security-meaningful difference is in the factor quality, not the count.
Multi-Factor Authentication (MFA): A 2026 Practitioner's Guide
How to roll out MFA in CIAM in 2026: factor selection, adoption, recovery design, anti-patterns, and where SMS OTP no longer meets the standard.
Deprecating SMS OTP in 2026: Why, When, and How
NIST SP 800-63-4 places SMS OTP outside AAL2. The 2026 question is how to migrate the install base off SMS, what to replace it with, in what order, and the patterns that work.