In today’s digital world, passwords are no longer enough to secure accounts. If stolen or guessed, anyone can access your personal data. This is where Two-Factor Authentication (2FA) comes in. It adds a second layer of protection, usually through a six-digit code generated on your phone.

The most widely used system is Time-based One-Time Passwords (TOTP), implemented by apps like Google Authenticator. When you set up 2FA, the service and your phone app share a secret key, usually via QR code. Using this key and the current time, both your app and the server run the same cryptographic calculation to generate matching codes.

The calculation relies on HMAC-SHA-256, a secure hashing process, and divides time into 30-second intervals. Each interval produces a new six-digit code, valid only once. Even if an attacker intercepts the code, it becomes useless after 30 seconds.

This makes 2FA far more secure than a password alone, since attackers need both your password and physical access to your phone. Other variations include push notifications or hardware tokens, but the principle remains the same: proving identity with two factors, something you know and something you have.