What does adding 2FA (e.g. a code to your phone) accomplish, and what are the "factors"?
It requires two independent factors — "something you know" (password) + "something you have" (your phone) — so a stolen password alone isn't enough.
The three classic authentication factor categories:
- Something you know — password, PIN.
- Something you have — phone, hardware token, smartcard.
- Something you are — fingerprint, face (biometric).
In the flow: after the password matches, the app sends a code to the user's mobile phone; the user enters it, and only then is access granted. An attacker who phished the password still lacks the second factor.
The catch: classic 2FA (SMS/OTP codes) is still based on shared secrets and can be phished in real time — a fake site relays your code instantly. It raises the bar a lot, but it's not phishing-proof.
Tip: Two factors must be different categories to count. Password + security question = still just "something you know" twice.