Two-Factor Authentication (also called multi-factor authentication or 2FA, and given a number of other names by various sites/accounts) uses a secondary channel to verify your access to an account. This can be digital (such as receiving a code via text, email, or app) or physical (such as requiring a card reader or other USB device to be connected before continuing). For most online accounts, most users will see the digital options more readily. Some accounts will automatically email you an authorization code to log in if they detect a "new" browser or if it has been some time since your last access. Others require set-up to get 2FA.
Common methods of 2FA that you might see on your accounts (listed roughly from least secure to most secure) are:
- email: you receive a code via your account email
- text: you receive a text (SMS) that has a code on a phone number associated with the account
- app: you use a 2FA app such as Authy, Duo Mobile, or Google Authenticator to generate a code
Different sites/accounts have different ways of handling it, so it is impossible to list them all here, but there are sites like TwoFactorAuth.org that list many common websites and give links to set-up information.
2FA is sometimes touted as being an answer to issues that plague security questions (and password-based security in general), and it can help with a number of security problems. There are, of course, issues. If your email uses the same password as the account being hacked, or if your email is compromised first, then having codes sent to your email does not stop any attempt at hacking. Texts are harder to spoof, but there are ways to clone SIM cards or to intercept texts. Both texts and app-based 2FA require you to have access to your phone and could lead to issues if your phone is lost or otherwise compromised.
Should you use it? Probably. At least on those accounts that are of particular importance to you and/or would result in notable damages if you lost them (email, bank accounts, important accounts to you such as gaming sites, etc.). It is good to at least familiarize yourself with the concepts and with what is available, though with the caveat that knowing what security options are available is not much help if you wait until after your account is compromised to implement them. Identify the most important accounts and try it there, and if you are amenable to the workflow it requires, then expand to accounts of lesser importance.