Auth & SecurityIn 2012, a hacker broke into a journalist's Apple, Twitter, and Gmail accounts in under an hour. The attack did not involve guessing passwords or exploiting software vulnerabilities. The attacker called Amazon support, social-engineered enough personal information to reset the Apple ID password, then used the Apple email to reset everything else. One factor, a password, was the only thing standing between the attacker and total account takeover. This is not a historical curiosity. Credential-based attacks account for over 80% of breaches today.
The password problem
Passwords have a fundamental design flaw: they are a shared secret. You know the password, and the server knows a hash of it. If either side is compromised, the password is gone. And in practice, both sides get compromised constantly.
Why passwords fail in the real world
| Failure mode | How it works | Scale of the problem |
|---|---|---|
| Password reuse | Users pick the same password across multiple sites | 65% of people reuse passwords across services |
| Credential stuffing | Attackers take leaked credentials from one breach and try them everywhere | Billions of leaked credentials are freely available |
| Phishing | Fake login pages trick users into entering real credentials | Phishing is the #1 initial attack vector in data breaches |
| Brute force | Automated tools try millions of password combinations | An 8-character password can be cracked in hours with modern GPUs |
| Keyloggers | Malware records everything the user types | A single infected machine compromises every account accessed from it |
| Shoulder surfing | Someone watches you type your password | Low-tech but effective in public spaces |
The math is not in your favor. Even if your application hashes passwords correctly with bcryptWhat is bcrypt?A widely used password hashing algorithm that is intentionally slow to make brute-force cracking impractical. It automatically generates and embeds a salt in the hash output. and enforces strong password policies, you cannot control what users do. They will reuse their password from the site that got breached last month. They will fall for a well-crafted phishing email. They will type their password on a compromised computer at a coffee shop.
What two-factor authenticationWhat is 2fa?Two-factor authentication - requiring a second verification step (like a phone code) on top of your password to prove it's really you. adds
Two-factor authentication (2FA) requires users to prove their identity with two different types of evidence. Even if an attacker steals the password, they cannot log in without the second factor.
The concept is simple: a password is something you know. 2FA adds something you have (a phone, a hardware key) or something you are (a fingerprint, a face scan). Compromising two independent factors is exponentially harder than compromising one.
The three factor categories
| Factor | Category | Examples | Strength |
|---|---|---|---|
| Something you know | Knowledge | Password, PIN, security questions | Weakest, can be guessed, phished, or leaked |
| Something you have | Possession | Phone with authenticator app, hardware key, smart card | Strong, requires physical access to the device |
| Something you are | Inherence | Fingerprint, face scan, iris scan, voice recognition | Strong, difficult to replicate, but not revocable |
True 2FA requires factors from two different categories. A password plus a security question is not 2FA, both are knowledge factors. A password plus an authenticator app code is 2FA, knowledge plus possession.
What 2FA does and does not protect against
2FA dramatically reduces the impact of credential theft. If an attacker obtains a user's password through a breach, they still cannot log in without the second factor. Phishing attacks become harder because the attacker needs to capture both the password and the time-sensitive code in real time.
But 2FA is not invincible. Sophisticated phishing kits can act as a real-time proxy, capturing the 2FA code as the user enters it and immediately replaying it to the real server. SIM swapping can compromise SMS-based 2FA. Social engineering can trick support agents into bypassing 2FA. No single security measure is a silver bullet, but 2FA raises the cost of an attack from trivial to substantial.
Why every serious app needs 2FAWhat is 2fa?Two-factor authentication - requiring a second verification step (like a phone code) on top of your password to prove it's really you.
If your application stores user data, personal information, financial records, health data, business documents, you need 2FA. Not as a premium feature. Not as an afterthought. As a core part of the authenticationWhat is authentication?Verifying who a user is, typically through credentials like a password or token. system.
Regulatory expectations are increasing. PCI DSS requires multi-factor authentication for administrative access. HIPAA requires it for accessing electronic health records remotely. SOC 2 auditors expect it. GDPRWhat is gdpr?A European regulation that gives users control over their personal data, including the right to access, delete, and export it. does not mandate specific technologies, but "appropriate technical measures" increasingly means 2FA in practice.
User expectations are rising. Every major platform, Google, Apple, Microsoft, GitHub, either offers or enforces 2FA. Users who care about security will judge your application by whether it supports it. Enterprise customers will require it before signing a contract.
The cost of not having it is concrete. A single compromised admin account without 2FA can lead to a data breach that costs millions in fines, legal fees, and reputation damage. Implementing TOTPWhat is totp?Time-based One-Time Password - a 6-digit code generated from a shared secret and the current time, changing every 30 seconds. Powers authenticator apps.-based 2FA costs days of development time. The return on investment is not debatable.
Real breach examples where 2FAWhat is 2fa?Two-factor authentication - requiring a second verification step (like a phone code) on top of your password to prove it's really you. would have helped
| Breach | Year | Root cause | Would 2FA have helped? |
|---|---|---|---|
| Dropbox | 2012 | Employee reused password from LinkedIn breach | Yes, stolen password alone would not have been enough |
| 2020 | Employees phished for internal tool credentials | Partially, TOTP would have slowed the attack, hardware keys would have stopped it | |
| Colonial Pipeline | 2021 | Compromised VPN password with no 2FA | Yes, the VPN account had no second factor at all |
| Uber | 2022 | Social engineering of employee's 2FA push notifications | No, attacker spammed push approvals until the employee accepted one |
The Uber breach is instructive. 2FA was enabled, but it was push-based, and the attacker bombarded the employee with approval requests until fatigue won. This is called an MFA fatigue attack, and it is why the type of 2FA matters, not just whether it exists. Number matching (where the user must enter a code displayed on the login screen) and hardware keys are resistant to this attack.
How 2FAWhat is 2fa?Two-factor authentication - requiring a second verification step (like a phone code) on top of your password to prove it's really you. fits into the authenticationWhat is authentication?Verifying who a user is, typically through credentials like a password or token. flow
The standard 2FA login flow adds one step after password verification:
- User enters username and password
- Server verifies the password hash
- If correct, server prompts for the second factor
- User provides the second factor (TOTPWhat is totp?Time-based One-Time Password - a 6-digit code generated from a shared secret and the current time, changing every 30 seconds. Powers authenticator apps. code, hardware key tap, push approval)
- Server verifies the second factor
- SessionWhat is session?A server-side record that tracks a logged-in user. The browser holds only a session ID in a cookie, and the server looks up the full data on each request. is created only after both factors pass
The critical implementation detail: the session must not be created after step 2. If you issue a session tokenWhat is token?The smallest unit of text an LLM processes - roughly three-quarters of a word. API pricing is based on how many tokens you use. after password verification and then check the second factor as a separate step, an attacker who steals the session token after step 2 bypasses 2FA entirely. The session is only valid after both factors are verified.