2FA and 2SV, two-factor authentication and two-step verification respectively, are excellent ways to increase security for digital accounts.
Computer security can be thought of as a triangle. The three points on the triangle are:
Something you know (password)
Something you have (RSA key, SMS code, hardware key, etc)
Something you are (fingerprint, retinal scan, vascular scan, etc)
The more points of the triangle involved in authentication the more secure the system and the harder it is to gain unauthorized access.
2FA/2SV uses 2 points of the triangle. For various reasons, mostly technological, the second factor of authentication is commonly "something you have" but can be "something you are". If it isn't already obvious, some systems allow you to have 3FA/3SV, but they are uncommon.
The common forms of 2FA/2SV are:
1) SMS or text message delivered code - This is better than nothing, but with SIM card cloning or social engineering all an attacker needs is a means of having those texts/SMS sent to an alternative device to defeat this system. Not easy but not hard either.
2) Voice call from an automated system - Same as 1 above but uses a voice call instead of a text/SMS.
3) Email code - This sends an email to the registered address on file with a 6 to 8 digit code. This system relies on the email account not being compromised and largely relies on the email servers being well maintained and the user having a strong password.
4) TOTP app on a smart phone - One of the most secure methods for 2FA/2SV. This uses an app to generate a 30 second rotating code which uses complex math to prevent prediction of the next code. Google Authenticator, Duo Security, Microsoft and a number of other organizations have these apps available for free download.
5) Hardware authentication key - This is a physical device, commonly USB, that is plugged into the computer or smartphone to provide the authentication. It is the most secure method commonly available. Google and a number of other companies offer such devices for sale.
TOTP stands for Time-based One Time Password. This system uses factoring of very large prime numbers along with other math to generate unpredictable codes. No matter how many previous codes you have, you can never predict what the next code will be. The app on your smartphone and the server you are authenticating against both have the same "seed" number, and the timing is important: at any given moment of the day the matching code can be calculated on both devices simultaneously, so they can authenticate with each other. Because of the 30 second lifespan of the code, the unpredictable nature of the code and the unknown "seed", this method is highly secure. To compromise this method an attacker would need to have your phone or know the initial seed. The initial seed is lost once the authentication is added to the app. The seed is commonly given as a QR code, one of those square barcode checkerboard patterns, which is scanned by the app using the smartphone camera at the time of setup. Once that QR code is gone from the computer screen it is irretrievable and so cannot be duplicated. The seed then exists only in the smartphone app and the authenticating server.
TOTP is an extension of HOTP, or HMAC-based One Time Password, which in turn is based on HMAC, or Hash-based Message Authentication Code. For the curious, here are the Wikipedia articles on each:
TOTP - Time-based One-time Password algorithm - Wikipedia
HOTP - HMAC-based One-time Password algorithm - Wikipedia
HMAC - HMAC - Wikipedia
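How the app and the server can each compute the same code from the shared seed and the clock, following the published HOTP (RFC 4226) and TOTP (RFC 6238) specifications with HMAC-SHA1. This is an added example, not code from the original article; the seed is the constructed RFC test value, and the function names, the 6-digit length and the one-step drift window are assumptions.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30      # seconds each code is valid, as described above
DIGITS = 6     # assumed code length; most authenticator apps use 6

def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over an 8-byte counter, then truncate."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation offset
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(seed: bytes, now: float, digits: int = DIGITS) -> str:
    """TOTP (RFC 6238): HOTP where the counter is the 30-second time step."""
    return hotp(seed, int(now) // STEP, digits)

def decode_seed(b32: str) -> bytes:
    """Decode the base32 seed text that a setup QR code typically carries."""
    b32 = b32.replace(" ", "").upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))

def verify(seed: bytes, code: str, now: float, last_step: int = -1, drift: int = 1):
    """Server-side check. Accepts +/- `drift` steps of clock skew and rejects
    any step at or before `last_step`, so a captured code cannot be replayed.
    Returns the matched step (store it as the new last_step) or None."""
    current = int(now) // STEP
    for step in range(current - drift, current + drift + 1):
        if step <= last_step:
            continue
        if hmac.compare_digest(hotp(seed, step), code):  # constant-time compare
            return step
    return None

# Constructed sample: the RFC 6238 test seed, base32-encoded as an app would store it.
SAMPLE_SEED = decode_seed("GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ")

if __name__ == "__main__":
    t = 1234567890
    code = totp(SAMPLE_SEED, t)
    print("code:", code)
    step = verify(SAMPLE_SEED, code, t)
    print("first use accepted at step", step)
    print("replay:", verify(SAMPLE_SEED, code, t, last_step=step, drift=0))
```

The server has to keep both the seed and the last accepted step per account; the seed is the secret that needs protecting at rest on both the phone and the server.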
Hardware authentication keys are the most secure as they require the use of a physical device that is unique and cannot be duplicated. If the physical key is lost or destroyed, the 2FA/2SV on that account must be removed and set up anew with a new hardware key. This is more common in businesses, since there will be an IT department that can have administrator access and remove the 2FA/2SV. An individual using a personal @gmail.com account may have extensive difficulty in trying to recover an account with a lost hardware key.
Here is the link to the Google Titan Security Key store page -
Many systems such as Google allow for the creation of one time bypass codes. This is a set of about 8-10 numeric sequences that are meant to be printed on a page of paper and stored in a safe place. Should the 2FA/2SV device be lost/stolen/destroyed the user can authenticate using one of these codes. Each code is usable only once and the Google account shows if codes have been created and if any have been used.
While having 2FA/2SV on any and all systems that support it is highly valuable and increases your security dramatically, it is vitally important to consider how you would regain access to these various accounts if you were to lose your PC, laptop, tablet, smartphone or hardware key.