Two-factor authentication (2FA) is a method of authentication for online services that goes beyond the traditional username and password. It works by requiring a user to prove that they are who they say they are in two ways: with something they have and something they know.
When two-factor authentication is enabled, the user is asked to provide a combination of (usually two) authenticators, one from each category above: something the user knows, such as a password, and something the user has, such as a separate authenticating device (usually a short code provided by a mobile phone), or a biometric identifier like a fingerprint or retina scan. Unless the user has both the account password and the device generating or receiving the random code, they will not be able to establish their identity and access the account. Neither will a hacker who has only been able to obtain the user’s password, whether through a phishing attack or otherwise.
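As an added illustration (not part of the original page), the sketch below shows a login check that succeeds only when both factors are presented. It assumes the short code is a time-based one-time password (RFC 6238) and that the password is stored as a salted PBKDF2 hash; the function names and account fields are hypothetical.

```python
import hashlib, hmac, os, struct

def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code (HMAC-SHA1): what the user's device would display at time `at`."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def enroll(password: str) -> dict:
    """Create a server-side account record (hypothetical layout)."""
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt),
            "totp_secret": os.urandom(20),  # shared once with the user's device
            "last_counter": -1}             # highest time step already used

def login(account: dict, password: str, code: str, now: float, step: int = 30) -> bool:
    # Factor 1: something the user knows.
    knows = hmac.compare_digest(hash_password(password, account["salt"]),
                                account["pw_hash"])
    # Factor 2: something the user has. Accept one step of clock drift either
    # way, but never a time step that was already used (replay protection).
    matched = None
    current = int(now) // step
    for counter in (current - 1, current, current + 1):
        expected = totp(account["totp_secret"], counter * step, step)
        if (hmac.compare_digest(expected.encode(), code.encode())
                and counter > account["last_counter"]):
            matched = counter
    # Both checks always run, so the response does not reveal which factor failed.
    if knows and matched is not None:
        account["last_counter"] = matched
        return True
    return False

if __name__ == "__main__":
    now = 1_700_000_000  # constructed timestamp for the demo
    acct = enroll("correct horse")
    code = totp(acct["totp_secret"], now)
    print("password only:     ", login(acct, "correct horse", "", now))
    print("password and code: ", login(acct, "correct horse", code, now))
    print("same code replayed:", login(acct, "correct horse", code, now))
```

A stolen password on its own fails the second check, and a code that was already accepted cannot be reused within its validity window.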