Account Security

Examples of Two-Factor Authentication (What Counts as 2FA)

A clear answer to the quiz-style question — plus what two-factor authentication is, which methods are strongest, how to turn it on, and what to know before you turn it off.

Which of the following is an example of two-factor authentication? A one-time code from an authenticator app, a text message with a login code, tapping a hardware security key, approving a sign-in prompt on your phone, or using your fingerprint or face on a device you already own — all of these count. Each one adds a second proof beyond your password: something you have (your phone, your key) or something you are (your biometric). A second password, a security question, or typing your email twice does not count — those are still just something you know.

That distinction matters because stolen passwords are routine. In penetration tests and phishing simulations, the first thing attackers go after is your login — and a password alone is often enough. Two-factor authentication (2FA) closes that gap. Below is a plain-language guide to what 2FA is, real examples you will see on quizzes and in real life, which methods are strongest, and how to set it up — or turn it off, if you absolutely must.

What is two-factor authentication?

Two-factor authentication means you prove your identity in two different ways before an account lets you in. The first factor is almost always your password — something you know. The second factor must come from a different category: something you have (a phone, a security key) or something you are (a fingerprint or face scan on a trusted device).

You will also see the term multi-factor authentication (MFA). MFA is the broader idea — two or more factors. When a site says "enable MFA," it usually means turn on 2FA at minimum.

Why bother? Because most account takeovers start with a password that was phished, guessed, reused, or leaked in a breach. With 2FA enabled, a stolen password is not enough — the attacker still needs your phone, your key, or your biometric. CISA states that using multi-factor authentication makes you 99% less likely to be hacked. Frameworks from NIST treat MFA as a baseline defense for important accounts. In my work as a penetration tester, accounts without 2FA are consistently the fastest to compromise.

Examples of two-factor authentication

Certification quizzes and security-awareness tests love this question format: "Which of the following is an example of two-factor authentication?" Here is how to answer it every time — and how to recognize 2FA in the wild.

What counts as 2FA

These are real examples of two-factor authentication

  • Authenticator app code — You open Google Authenticator, Microsoft Authenticator, or Authy and enter the six-digit code that changes every 30 seconds.
  • SMS text code — The site texts a one-time code to your phone; you type it in after your password. Weaker than an app, but still 2FA.
  • Push approval — Google, Microsoft, or your bank sends a "Was this you?" notification to your phone; you tap Approve or Deny.
  • Hardware security key — You plug in or tap a YubiKey or similar device when prompted at login.
  • Biometric on a trusted device — After your password, you confirm with Touch ID, Face ID, or Windows Hello on a device already linked to your account.
  • Passkey — You sign in with your device PIN or biometric instead of a password; the device proves possession cryptographically. (This replaces the password entirely in many setups, but the security model is the same: multiple proofs.)

Notice the pattern: password (something you know) plus a separate check from a different category. That is the whole test.

What is NOT two-factor authentication

These show up as wrong answers on quizzes — and they show up in real products that feel secure but are not true 2FA:

  • Security questions ("What was your first pet's name?") — still something you know, same category as your password.
  • A second password or PIN — two secrets, but one factor type twice.
  • Typing your email or username twice — not a second factor at all.
  • CAPTCHA or "I'm not a robot" — blocks bots, not credential thieves who already have your password.
  • Emailing yourself a login link — if you are already logged into email on the same browser, that is not a separate factor.

When in doubt, ask: "Is this a different type of proof, or just another thing I have to remember?" Only the first counts.

Strongest vs weakest 2FA methods

All 2FA beats no 2FA — but methods are not equal. Hardware security keys and authenticator apps are hardest to beat remotely; Google's guide on security keys explains why they resist phishing. Passkeys (device PIN or biometric) are a strong modern option where supported.

SMS codes are weaker: attackers who SIM-swap your number can intercept texts. The FTC warns about SIM-swap scams. Use SMS if it is your only option, then upgrade to an app or key. For email and banking, never stop at SMS if something stronger is offered.

How to set up two-factor authentication

Setup takes a few minutes on most services: open security settings, pick your second factor, and save backup codes somewhere safe (not beside your password).

  • Google: myaccount.google.com → Security → 2-Step Verification. See Google's 2-Step Verification help.
  • Apple ID: Settings → your name → Sign-In & Security → Two-Factor Authentication. See Apple's 2FA for Apple ID guide.
  • Microsoft: account.microsoft.com/security → Advanced security options. Work accounts may be managed by IT.

Enable 2FA on your password manager first, then banking and social accounts. It pairs with phishing defense: even on a fake login page, an attacker still needs that second factor. That is why it matters alongside spotting fake websites and recovering from a phishing click.

How to turn off or disable two-factor authentication

Some people search for how to disable two-factor authentication after getting a new phone or finding the extra step annoying. Honest guidance: only turn it off for a specific, temporary reason — and switch it back on as soon as you can. Never disable it because someone in an email, text, or call told you to. That is a common scam.

How to turn off two-factor authentication on iPhone

For Apple ID: Settings → your name → Sign-In & Security → Two-Factor Authentication → follow prompts to turn off if the option appears. Apple may not allow removal on newer accounts. Locked out? Use iforgot.apple.com — see Apple's 2FA guide for trusted devices and recovery.

For other apps (Gmail, banking, social), open each app's security settings — there is no single iPhone switch for everything.

On Google or Microsoft, the path is the same: security settings → 2-Step Verification → Turn off. Both warn you that the account becomes easier to compromise. If you are switching phones, add the new device as trusted before removing the old one instead of disabling 2FA entirely.

Frequently asked questions

Which of the following is an example of two-factor authentication?

A one-time code from an authenticator app, an SMS login code, approving a sign-in on your phone, a hardware security key, or a fingerprint on a trusted device. Each combines your password with something you have or something you are.

What is two-factor authentication in simple terms?

It is a second check at login — usually your password plus a code, tap, or biometric on a device you own. It stops most attacks that only have your password.

Is a security question considered two-factor authentication?

No. Security questions are still "something you know," the same category as your password. They do not count as a second factor.

What is the strongest type of two-factor authentication?

Hardware security keys and authenticator apps are generally stronger than SMS, because they are harder to intercept remotely. Passkeys are a strong modern option on supported sites.

How do I turn off two-factor authentication on iPhone?

For Apple ID: Settings → your name → Sign-In & Security → Two-Factor Authentication. Other apps have their own security settings. Apple recommends keeping 2FA on; only disable it if you understand the risk.

Should I turn off two-factor authentication?

Almost never — and never because someone contacted you and asked you to. Keep 2FA on for email, banking, and your password manager at minimum. If the extra step bothers you, use an authenticator app or passkey; they are faster than SMS once set up.

The bottom line

Examples of two-factor authentication always share one trait: they combine your password with a different kind of proof — a code on your phone, a tap on a key, or your fingerprint on a device you own. Security questions, second passwords, and CAPTCHAs do not make the cut.

Turn on 2FA starting with email and anything financial. Use an authenticator app or hardware key where you can. And if you are wondering whether your everyday habits actually match that advice, the scenarios in the free quiz will tell you — honestly, in about five minutes.