1. Why passwords alone are not enough
A password is something you know. If it leaks in a breach or is guessed, the attacker has everything they need. Two-factor authentication (2FA) adds a second, independent check: something you have (a phone, a security key) or something you are (a fingerprint). A phished or leaked password is then not enough on its own; the attacker also needs your second factor. That only holds if the two factors are genuinely independent, and, as the ranking below shows, some second factors can be phished along with the password while others cannot. Multi-factor authentication (MFA) generalises this to two or more factors.
99.9%: of automated account-takeover attacks blocked by MFA (Microsoft)
< 1 min: to enable 2FA on most major services
3: factor categories: know, have, are
2. The main types of 2FA, ranked
Hardware security key (FIDO2 / WebAuthn): Best
YubiKey, Google Titan, passkeys. Phishing-resistant by design: the credential is bound to the site's origin, the browser only lets the registered site ask for it, and the signed response carries the origin it was produced for, so a look-alike domain or a proxy site gets no usable response.
TOTP authenticator app: Good
Google Authenticator, Aegis, 2FAS. Generates a 6-digit code from a shared secret and the current time (a fresh code every 30 s), works offline, and is much safer than SMS. Caveat: the code is tied to the time, not to the site, so a phishing page that proxies the real site in real time can still relay it within its validity window.
Push notification: OK
Convenient, but vulnerable to "MFA fatigue" attacks: an attacker who already has the password triggers prompt after prompt until the user taps approve out of exhaustion. Number matching (typing a code shown on the login screen into the app) removes the blind tap-to-approve path.
SMS codes: Weak
Vulnerable to SIM swapping and interception, and relayed by phishing kits just as easily as TOTP. Still better than nothing, but never use it for high-value accounts.
3. Common mistakes and red flags
Storing 2FA codes in the same password manager as the password
If the vault leaks, or an unlocked session on a stolen device is abused, both factors leak together and the second factor is no longer independent. Debatable: acceptable for non-critical accounts, not for email or banking.
Losing backup codes
Print them and keep them somewhere safe, separate from the phone. A lost phone with no backup codes often means permanent account loss.
Approving a push you did not request
If your phone buzzes for a login you did not start, deny it and change that password: someone already has it and is trying to get past the second factor.
2FA & MFA FAQ
Is 2FA and MFA the same thing?
2FA is the special case of MFA with exactly two factors; MFA can mean two, three or more.
Can 2FA be bypassed?
Yes. SMS codes fall to SIM swap; SMS and TOTP codes fall to phishing kits that proxy the real site in real time and relay whatever the victim types; push fails to MFA-fatigue spam. FIDO2 hardware keys and passkeys defeat all three, because the signed response is bound to the site's origin and cannot be obtained from a look-alike domain.
What are passkeys?
Passkeys are FIDO2/WebAuthn credentials, usually synced across your devices through a platform account or password manager (device-bound passkeys exist as well). They can replace the password entirely and are phishing-resistant for the same reason a hardware key is: the credential only answers for the site it was registered with.
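The origin binding that makes FIDO2 keys and passkeys phishing-resistant, and that defeats the real-time proxy kit mentioned above, as an added model that is not code from the page, from any key vendor, or from a WebAuthn library. It keeps the structure of the real protocol (the browser, not the page, writes the origin into clientDataJSON; the authenticator includes SHA-256 of the RP ID in authenticatorData; the challenge is single-use) but uses an HMAC with a per-credential secret in place of the key's public-key signature; bank.example and the look-alike bank-example.com are constructed names:

```python
import hashlib
import hmac
import json
import secrets

# Constructed names: the legitimate relying party and a look-alike domain used
# by a real-time proxy phishing kit.
RP_ID = "bank.example"
RP_ORIGIN = "https://bank.example"
PHISH_ORIGIN = "https://bank-example.com"


class Authenticator:
    """Toy FIDO2 key. Each credential is bound to the RP ID it was registered
    for. The signature is an HMAC keyed with a per-credential secret, standing
    in for the ECDSA/EdDSA signature a real key produces (demo assumption)."""

    def __init__(self):
        self._creds = {}  # credential id -> (rp_id, key)

    def register(self, rp_id: str):
        cred_id, key = secrets.token_bytes(16), secrets.token_bytes(32)
        self._creds[cred_id] = (rp_id, key)
        return cred_id, key  # a real key hands back a public key here

    def get_assertion(self, cred_id: bytes, rp_id: str, client_data: bytes):
        stored_rp_id, key = self._creds[cred_id]
        if stored_rp_id != rp_id:
            raise KeyError("no credential for this RP ID")
        # authenticatorData = SHA-256(rpId) || flags (user present) || sign counter
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
        to_sign = auth_data + hashlib.sha256(client_data).digest()
        return auth_data, hmac.new(key, to_sign, hashlib.sha256).digest()


def browser_get(authenticator, cred_id, page_origin, rp_id, challenge):
    """Model of navigator.credentials.get(): the browser refuses an rpId that is
    not the page's host or a registrable suffix of it, and it (not the page's
    JavaScript) writes the true origin into clientDataJSON before the key signs."""
    host = page_origin.split("://", 1)[1]
    if host != rp_id and not host.endswith("." + rp_id):
        raise PermissionError(f"{page_origin} may not use rpId {rp_id}")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}
    ).encode()
    auth_data, sig = authenticator.get_assertion(cred_id, rp_id, client_data)
    return client_data, auth_data, sig


class RelyingParty:
    def __init__(self, rp_id: str, origin: str):
        self.rp_id, self.origin = rp_id, origin
        self.keys = {}        # credential id -> verification key
        self.pending = set()  # challenges issued and not yet consumed

    def new_challenge(self) -> str:
        challenge = secrets.token_urlsafe(32)
        self.pending.add(challenge)
        return challenge

    def verify(self, cred_id, client_data, auth_data, sig) -> str:
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get":
            return "bad type"
        if cd.get("challenge") not in self.pending:
            return "challenge unknown or already used"
        if cd.get("origin") != self.origin:
            return "origin mismatch"
        if auth_data[:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return "rpIdHash mismatch"
        to_sign = auth_data + hashlib.sha256(client_data).digest()
        expected = hmac.new(self.keys[cred_id], to_sign, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return "bad signature"
        self.pending.discard(cd["challenge"])  # single use
        return "ok"


def run_scenarios() -> dict:
    key_device, rp = Authenticator(), RelyingParty(RP_ID, RP_ORIGIN)
    cred_id, vkey = key_device.register(RP_ID)
    rp.keys[cred_id] = vkey
    results = {}

    # 1. Legitimate login from the real origin.
    assertion = browser_get(key_device, cred_id, RP_ORIGIN, RP_ID, rp.new_challenge())
    results["legit"] = rp.verify(cred_id, *assertion)
    # 2. Replaying the same assertion: its challenge has been consumed.
    results["replay"] = rp.verify(cred_id, *assertion)
    # 3. Proxy phishing: the kit relays a fresh challenge from the real site, but
    #    the victim's browser is on the look-alike origin and refuses that rpId.
    try:
        browser_get(key_device, cred_id, PHISH_ORIGIN, RP_ID, rp.new_challenge())
        results["proxy_phish"] = "signed"
    except PermissionError:
        results["proxy_phish"] = "browser refused"
    # 4. The kit asks under its own host as rpId instead: no credential exists for it.
    try:
        browser_get(key_device, cred_id, PHISH_ORIGIN, "bank-example.com", rp.new_challenge())
        results["proxy_phish_own_rpid"] = "signed"
    except KeyError:
        results["proxy_phish_own_rpid"] = "no credential for that RP ID"
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

Contrast this with a TOTP code, which the same kit simply forwards: here the phishing page cannot even obtain a signature, and if a browser ever produced one for the wrong origin, the relying party's origin and rpIdHash checks would still reject it.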
Related Modules
Password security best practices
Strong passwords, password managers, passphrases: how to build a password strategy that actually works.
What is social engineering?
Social engineering attacks: how scammers hack humans instead of systems, and what to watch for.
Recognizing a phishing link
Techniques for detecting fraudulent URLs that mimic legitimate websites.
Source: mlab Academy — Cybersecurity Awareness Platform
URL: https://academy.mlab.sh//page/two-factor-auth
Module: What is 2FA / MFA? — Digital Hygiene
Disclaimer: This content is for awareness purposes only.