How Does Two-Factor Authentication Work?

From TOTP algorithms to FIDO2 cryptography — a clear explanation of how each type of 2FA generates codes, authenticates users, and protects accounts from attackers.

Compare the best authenticator apps → Guide to Two-Factor Authentication
Diagram showing how two-factor authentication works with TOTP codes and cryptography
1TOTP Codes

How Authenticator Apps Generate One-Time Codes

Authenticator apps use the Time-based One-Time Password (TOTP) algorithm, defined in RFC 6238. The process begins when you scan a QR code during 2FA setup. That QR code encodes a secret key — a random string of bytes that is shared between the service (like Google or Facebook) and your authenticator app. This shared secret is stored securely on both sides and never transmitted again after the initial setup.

Every 30 seconds, your authenticator app performs an HMAC-SHA1 cryptographic operation combining the shared secret with the current Unix timestamp (divided into 30-second intervals). The result is hashed and truncated to produce the six-digit code you see. Simultaneously, the server performs the exact same calculation. When you submit the code, the server compares what you entered with what it calculated — if they match, authentication succeeds. Because the codes are derived from time and a secret, they are different every 30 seconds and cannot be reused.

This design has a critical security property: the secret key never leaves the initial setup process. Your authenticator app generates codes entirely offline — it doesn't need an internet connection, and it doesn't communicate with the server until you submit the code at login. This is why authenticator apps work even in airplane mode, and why intercepting your network traffic cannot expose the underlying secret or future codes.

  • Shared secret: A random key established once during QR code scanning — never transmitted again
  • HMAC-SHA1: Combines the secret with the current timestamp to produce each code
  • 30-second window: Codes expire and renew every 30 seconds automatically
  • Offline generation: No internet connection required — codes work in airplane mode
  • Non-reusable: Each code can only be used once and expires immediately after verification
  • Server-side verification: The server performs the same calculation and compares results
Understand the difference between TOTP and HOTP standards →
TOTP algorithm diagram showing how 30-second codes are generated
2SMS and Push

How SMS Codes and Push Notifications Work

SMS-based 2FA takes a fundamentally different approach. When you try to log in, the service generates a random code on its server and sends it to your registered to Spot and Avoid Attacks on Your Phone">Your Phone Number">phone number via the phone network's Short Message Service. You receive the text, read the code, and enter it into the login form. The server verifies the code matches what it sent and that it hasn't expired (usually within 5–10 minutes).

The weakness of SMS 2FA lies in the phone network itself. The SS7 protocol used by telecommunications networks was designed for an era before widespread security concerns, and its trust model allows any carrier in the global network to request call and SMS forwarding for any number. Sophisticated attackers with access to telecommunications infrastructure can intercept SMS messages silently. More commonly, SIM swap attacks exploit carrier customer service processes to transfer a victim's number to a new SIM card the attacker controls, after which all calls and texts are delivered to the attacker instead.

Push notification 2FA, used by services like Duo Security and some bank apps, sends a login approval request to your registered device as a push notification. You see the request details (login time, location, device) and tap Approve or Deny. This is more resistant than SMS because it relies on the push notification infrastructure of iOS or Android rather than the phone network. However, it requires an internet connection and is vulnerable to "push fatigue" attacks where criminals repeatedly send approval requests hoping the user will accidentally approve one.

  • SMS generation: Server creates a random code and sends via telecoms network to your phone
  • SMS vulnerability: SS7 protocol flaws and SIM swapping can redirect your messages to attackers
  • Push notifications: Use iOS/Android push infrastructure rather than the phone network
  • Push context: Shows login location and device details so you can verify legitimacy
  • Push fatigue: Attackers spam approval requests hoping for accidental approval — always verify
  • SMS best practice: Upgrade to an authenticator app wherever the option is available
See all the ways SMS 2FA can be defeated →
SMS 2FA and push notification authentication flow
3Hardware Keys

How Hardware Security Keys Work: FIDO2 and WebAuthn

Hardware security keys use public-key cryptography through the FIDO2 standard and its browser integration protocol, WebAuthn. When you register a hardware key with a service, the key generates a unique cryptographic key pair: a public key that is shared with the service and a private key that never leaves the hardware device. The private key is stored in a secure element — a tamper-resistant chip inside the key that makes extraction virtually impossible even with physical access to the device.

At login, the server sends a challenge — a random piece of data — to your browser, which forwards it to the hardware key. The key prompts you to touch it (or tap it via NFC), then signs the challenge with the private key. The browser sends the signature back to the server, which verifies it using your registered public key. Crucially, the key also verifies the website's domain before signing. This domain binding means that even if a phishing site perfectly mimics a real login page, the key will not authenticate you — the domain won't match the registered service.

This phishing resistance is what distinguishes hardware keys from all other forms of 2FA. TOTP codes and push notifications can be relayed in real-time by a sophisticated phishing proxy, but a hardware key's domain verification cannot be fooled. This is why security-conscious organisations, including Google (which issued keys to all employees and reported zero successful phishing attacks afterward), treat hardware keys as essential for protecting high-value accounts.

  • Key pair generation: Device creates a unique public/private key pair per service during registration
  • Private key security: Stored in a tamper-resistant secure element — never transmitted or extractable
  • Challenge-response: Server sends a random challenge; key signs it with the private key
  • Domain binding: Key verifies the exact website domain before signing — phishing sites fail
  • Physical tap required: User presence (touching the key) prevents remote attacks
  • Phishing-proof: Cannot authenticate to fake websites regardless of how convincing they appear
Learn everything about hardware security keys →
FIDO2 WebAuthn hardware security key authentication flow
4The Future: Passkeys

Passkeys: How the Next Generation of Authentication Works

Passkeys implement the same FIDO2 public-key cryptography as hardware security keys, but using your device's built-in security hardware — the Secure Enclave on iPhones and Macs, or the Trusted Platform Module (TPM) on Windows devices. The private key is bound to your device and protected by your biometric (Face ID, Touch ID, or fingerprint). When you log in to a passkey-enabled service, your device verifies your biometric and then signs the server's challenge, completing authentication without you ever typing a password.

From a technical standpoint, passkeys are even more elegant than traditional 2FA because they collapse the two-factor requirement into a single gesture that internally satisfies two factors: something you have (the device containing the cryptographic key) and something you are (the biometric that unlocks it). The user experience feels like one step, but the security architecture enforces two-factor authentication automatically.

Passkeys also solve the synchronisation challenge. Unlike hardware keys, passkeys can be synced across your devices through iCloud Keychain (Apple devices) or Google Password Manager (Android/Chrome). This means your passkey for Google is available on your iPhone, your MacBook, and your iPad simultaneously. However, synchronisation also means that compromising your cloud account could theoretically expose your passkeys — making your Apple ID or Google account security critically important when using synced passkeys.

  • Device-bound cryptography: Private key stored in hardware security chip on your device
  • Biometric unlock: Face ID, Touch ID, or fingerprint unlocks the key for signing
  • Two factors in one gesture: Device possession plus biometric combined seamlessly
  • Cross-device sync: Passkeys sync via iCloud Keychain or Google Password Manager
  • Phishing-resistant: Inherits domain binding from FIDO2 — cannot authenticate to fake sites
  • Growing support: Apple, Google, Microsoft, and thousands of services now accept passkeys
Read the complete guide to passkeys →
Passkeys using biometric authentication as 2FA replacement

Now You Understand 2FA — Time to Use It

You know how authenticator apps, SMS codes, and hardware keys work. Now compare your options and set up the best 2FA for your accounts.

Compare the best authenticator apps → Guide to Two-Factor Authentication

Related VPN Articles

What Is a VPN?

The complete beginners guide to VPN technology.

How Does a VPN Work?

Encryption, IP masking and data tunnelling explained.

VPN Protocols Explained

OpenVPN, WireGuard, IKEv2 - which should you use?

Best VPNs for Hong Kong

Top-rated VPNs tested for HK users.

VPN for Streaming

Unblock Netflix, Disney+ and more from Hong Kong.

VPN on Public WiFi

Why public hotspots are dangerous and how VPN helps.

Free vs Paid VPN

What you sacrifice with a free VPN.

VPN for Gaming

Reduce lag and access geo-locked games.

VPN for Remote Work

Secure your home office connections.