How does two-factor authentication (2FA) work? Why does it not work for all online purchase transactions?

10 Answers

Anonymous

All excellent answers here, but let’s generalize: all authentication systems have problems with them. Two-factor authentication simply requires you to use 2 different forms of authentication to prove you are you, which means the problems with any 1 authentication system are reduced.

Let’s analyze the most common systems: 1) Password 2) Text To Phone

You know your password, company knows your password, you type it, they confirm your password is right. Great. But what happens if a thief is spying on your web browser? You type your password and whoever is spying can just steal your password and keep using it. Or, a thief can guess your password and then keep using it. Or a thief can break into their server and steal the passwords from there (most passwords are no longer actually stored on their servers: They only store a value derived from your password. But let’s ignore that for now.)

The other system is: you know your phone number, the company knows your phone number, they send a secret one-time number to your phone. You tell them the number back. That proves you have a phone with that phone number. Great. But what if a thief steals your phone or your phone number? Now, they can just ask for the one-time number and always get it.

But, put these two systems together and require both: a Password + Text To Phone. Now, if a bad guy is listening, he will hear you send your Password and the one-time number. He knows your password, but he doesn’t know the *next* one-time number, which will be different. The thief can’t log in as you from their computer. Similarly, if a different bad guy steals your phone, they can request the one-time number and get it, but they don’t know your password.

To log in as you, they have to steal your password **and** your phone, which is much harder to do.

Why don’t all companies do this? It’s more expensive and it takes people more time to authenticate themselves. This means a store may lose a sale when customers get upset and annoyed that it takes longer to authenticate themselves. The extra security is not worth it.
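The three cases this answer walks through (the real user, the eavesdropper who captured a password and a code, the phone thief), as an added worked example that is not part of the original post or of any real service. It models a hypothetical in-memory server with a simulated SMS gateway. The username, password and phone number are constructed; the 120-second code lifetime, PBKDF2 as the "value derived from your password" the server stores, and the six-digit code format are assumptions for illustration. It goes slightly beyond the answer by also showing that a code is single-use and expires, which is what actually stops the eavesdropper from replaying what they heard.

```python
"""Toy model of password + text-to-phone two-factor login (constructed example)."""
import hashlib
import hmac
import os
import secrets


class TwoFactorServer:
    """Hypothetical server: stores a password-derived value and texts one-time codes."""

    CODE_TTL = 120  # seconds a texted code stays valid (assumed policy)

    def __init__(self):
        self.users = {}       # username -> (salt, password_hash, phone)
        self.pending = {}     # username -> (code, expires_at)
        self.sms_outbox = []  # simulated SMS gateway: (phone, code)

    @staticmethod
    def _derive(password, salt):
        # The server keeps only a value derived from the password, never the
        # password itself; PBKDF2-HMAC-SHA256 is the assumed derivation here.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, password, phone):
        salt = os.urandom(16)
        self.users[username] = (salt, self._derive(password, salt), phone)

    def start_login(self, username, password, now):
        """Factor 1: check the password. Only on success is a fresh code texted."""
        rec = self.users.get(username)
        if rec is None:
            return False
        salt, stored, phone = rec
        if not hmac.compare_digest(stored, self._derive(password, salt)):
            return False
        code = f"{secrets.randbelow(10**6):06d}"  # a new random code every login
        self.pending[username] = (code, now + self.CODE_TTL)
        self.sms_outbox.append((phone, code))
        return True

    def finish_login(self, username, code, now):
        """Factor 2: the texted code must match and be unexpired; it is consumed either way."""
        entry = self.pending.pop(username, None)
        if entry is None:
            return False
        expected, expires_at = entry
        return now <= expires_at and hmac.compare_digest(expected, code)


def latest_text(server, phone):
    """What anyone physically holding the phone with this number can read."""
    codes = [c for p, c in server.sms_outbox if p == phone]
    return codes[-1] if codes else None


def run_scenarios():
    """Run the answer's three actors (plus an expiry case); returns pass/fail per case."""
    srv = TwoFactorServer()
    srv.register("alice", "correct horse battery staple", "+15550100")  # constructed user
    results = {}
    t = 1_000  # simulated clock, seconds

    # 1. Alice: knows the password and holds the phone.
    assert srv.start_login("alice", "correct horse battery staple", t)
    code_used = latest_text(srv, "+15550100")
    results["legit_user"] = srv.finish_login("alice", code_used, t + 5)

    # 2. Eavesdropper: captured Alice's password AND the code she typed.
    #    The password step passes, but the server texts a *new* code to Alice's
    #    phone; the captured code is stale and was already consumed.
    assert srv.start_login("alice", "correct horse battery staple", t + 60)
    results["eavesdropper_replay"] = srv.finish_login("alice", code_used, t + 65)

    # 3. Phone thief: holds the phone but does not know the password.
    #    The password step fails, so no code is even sent to the phone.
    outbox_before = len(srv.sms_outbox)
    results["phone_thief"] = srv.start_login("alice", "guess123", t + 120)
    results["thief_got_a_text"] = len(srv.sms_outbox) > outbox_before

    # 4. Both factors right, but the code is typed after its lifetime has passed.
    assert srv.start_login("alice", "correct horse battery staple", t + 200)
    late_code = latest_text(srv, "+15550100")
    results["expired_code"] = srv.finish_login("alice", late_code, t + 200 + 121)

    return results


if __name__ == "__main__":
    for case, ok in run_scenarios().items():
        print(f"{case:20s} -> {'login succeeded' if ok else 'login refused'}")
```

The single-use pop in `finish_login` and the expiry check are what make case 2 fail: the eavesdropper's password is correct, so the first step passes and Alice's phone receives a fresh text (itself a useful warning sign), but the number the eavesdropper heard is no longer the number the server is waiting for.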
