How does two-factor authentication (2FA) work? Why does it not work for all online purchase transactions?


Anonymous

A “factor” is a different channel for authentication. The more factors you have the harder it is to be compromised because all of your factors must be compromised.

The three main factors are “what you know,” “what you have,” and “what you are” (biometrics, like a fingerprint).

A password is “what you know.” It’s something you know.

Biometrics is problematic for most 2FA applications because they’d need to have your biometrics ahead of time and it works best when the device scanning the biometrics can be monitored to ensure there’s no tampering or falsification going on because once your biometrics are compromised… that’s it. You can’t change your fingerprint. So you have to ensure the scanner is not compromised.

So that mostly leaves “what you have” as a 2nd factor to use. These days it’s mostly either an app on your phone that you configure with a one-time token or they send you a temporary code via text or e-mail. Depending on the service doing the 2FA you can also get a physical token with a constantly changing code or a physical card that must be inserted into the computer’s reader.

No token, no access. No password, no access. Both the password *and* the token must be compromised to gain access.

It doesn’t work for all online purchases because you have to set up 2FA ahead of time. It doesn’t really offer any protection to set up 2FA moments before you use it because if your password is compromised then whoever compromised your password could just set up 2FA right then and how does that offer any protection?

Also it costs money to set up and maintain 2FA and the storefront might not find it worth the cost to offer it.
