How does 2FA remain secure when most people have saved passwords or credentials/”remember me” on one single device, usually their smartphone; potentially a single point of failure? For that matter, why only 2FA and not 3 or 5FA?


For clarification, some banking apps simply require a separate password in a separate app to be entered, emulating the same concept that Google Authenticator employs.

How is this more secure than say, having a secondary password field in the main app?


6 Answers

Anonymous 0 Comments

It’s potentially a single point of failure _if you have the cell phone_ because then you often get the password too.

But most data breaches aren’t done by people stealing cell phones; it’s just not scalable. 2FA mostly works because most methods of breaching single authentication involve getting just the password by someone who has no hope of getting access to the associated phone.

Anonymous 0 Comments

> How is this more secure than say, having a secondary password field in the main app?

Because the second “password” isn’t something that you memorize. It’s generated with some very complex math based on a secret “seed” value and the current time. It changes roughly every 30 seconds. If someone doesn’t have access to that secondary app, then they can’t get into the account even if they know your passwords.

>why only 2FA and not 3 or 5FA?

2FA stands for “two-factor authentication”, and there are only three “factors”:

* Something you know (i.e. a password)
* Something you have (i.e. the phone with the 2FA app installed on it)
* Something you are (i.e. biometrics)

You can have 3FA if you have to enter a password that you know, get an auth token from a device that you have, and scan your fingerprint. But 5FA isn’t a thing.

Anonymous 0 Comments

Not all “factors” are equal. For example, having two different passwords is basically the same as just having one, longer password. So having a second password field really doesn’t make it 2FA.

Generally, the factors should be of different kinds, the three kinds being:

* Something you know (e.g. a password)
* Something you have (e.g. a smart phone)
* Something you are (e.g. fingerprints/retina)

2FA commonly employs the first two. The smart phone is something you have and the password you enter into it is something you know.

Yes, this means if you enable your device to save and autofill the password part (and your phone isn’t additionally protected with a PIN or a passcode to get into it) then you have effectively eliminated one factor from consideration; all someone needs is your phone and they get in.

That doesn’t make 2FA inherently less secure. Just about any security system can be rendered insecure by poor implementation or decisions on part of the users.

As to why it isn’t 3FA or 5FA: as I point out above, there are only 3 “kinds” of factors, and having two factors from the same category really doesn’t add anything. So the highest you can go and still have significant additional security is 3FA, but that means biometrics.

Biometrics are generally costlier or, when they aren’t costlier, less reliable, or otherwise have privacy concerns. Theoretically you could implement this yourself by locking your phone with face recognition or a fingerprint scanner in order to access the 2FA app on it.

Anonymous 0 Comments

2FA saves you from someone who bought a list of login details from a data breach, for example. Before 2FA became popular, stealing login info worked great because the login could be done from anywhere.

When an account is protected with 2FA, this mystery criminal can’t do anything even if they have your correct password.

Anonymous 0 Comments

That separate app is 2FA, also called an OTP (one-time password).

A system is only as secure as its weakest link, which tends to be the human. A 2FA approach gives you a small time frame (normally 30s for app-based codes) to enter that code; it’s a second layer of defence. It’s more secure than just a second password because it’s a pseudo-random code that is generated on your device and a server using a known set of values on each side, generally using time to sync them. It would take longer than 30s to brute force that OTP, by which time it has changed and you have to start brute forcing again.

Some sites use text, some use email and some use apps but the core principle is the same. A short lived freshly generated code that has a single use.

Why 2 and not 3 or 5 or 100? Balance of security and usability: as you add more layers you create a more secure system, BUT you also cause humans to be more reluctant to use it, and so the human defaults to 1FA (a password).

If you have a smartphone you should have a passcode or password to unlock it and also to see previews of messages, and some phones now require that code to be entered when using saved passwords. But again, the weakest link is the human: if they don’t protect their device with a password or code then it does defeat a lot of the 2FA benefits.

Anonymous 0 Comments

With 2FA you have to have access to both authenticating devices. Putting both on one page defeats the purpose. The idea is that the chances are much less that a “bad guy” will have access to both the site and your phone (assuming of course they are not accessing the site on your phone). The reason anything greater than 2FA is rarely if ever used is end-user convenience. Not many people have the ability or desire to authenticate on 3 different platforms, and I have to imagine keeping 3 levels of authentication in sync would be more effort than it is worth for daily use.