There is no “one way” for two-factor authentication to work. It refers to an philosophy of authentication, in that you have to provide two “factors.”

Most authentication today is single factor, with that single factor being a password.

It was long known that a single factor is pretty insecure and two-factor authentication was conceived to be a more secure upgrade. With this you have to have two different kinds of “factors” from the following categories:

* Something you know (like a password or pin)
* Something you have (like a keycard, or fob)
* Something you are (a part of your body, like a fingerprint, or retina)

How it “works” then, depends on the specific factors you are using. A very common implementation is to have a smart card along with a pin. You present the card to the badge reader and it then prompts you for a PIN. You enter the PIN and the system validates that the PIN and card combination are valid.

Two Factor Authentication works like this in a nutshell:

You have a key to a door, but there is also a keypad on it. To open the door, you must have both the key and the code to the keypad, the door cannot be opened without the other.

​

Digitally, it’s setup in several ways using a password and another form of security to confirm that you are the owner of the account, it can take form as a temporary code (more on that later), a security question, or just another “password” that you have to input.

​

In more detail, whenever you input your **correct** password (**if it’s incorrect, it obviously will tell you it’s incorrect without sending you to the second security step)**, the database checks for your account and sees if it has 2FA (abbrev for Two Factor Authentication) turned on, and in what type, if it’s a security question or additional password, you input the correct answer accordingly and voila, you’re in.

​

As for the temporary code, it’s a code that’s sent to your account whenever you sign in, that code can be sent as SMS, or the site will tell you to type in your code, which you’ll find via a special application (like [Authy](https://authy.com/)), and input the code.

If you’re asking as to how such codes are generated, they’re really just generated randomly, six digit codes, and good luck if you try to brute-force your way through that, because there are at least half a million possible combinations.

Hope this helps!

Imagine a door with a single lock. Whoever has the key to that lock can open the door. That’s single factor authentication.
Multi-Factor Authentication would be if you add different locks and carry all the keys on different keychains. So when you do lose one key, your door still stays locked. The important thing is carrying two separate keychains.

In an online example:
If you have single factor authentication on your reddit account (= only 1 lock – the username password combination), anyone who knows your username and password combination can log into your account.
But if you add another layer, another factor, it gets harder.
A common second factor is the phone. It looks like this: you log into reddit with your username password combination, the reddit server checks if that’s alright and if it is, it STILL wants you to prove that you are who you claim. For example by sending you a text message to your phone, the phone that only you could have and prompting you to enter it’s contents.
So in the scenario you do lose your password or you get hacked or your login data gets exposed elsewhere, even if you lose your first keychain, your door will stay locked, your account will stay secured.

First time trying to explain something, let me know if something is still unclear!

You hand your dad a note which says, “LevyShorts can have cake for supper and stay up until midnight playing video games and doesn’t need a bath tonight. Signed, Mom.”

That’s the first factor – A written note signed by mom.

Your dad calls your mom.

That’s both the second factor, and your demise.