Two Factor Authentication works like this in a nutshell:

You have a key to a door, but there is also a keypad on it. To open the door, you must have both the key and the code to the keypad, the door cannot be opened without the other.

​

Digitally, it’s setup in several ways using a password and another form of security to confirm that you are the owner of the account, it can take form as a temporary code (more on that later), a security question, or just another “password” that you have to input.

​

In more detail, whenever you input your **correct** password (**if it’s incorrect, it obviously will tell you it’s incorrect without sending you to the second security step)**, the database checks for your account and sees if it has 2FA (abbrev for Two Factor Authentication) turned on, and in what type, if it’s a security question or additional password, you input the correct answer accordingly and voila, you’re in.

​

As for the temporary code, it’s a code that’s sent to your account whenever you sign in, that code can be sent as SMS, or the site will tell you to type in your code, which you’ll find via a special application (like [Authy](https://authy.com/)), and input the code.

If you’re asking as to how such codes are generated, they’re really just generated randomly, six digit codes, and good luck if you try to brute-force your way through that, because there are at least half a million possible combinations.

Hope this helps!