Levitsky Concept

2FA and Passwords: How to Protect User Accounts

June 9, 2026 · 5 min read

Passwords leak and get guessed. Two-factor authentication (2FA) adds a second line of defense: even knowing the password, an attacker cannot log in without a one-time code.

How TOTP Works

The most common method is TOTP (time-based one-time passwords, RFC 6238). An authenticator app (Google Authenticator, 1Password) and the server share a secret; both derive the same 6-digit code from that secret and the current 30-second time window, so the code changes every 30 seconds. Setup is done via a QR code.

How to Store Passwords Properly

  • Never store passwords in plain text.
  • Use bcrypt or argon2 with a salt.
  • Do not impose a hard limit on password length, and encourage passphrases.
  • Compare secrets using timing-safe functions.

Recovery Without Holes

A reset token must be single-use and short-lived, and you should store only its hash in the database. Make the system’s response identical regardless of whether the email exists — otherwise users can be enumerated.

Conclusion

2FA and proper password storage close the most common attack vector — account compromise. This is the mandatory minimum for any service with a login.
