2FA adds a time-based one-time password (TOTP), WebAuthn (hardware key), or push notification. This raises the cost of unauthorized access from trivial (guessing a password) to substantial (stealing a physical token or intercepting real-time OTPs).
Always secure your TOTP seed codes (e.g., in an encrypted vault like Vaultwarden). If you lose your phone, you need a way back in. homelab 2fa
Single-factor authentication fails when: 2FA adds a time-based one-time password (TOTP), WebAuthn