2FA (Two-Factor Authentication)
A security method that requires two different forms of verification before granting access, typically a password plus a code from a device you own.
Two-factor authentication (2FA), the most common form of multi-factor authentication (MFA), adds a second verification step beyond your password. Even if an attacker steals your password through phishing or a data breach, they still cannot access your account without the second factor.
Common Second Factors
- TOTP apps (Google Authenticator, Authy): Generate a time-based 6-digit code that changes every 30 seconds. The shared secret is stored locally on your device.
- Hardware keys (YubiKey, Titan): Physical USB/NFC devices that cryptographically verify your identity. The strongest option, and resistant to phishing because the key's response is tied to the legitimate site rather than a look-alike page.
- SMS codes: A code sent via text message. Better than nothing, but vulnerable to SIM-swapping attacks.
- Push notifications: An app on your phone prompts you to approve or deny the login.
- Passkeys: A newer standard that combines password-free login with cryptographic verification, supported by most modern password managers.
Why SMS Is the Weakest Option
SMS-based 2FA is vulnerable to SIM-swapping: an attacker convinces your mobile carrier to transfer your number to their SIM. Once they have your number, they receive your codes. For any account that matters, use TOTP or a hardware key.
2FA and Swiss Compliance
The nDSG requires “appropriate technical measures” to protect personal data. For systems handling sensitive information, 2FA is considered a baseline expectation by Swiss regulators. FINMA explicitly requires multi-factor authentication for financial institutions.
How to Roll Out 2FA for a Team
- Start with a password manager that supports TOTP storage
- Enable 2FA on email accounts first (email is the recovery path for everything else)
- Extend to cloud storage, financial tools, and admin panels
- Consider hardware keys for critical systems and admin accounts
- Document the process for nDSG compliance records