Two-factor authentication, usually shortened to 2FA, means proving who you are with two different types of evidence instead of one. The first is almost always something you know, your password. The second is something you have or something you are: a code sent to your phone, an authenticator app, a hardware key, or a fingerprint. A stolen password alone doesn't get an attacker in, because they're also missing the second piece.
It works. Microsoft's 2025 Digital Defense Report found that multi-factor authentication, especially the phishing-resistant kind, blocks more than 99% of identity-based attacks, and 97% of those attacks are simple password spray or brute-force attempts that 2FA stops cold. If you've enabled 2FA somewhere and stopped thinking about it, that's a reasonable place to stop thinking about it.
The three kinds of second factor
- Something you know. A PIN or security question, on top of your password. The weakest option, since anything you can type, someone else can eventually guess or steal.
- Something you have. A code from an authenticator app, a text message, or a physical security key like a YubiKey. The most common setup in practice.
- Something you are. Fingerprint or face recognition. Hardest to steal remotely, but it requires hardware that supports it.
An authenticator app or a hardware key beats SMS codes specifically because a text message can be intercepted through a SIM swap. Not every 2FA method carries the same risk, and it's worth choosing the strongest one your accounts support.
Where AI is closing the gap
The same Microsoft report that shows how effective 2FA is also shows the exception attackers are exploiting: adversary-in-the-middle, or AiTM, phishing. Instead of trying to guess a password, an AiTM kit puts a fake login page between you and the real service. You type your password and your 2FA code into what looks like the real site, and the attacker's server relays both through in real time, stealing the session token the moment you're authenticated. 2FA didn't fail here. It got bypassed by intercepting what happens right after you use it.
What's changed is how convincing the bait has gotten. A study led by Harvard Kennedy School researcher Fred Heiding found that AI-generated phishing emails achieved a 54% click-through rate, statistically matching phishing written by human experts, and well above the 12% baseline for generic phishing attempts. Microsoft's own data puts AI-driven phishing at roughly three times more effective than traditional campaigns, with a 54% click-through rate of its own, and generative tools have cut the time it takes to write a convincing, personalized lure from hours to a few minutes.
What still works
- Use an authenticator app or hardware key over SMS where the option exists. It removes the SIM-swap risk entirely.
- Check the URL before you type a password anywhere, every time. AiTM kits rely on a fake domain close enough to the real one that people don't look twice.
- Use passkeys where a service offers them. They're tied to the specific site they were created for and can't be phished onto a fake login page the way a typed code can.
- Treat an unexpected login prompt as a red flag, not an annoyance. If you didn't try to log in and a 2FA prompt shows up anyway, someone else has your password and is trying to get past the second step.
The short version
Two-factor authentication still blocks the overwhelming majority of account takeovers, and turning it on remains one of the highest-value five minutes you can spend on any account. The newer risk isn't that 2FA stopped working, it's that AI-written phishing is convincing enough to get people to hand over both factors at once through a fake login page. The fix is the same instinct that's always mattered: check the URL before you type anything into it.
Want the credential side of this problem? Read about honeypots and basic site security, or see how API keys create a different kind of exposure that a password manager alone won't catch.
Sources
- Microsoft, "2025 Microsoft Digital Defense Report" (October 2025): https://www.microsoft.com/en-us/security/security-insider/threat-landscape/microsoft-digital-defense-report-2025
- Heiding et al., "Evaluating Large Language Models' Capability to Launch Fully Automated Spear Phishing Campaigns: Validated on Human Subjects" (arXiv, November 30, 2024): https://arxiv.org/abs/2412.00586
- Microsoft Learn, "How it works: Microsoft Entra multifactor authentication" (updated 2026): https://learn.microsoft.com/en-us/entra/identity/authentication/concept-mfa-howitworks