To validate a user, two-factor authentication (2FA) requires a password and a unique form of identification, such as a login token sent through text message (SMS) or a mobile application. When the user inputs his or her password, the security code is requested in order to log in to the website. If the code does not match, the user will be denied access to the website.
Google Authenticator, YubiKey, Microsoft Authenticator, and other 2FA devices are examples.