Prerequisites: A basic understanding of 2FA, what it is and what it does. If you need a refresher, please review this Microsoft article.

This post aims to explain why two-factor authentication (2FA) is important, and also why not all 2FA is created equal.

False: "You can't be hacked because you have two factors enabled." Some second-factor methods protect you only marginally better than having no second factor at all. To be clear, everyone should enable 2FA on every account or service they want secured; the point of this post is that the choice of second-factor method matters.

Never Use:

Email: Never use email as the second factor, i.e. having the app or service send a code to your email address. I have literally seen cases where someone's email was hacked. At that point the attacker holds both the username and the second factor, and all they still need is the password. That is essentially the same position as an attacker who only has your username: either way, the password is the one thing standing between them and your account. Worse, a compromised mailbox usually also receives password-reset links, so the attacker may not even have to guess the password. So, as you can see, if your email has been compromised, email-based 2FA leaves you barely better off than having no 2FA at all.

Text/SMS: Never use a text message to your mobile phone as the second factor, for similar reasons. It is not that hard for someone to take over your phone number (for example, by convincing your carrier to move it to a SIM they control) or otherwise obtain your SIM or mobile account details, and then sit at their own office desk receiving your second-factor codes.

The service itself: For example, Facebook can notify you and prompt you for the second factor inside the Facebook app. If Facebook itself, or your Facebook account or session, is compromised, that second factor may not help, because the attacker controls the same thing that delivers the prompt. This is why using a separate company and app, such as Google Authenticator, is much better: an attacker could compromise your username and password and still not get into your account.

Preferred Method:

Use an application like Google Authenticator or Microsoft Authenticator.

Google Authenticator is great because it is secure, and you can back up or export your enrolled accounts when you get a new phone.

Microsoft Authenticator is nice because you can approve the second factor seamlessly from your watch or with Face ID.

Other honorable mentions include a FIDO security key, an RSA token, or the Authy app. The FIDO key deserves a special note: its response is bound to the site you are signing into, so a phishing page cannot relay it the way it can relay a typed six-digit code.
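To make concrete what an authenticator app actually does, here is an added example (my own code, not from Google, Microsoft, Authy or any other product named above): a minimal HOTP/TOTP generator per RFC 4226 and RFC 6238, plus the service-side verifier with clock-skew tolerance and replay rejection, checked against the RFC test vectors. The only thing the app and the service ever share is the secret enrolled from the otpauth QR code; producing a code sends nothing over email, SMS or the service's own push channel, which is exactly the property the sections above argue for. The function names, the `TotpVerifier` class and the base32 secret string are assumptions of this example.

```python
import base64
import hashlib
import hmac
import struct
import time

# The shared test secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890"), used here only so
# the example can be checked against the published vectors. A real enrolment uses a random secret.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC(secret, counter), dynamic truncation, then `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                                        # low nibble of the last byte
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time (default 30-second steps)."""
    return hotp(secret, for_time // step, digits, algo)


def decode_otpauth_secret(b32: str) -> bytes:
    """Turn the 'secret=' value of an otpauth:// URI (unpadded base32) back into raw key bytes."""
    clean = b32.strip().replace(" ", "").upper()
    return base64.b32decode(clean + "=" * (-len(clean) % 8))


def current_code(secret: bytes) -> str:
    """What the authenticator app displays right now (clock-dependent, so not asserted in tests)."""
    return totp(secret, int(time.time()))


class TotpVerifier:
    """Service-side check: constant-time compare, +/-window steps of clock skew, and no replay.

    RFC 6238 section 5.2 says a code that has been accepted must never be accepted again, so we
    remember the highest counter we validated and refuse anything at or below it.
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self._last_accepted_counter = -1

    def verify(self, code: str, now: int) -> bool:
        if not (code.isascii() and code.isdigit() and len(code) == self.digits):
            return False
        base = now // self.step
        for delta in range(-self.window, self.window + 1):
            counter = base + delta
            if counter <= self._last_accepted_counter:
                continue  # already consumed, or older than one we consumed: treat as a replay
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code):
                self._last_accepted_counter = counter
                return True
        return False


if __name__ == "__main__":
    # Base32 of the RFC secret, i.e. what the 'secret=' parameter of its otpauth:// URI would hold.
    secret = decode_otpauth_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print("HOTP counter 0:", hotp(secret, 0))                      # 755224 (RFC 4226 appendix D)
    print("TOTP at T=59, 8 digits:", totp(secret, 59, digits=8))   # 94287082 (RFC 6238 appendix B)
    print("code right now:", current_code(secret))
```

The verifier's replay rule is the part people most often forget: without it, an attacker who phishes or shoulder-surfs one code can reuse it for the rest of the 30-second step (plus the skew window), which is the window a real-time phishing proxy relies on.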

What else you should know:

Know the different ways the service lets you reset your 2FA, because the reset path is sometimes used to work around existing 2FA. Think about it: if someone can go online and reset your 2FA to email, or easily move it to another device, they can bypass the second factor you set up.

Notifications/Logging: Make sure the service notifies you of both failed and successful 2FA attempts. That way, when you get a new phone or log into the service from a new computer or browser and receive a notification that someone is accessing your account, you can ignore it because you know it was you. But if you get the same notification and it wasn't you, you can proactively start looking at what is going on.
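To show what those notifications are built from on the service side, here is an added example (my own code, not from any product mentioned in this post) that runs the three rules this section cares about over a constructed authentication log: repeated failed 2FA attempts, a successful 2FA login from a device the user has not used before, and a request to reset 2FA. The log format, field names, user names and device identifiers are made up for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Set

# Constructed sample of the auth events a service might log. The format and the device
# identifiers are invented for this example; real products log differently.
SAMPLE_LOG = """\
2024-05-01T08:00:02Z user=alice event=mfa result=success device=laptop-home
2024-05-01T08:00:09Z user=alice event=mfa result=fail device=unknown-7f3a
2024-05-01T08:00:15Z user=alice event=mfa result=fail device=unknown-7f3a
2024-05-01T08:00:21Z user=alice event=mfa result=success device=unknown-7f3a
2024-05-01T08:01:00Z user=alice event=mfa_reset result=requested device=unknown-7f3a
2024-05-01T08:02:00Z user=bob event=mfa result=success device=phone-bob
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) "
    r"result=(?P<result>\S+) device=(?P<device>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    user: str
    kind: str      # repeated_2fa_failure | login_from_new_device | 2fa_reset_requested
    device: str


def parse_events(log_text: str) -> Iterator[dict]:
    """Yield one dict per well-formed line; malformed lines are skipped rather than crashing."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def notifications(log_text: str, known_devices: Dict[str, Set[str]],
                  fail_threshold: int = 2) -> List[Alert]:
    """Replay the log and return the alerts each user should have been sent, in log order."""
    seen = {user: set(devs) for user, devs in known_devices.items()}
    fails: Dict[tuple, int] = {}          # (user, device) -> consecutive failed 2FA attempts
    alerts: List[Alert] = []
    for ev in parse_events(log_text):
        user, device = ev["user"], ev["device"]
        key = (user, device)
        if ev["event"] == "mfa" and ev["result"] == "fail":
            fails[key] = fails.get(key, 0) + 1
            if fails[key] == fail_threshold:      # alert once, when the threshold is reached
                alerts.append(Alert(ev["ts"], user, "repeated_2fa_failure", device))
        elif ev["event"] == "mfa" and ev["result"] == "success":
            fails.pop(key, None)
            if device not in seen.setdefault(user, set()):
                alerts.append(Alert(ev["ts"], user, "login_from_new_device", device))
                seen[user].add(device)            # notify on the first use of a device only
        elif ev["event"] == "mfa_reset":
            # A reset is how an attacker sidesteps the factor, so it is always worth a notification.
            alerts.append(Alert(ev["ts"], user, "2fa_reset_requested", device))
    return alerts


if __name__ == "__main__":
    for a in notifications(SAMPLE_LOG, {"alice": {"laptop-home"}, "bob": {"phone-bob"}}):
        print(f"{a.ts} notify {a.user}: {a.kind} from {a.device}")
```

Run against the sample, alice gets three notifications in order: two failed 2FA attempts from an unknown device, a successful 2FA login from that same device, and then a 2FA reset request from it. That sequence, read together, is the "it wasn't me" case this section describes, and the reset request is the one to act on first.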

In conclusion: use an app or a physical device for the second factor, and set up notifications for successful logins and for any attempt to reset the second factor.