Let me tell you something: Last year, a fren had his exchange account password compromised, but because he had enabled Google Authenticator, the hacker couldn't get in. The money saved was enough for him to buy a car.
This is the value of two-factor authentication - it doesn't teach you cryptography, it helps you lose less money.
In three sentences: When you scan the code, you store a key, and the exchange also stores a copy. Both parties calculate the same 6-digit number from that key using the same formula every 30 seconds. The code is computed offline, which is what makes this the safest option: the hacker does not have your key, and without it, no matter how hard they try, they cannot calculate the verification code.
Practical advice: Find an old phone, remove the SIM card, disconnect it from the internet, turn off WiFi, and install only Google Authenticator on it. This is an "air gap", the same kind of protection used in military systems, and the cost is just an old phone gathering dust. It's proven, easy to copy, and ready to use right now.
Stop using SMS verification: SS7 hijacking and SIM card cloning leave it with too many vulnerabilities. The same goes for email, which is hard to defend against credential stuffing and phishing.
Looking further ahead, Passkey will gradually replace TOTP. It uses public-key cryptography: the private key never leaves your device, and the server only stores the public key, so there's no problem even if the server's database is compromised. However, it will take a few more years to become widespread; for now, an offline authenticator is sufficient.
A used phone to save the price of a car: anyone can do that math.