The most common way to authenticate a user (i.e. prove that they are who they say they are) is through a password - a shared secret between the user and the server, which is assumed to be known only by the user. In other words, something that the user know.
Other forms, not all applicable to the Internet, would be:
- a document, badge or card: something that the user has.
- digital printing, retinal scanning, etc: something that the user is.
Two-factor authentication consists of using not one, but two forms of authentication, preferably of different natures (i.e. not asking for two passwords instead of one, as both would still be one factor - what the user know). Thus, even if one of these forms is compromised (someone copied the password, someone stole the card, the retinal scan was false positive) the chance that the other also be are much less.
It is also possible to require more than two factors, but this is rare - since each additional factor makes authentication a little more difficult (i.e. it reduces convenience by bothering users) without necessarily making security significantly better. It is also possible - and common - if there are several factors available to the user, and any two of them can be used.
Motivation
Although the concept "username and password" is common knowledge, it is a nuisance to the user, especially if he has account in several services and each of them has a different policy regarding the "strength" of the password (minimum size, required character types, character types permitted, mandatory password exchanges, etc.). A user can even memorize the passwords of the most important services individually, but there comes a point that he passes to or reuse passwords so he doesn’t have to memorize another, or write them down somewhere (e.g., a post-it stuck to the monitor).
Moreover, the average "strength" of passwords is quite low: the human being is bad at thinking about random things, so that the passwords of any user always end up fitting in a certain pattern. Attackers are aware of this, and the techniques used to "guess" passwords - as well as existing tools to assist in the task - are sufficiently sophisticated to make it difficult to use secure passwords. The best option nowadays is to use a password manager, but these plus sometimes inconvenient still represent a "single point of failure" (if someone steals your master password, all your passwords are stolen at once).
Finally, there is the question of logging into a computer/device that you do not control: if you enter your password into a machine infected by a keylogger, for example, no matter how good your password is - it is liable to be captured. Even worse if it is your password manager’s master password! This is one that you do not want at all to type on an untrusted computer, but if you make a point of only entering it on your device, this is already characterized as two factors (i.e. to get the real password, you need at the same time to be in possession of your device - something you has - and use your master password to unlock it - something you know).
Implementation
Although certain authentication methods have a cost (e.g., sending a code to the user via SMS - making sure the user has your mobile device), others are accessible to anyone who wants to use them. One of them is the "disposable password" (one-time password), whose most common implementation is through a HOTP ("disposable password based on HMAC") and its variant TOTP ("time-based disposable password"). Another is marking a computer as "reliable", containing a cookie with a secret and long-term expiry symbol.
A good use of these techniques would be to offer them all at the same time - the password as "what the user knows" and any of the others as "what the user has". Using Google as an example, when a user enables two-factor authentication, he needs to login in addition to his password one of the following:
- Being logged in from a "trusted computer" (i.e. the cookie sent by the browser proves that the user is in possession of his personal computer);
- Being in possession of a mobile device with the Google Authenticator (or compatible application), capable of generating time-based disposable passwords;
- Or simply a device capable of receiving SMS, but here we are talking about methods accessible to all.
- Be in possession of their backup codes, which are a form of disposable HMAC-based password. Where the user has stored these codes - on paper, on file, etc - is from his account, but proves that he is in possession of something that presumably nobody else owns.
Each of these techniques is easy to implement, and that is if there are no more ready-made libraries on your platform of choice that do it for you. In particular the TOTP, where you just implement the part server-side compatible with Google Authenticator (if you like, even generating a Qrcode for user not having to type anything) and use it along with that own application.
Care
Finally, a quick note for cases exceptional: Many websites offer an option for the user to reset their password by simply sending the user’s email a link to complete the action. This practice alone completely eliminates the "something that the user know", delegating the entire authentication to the premise that the user still has control over his email address. In other words, whoever gets access to the user’s email, can reset all their passwords... For this reason, some even propose to delete the password from the equation, reducing the login process to simply send an email to the user with a unique validity access link.
This is not ideal as it depends only on what the user has to authenticate it makes the theft of your credentials a very attractive way of attack (e.g.: do you access your email via smartphone? which, in addition to a standard or a simple Swipe prevents someone from picking up their device from reading all their email? ). A secret component is important, although not as strong as possible. If your primary mode of authentication is what you has, this allows even a weak password still to fulfill its role well - as the bank passwords, which are usually numerical and short, but it does not matter because without your chip card you do nothing.
For this reason, it is important to offer multiple means of authentication, and to make clear to the user the importance of protecting them. Because by avoiding the error of "relaxing" too much the form of password recovery, you may end up making another mistake, to prevent the recovery of access to a lost account. That is, when deciding whether or not to offer multiple authentication factors - and what the "weight" of each, what the alternatives are in case one or the other is lost - always bear in mind the balance between authenticity and availability.