Many websites that require authentication allow users to set up 2-Factor Authentication. Once it's set up, whenever you sign in using a new device (from where you have not already signed in), the website would not allow you to sign in by entering only the username and password. Rather, it sends you a pin code at your given mobile number or displays the code in the authenticator app installed on your mobile. That pin code must be entered along with credentials, otherwise, the sign-in would fail. But how it helps to keep your accounts safe, is explained below.
If a malicious user gets successful to steal your username and password. But when he/she would try to login from a device unknown to you, the portal would send the pin code to the given mobile number of your authenticator app, and not to that malicious user. In this way, your account would remain secure.
Now we share a very important point. When ignored, many people's accounts are hacked by malicious users. You may receive a fake call on your mobile by someone who got an account to your credential but could not get a pin code because of two-factor authentication. He/she would call you and ask for the pin code that you have received at your registered mobile number. They would tell you a fake story explaining why you shall give them. Always remember, original websites, banks, portal operators never call you to ask for the pin code that is sent to you on your cell. Whenever you get such a call, never share your confidential information e.g. credit card number, its expiry date, a pin code, etc., and instantly change the password of that account, because maybe the credentials (username/email and password) are compromised.