Something you have (e.g., an ID badge or a cryptographic key).
Something you are (e.g., a fingerprint or other biometric data).
Note: The security-key flow using WebAuthn is currently in beta.
When you enable 2FA, you will be prompted for a second form of authentication before performing certain actions on your account or packages to which you have write access. Depending on your 2FA configuration you will be either prompted to authenticate with a security-key or a time-based one-time password (TOTP).