We've previously described and recommended the use of multi-factor (or two-factor) authentication (2FA) on multiple occasions.
An article in Mashable, referring to the recently leaked NSA report on Russian efforts to hack the computers of U.S. election officials, notes that even 2FA won’t protect you against a fake website. For example, receiving a special code via text on your smartphone offers no extra protection if you then provide that code to an illegitimate site controlled by the bad guy (or girl).
The lesson, as a reminder: for any site that requires you to provide login credentials, confirm that the URL begins with "https," not "http." While not foolproof, doing so will reduce the possibility of you getting hoodwinked despite use of 2FA.