What are the two factors?
Two-factor authentication (2FA) means a login needs two proofs of different kinds. The classic split is something you know, your password, plus something you have, a phone or a hardware security key. The two must be different in kind: two passwords are not 2FA, because one leak compromises both. The value is that a password caught in a breach, reused from another site, or shoulder-surfed is no longer the whole story. The attacker still needs the thing in your pocket.
For a self-hosted setup, the accounts worth protecting this way are the ones that can hurt you: the code host, the domain registrar, the cloud provider holding a public server. Those are exactly the accounts attackers go for, because they are the lever to everything downstream.
What is a TOTP code?
The common second factor is a time-based one-time password (TOTP): the rotating six-digit code an authenticator app shows. The app and the server share a secret once, at setup, and from then on both compute the same code from that secret plus the current time. The code changes every thirty seconds, so a captured one is stale almost immediately, and nothing has to travel over the network to deliver it.
A hardware security key is stronger still, since it cannot be phished the way a code typed into a fake page can. SMS codes are the weakest common option: a text message can be intercepted, and the number it goes to can be ported away from you. Better than nothing, but the first choice when a service offers more.