0 votes
ago in Tech by (1.1k points)
My bank keeps telling me to enable it, but I don't really get what it's doing differently than just a password.

1 Answer

0 votes
ago by (1.1k points)
A password alone is "something you know." If someone steals or guesses it, they can log in as you, full stop. Two-factor authentication (2FA) adds a second, different kind of proof before access is granted, usually "something you have," like your phone.

Here's what actually happens when you enable it: after you enter your correct password, the bank's site doesn't log you in immediately. Instead it sends a one-time code to your phone (via text, an authenticator app, or a push notification), or asks you to approve the login on a device you already have signed in. You have to provide that second piece before the session opens. Each code is typically time-limited and single-use, so even if someone captured it, it would be useless minutes later.

The security gain is that a stolen or leaked password stops being enough on its own. Passwords get exposed constantly, through phishing pages, data breaches at other sites where people reuse passwords, malware, or simple guessing. With 2FA on, an attacker who has your password still cannot get in unless they also physically have your phone or authenticator device. That's a much higher bar than just knowing a string of characters.

Authenticator apps (like Google Authenticator or Authy) are generally considered more secure than SMS codes, because text messages can sometimes be intercepted through SIM-swapping attacks. But any form of 2FA is meaningfully safer than a password by itself, which is why banks push it so hard: your money is the thing most worth protecting with a second lock.
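The time-limited, single-use code the answer describes is normally a TOTP (RFC 6238). The following is an added example, not code from the post or from any bank or authenticator app: the code generator and a server-side verifier that tolerates one 30-second step of clock skew and refuses to accept an already-used step again. The secret is the RFC 6238 test key, so the values are reproducible.

```python
import hmac
import hashlib
import struct
import time

TIME_STEP = 30   # seconds each code is valid for (RFC 6238 default)
DIGITS = 6       # length of the displayed code


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the time-step counter, HMAC-SHA1."""
    counter = unix_time // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                                 # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TotpVerifier:
    """Server side of the check the bank performs after the password is accepted.

    Accepts the current step plus `skew_steps` either side (clock drift), and
    records the highest step already used so the same code cannot be replayed.
    """

    def __init__(self, secret: bytes, skew_steps: int = 1):
        self.secret = secret
        self.skew = skew_steps
        self.last_accepted_counter = -1   # single-use: steps <= this are refused

    def verify(self, submitted: str, unix_time: int) -> bool:
        now_counter = unix_time // TIME_STEP
        for delta in range(-self.skew, self.skew + 1):
            counter = now_counter + delta
            if counter <= self.last_accepted_counter:
                continue   # already consumed (or older than a consumed one)
            expected = totp(self.secret, counter * TIME_STEP)
            if hmac.compare_digest(expected, submitted):   # constant-time compare
                self.last_accepted_counter = counter
                return True
        return False


if __name__ == "__main__":
    # Constructed demo secret (the RFC 6238 Appendix B test key), not a real one.
    secret = b"12345678901234567890"
    now = int(time.time())
    code = totp(secret, now)                 # what the phone app would display
    verifier = TotpVerifier(secret)
    print(code, verifier.verify(code, now))  # True
    print(verifier.verify(code, now))        # False: same step cannot be reused
```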