Two-factor authentication (2FA) is the single most effective thing most people can add to their online accounts. If your password gets stolen — through a data breach, phishing, or anything else — 2FA means the attacker still can’t log in without a second piece of proof that only you have.
It’s not complicated. Here’s how it works and how to set it up.
What two-factor authentication actually is
When you log in somewhere with 2FA enabled, two things are required:
- Something you know — your password
- Something you have — usually your phone
The “something you have” is typically a six-digit code that changes every 30 seconds, generated by an app on your phone. Even if someone has your exact password, they can’t log in without that code — and the code expires before they can do anything useful with it.
This is why data breaches are less catastrophic for people with 2FA. The attackers get the password; they don’t get the phone.
The different types of 2FA (best to worst)
Not all 2FA is equally secure. Here’s the ranking:
Authenticator app (best)
Apps like Google Authenticator, Aegis (Android), Raivo (iOS), or Authy generate time-based codes on your device. Nothing is transmitted over the network — the code is calculated locally from the current time and a shared secret, which the app stored when you scanned the QR code during setup.
This is the most secure common 2FA method and what you should use wherever possible.
Hardware security key (most secure, more effort)
A physical USB or NFC device (like a YubiKey) that you plug in or tap. Cryptographically the strongest option — immune to phishing because the key verifies the actual website you’re on. Overkill for most people, but worth it if you’re protecting high-value accounts.
SMS text message (better than nothing, not ideal)
A code texted to your phone number. The weakness: phone numbers can be hijacked through “SIM swapping” — convincing your mobile provider to transfer your number to a new SIM. This is rare but happens, particularly to people targeted specifically.
SMS 2FA is significantly better than no 2FA. But if a site offers an authenticator app option, use that instead.
Email codes (weakest)
A code sent to your email. Only as secure as your email account’s own security — which is circular if your email is what’s being attacked. Better than nothing; worse than everything else.
Setting up an authenticator app
Step 1: Download an authenticator app.
- Android: Aegis Authenticator (open source, local backup) or Google Authenticator
- iOS: Raivo or Google Authenticator
- Cross-platform with cloud backup: Authy (convenient but trusts their servers)
Step 2: Go to the security settings of the account you want to protect. Look for “Two-factor authentication”, “Two-step verification”, or “Login security”.
Step 3: Choose the authenticator app option and scan the QR code shown on screen with your authenticator app.
Step 4: Enter the six-digit code the app shows to confirm it’s working. Done.
From that point, every login will ask for your password and then a code from the app.
Save your backup codes
When you enable 2FA, the site will give you backup codes — usually 8–10 one-time codes. Save these somewhere safe. If you lose your phone and can’t access your authenticator app, backup codes are the only way to recover your account.
Store them in your password manager, or print them and keep them somewhere secure offline.
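For readers curious what a site does with those backup codes, here is an added example (illustrative code, not taken from any particular site) of how they are typically generated and consumed: each code is random, the site stores only a hash of it, and a code stops working the moment it has been used once. The store class and its method names are hypothetical.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, List


def generate_backup_codes(count: int = 10, length: int = 8) -> List[str]:
    """Random single-use recovery codes in the form 'a3f9-c02e'.
    `secrets` is the right source: the codes must be unguessable."""
    codes = []
    for _ in range(count):
        raw = secrets.token_hex(length // 2)  # `length` hex characters
        codes.append(f"{raw[:4]}-{raw[4:]}")
    return codes


def _digest(code: str) -> str:
    """Normalise (drop dashes, lowercase) and hash. Storing only the hash
    means a leaked database does not hand out usable recovery codes."""
    return hashlib.sha256(code.replace("-", "").lower().encode()).hexdigest()


class BackupCodeStore:
    """Hypothetical server-side store for one account's unused codes."""

    def __init__(self, codes: Iterable[str]):
        self._unused = {_digest(c) for c in codes}

    def redeem(self, submitted: str) -> bool:
        """Return True and burn the code if it is unused; False otherwise.
        Constant-time comparison per stored hash."""
        candidate = _digest(submitted)
        for stored in list(self._unused):
            if hmac.compare_digest(stored, candidate):
                self._unused.remove(stored)
                return True
        return False

    def remaining(self) -> int:
        return len(self._unused)


if __name__ == "__main__":
    codes = generate_backup_codes()
    store = BackupCodeStore(codes)
    print("first use:", store.redeem(codes[0]))   # True
    print("second use:", store.redeem(codes[0]))  # False, already burned
    print("codes left:", store.remaining())
```

This is why the article tells you to save the codes when they are shown: the site cannot display them again later, because it only keeps the hashes.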
Which accounts to protect first
Not everything needs 2FA — your loyalty card for a coffee shop probably doesn’t matter. Focus on accounts where a breach would be genuinely damaging:
Critical (do these now):
- Email — everything else can be reset through email, so it’s the master key
- Banking and financial accounts
- Apple ID / Google account — control your phone, control everything
High priority:
- Password manager (most support 2FA — this is the vault, protect it)
- Social media (used for identity and “Login with Google/Facebook” on other sites)
- Work accounts / Microsoft 365 / Google Workspace
- Domain registrar (if you own any domains)
- Cloud storage (Dropbox, OneDrive, Google Drive)
Nice to have:
- Shopping accounts (Amazon, eBay)
- Gaming platforms (Steam, PlayStation Network)
What about “remember this device”?
Most sites will ask if you want to skip 2FA on a trusted device for 30 days. On your personal home computer, that’s a reasonable trade-off for convenience. Don’t tick it on shared or public computers.
The small print
2FA is very effective against mass attacks and credential stuffing. It’s less effective against a sophisticated attacker targeting you specifically — but that’s not the threat most people face. For real-world attacks on ordinary people, 2FA is one of the highest-impact security measures you can take.
Set it up on your email account today. That one step protects you more than most other security changes combined.