
What Is Two-Factor Authentication (2FA)? A Plain-English Guide

Two-factor authentication (2FA) — also called two-step verification or multi-factor authentication (MFA) — adds a second check to your login process. Instead of just a password, you also need a second piece of proof that you are who you say you are. This simple change stops the vast majority of account hijacking attacks.

Why Passwords Alone Are Not Enough

Passwords get compromised constantly — through phishing attacks, data breaches at websites you use, or password reuse across multiple sites. Once a criminal has your password, they can access your account from anywhere in the world.

Two-factor authentication breaks this. Even if an attacker has your correct password, they still cannot log in without the second factor — which only you have.

How 2FA Works

When you log into an account with 2FA enabled, the process has two steps:

  1. Something you know — your password
  2. Something you have or are — a code from your phone, a physical security key, or a biometric

Both are required. Getting one without the other is not enough.

Types of Two-Factor Authentication

Authenticator App

Apps like Google Authenticator, Microsoft Authenticator, or Authy generate a 6-digit time-based one-time password (TOTP) that changes every 30 seconds. When you log in, you open the app and type in the current code. This works offline, is fast, and is significantly more secure than SMS.

SMS Text Message

A code is sent to your phone number via text. Easy to set up, works on any phone, but less secure — SIM swap attacks can intercept SMS codes. Better than nothing, but use an authenticator app if possible.

Hardware Security Key (Most Secure)

A physical device like a YubiKey that you plug in or tap to your phone. Cannot be phished remotely: the key signs a challenge that is bound to the genuine site's address, so a look-alike site never receives a response it can use. The most secure option available for consumer use. Used by high-risk targets like journalists, executives, and activists.

Push Notification

An app on your phone shows a login request — you tap Approve or Deny. Used by Microsoft Authenticator and Duo. Convenient but vulnerable to “MFA fatigue” attacks where attackers spam approval requests.

Passkeys

A newer technology that replaces passwords entirely with a cryptographic key stored on your device. When you sign in, your device authenticates using Face ID, Touch ID, or PIN. Passkeys are both the first and second factor in one — extremely secure and increasingly supported by major websites.

Where to Enable 2FA First

Prioritise accounts that would cause the most damage if compromised:

  1. Email — your email resets every other password, making it the master key
  2. Microsoft/Google account — controls your device, cloud storage, and more
  3. Banking and financial accounts
  4. Password manager
  5. Work accounts
  6. Social media

How to Set Up 2FA on Common Services

  • Microsoft account: account.microsoft.com → Security → Advanced security options → Two-step verification
  • Google account: myaccount.google.com → Security → 2-Step Verification
  • Apple ID: Settings → [Your name] → Sign-In & Security → Two-Factor Authentication
  • Most websites: Look in Security or Account settings for “Two-factor authentication” or “Two-step verification”

What to Do With Backup Codes

When you enable 2FA, most services provide one-time backup codes for use if you lose your phone. Save these somewhere secure — a password manager, a printed sheet stored safely, or an encrypted note. Losing access to your 2FA device without backup codes can permanently lock you out of your account.
