The Problem 2FA Solves

Passwords alone aren't as safe as they used to be. Data breaches happen regularly, and vast lists of usernames and passwords end up for sale online. Even if you've never been hacked directly, there's a real chance that login credentials from an old account are floating around somewhere. Two-factor authentication (2FA) means that even if someone has your password, they still can't log in without the second factor.

What Is Two-Factor Authentication?

Two-factor authentication is a security method that requires two separate proofs of identity before granting access to an account. The idea is based on three possible factors:

  • Something you know — your password or PIN
  • Something you have — your phone, a hardware key, or an authentication app
  • Something you are — a fingerprint or face scan

Standard 2FA combines the first two: you enter your password (something you know), then confirm via your phone (something you have). An attacker who steals your password doesn't have your phone, so they're stopped.

Types of Two-Factor Authentication

SMS Codes

The most common type. After logging in, you receive a text message with a short code. Enter it to complete sign-in. It's simple and widely available, though it's considered the weakest form of 2FA because an attacker who takes over your phone number through a SIM-swapping attack can potentially intercept the codes.

Authenticator Apps

Apps like Google Authenticator, Authy, or Microsoft Authenticator generate a new 6-digit code every 30 seconds. These codes are significantly more secure than SMS because they are generated on your device and don't go over the phone network. This is the recommended option for most people.
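How those 30-second codes are produced, as an added example that is not part of the original article: a minimal Python implementation of TOTP (RFC 6238), the standard these apps use, together with the check a service runs on the code you type in. The secret is a constructed sample (the RFC's published test key), and the names `totp`, `verify` and `drift` are chosen for this illustration.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30  # the page's "new code every 30 seconds"
DIGITS = 6         # the page's "6-digit code"

# Constructed sample: the RFC 6238 test key "12345678901234567890" in Base32.
# A real secret is issued by the service and carried in the enrolment QR code.
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32: str, unix_time: float) -> str:
    """Return the code an authenticator app shows at unix_time."""
    cleaned = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
    counter = int(unix_time) // STEP_SECONDS          # which 30-second window
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                           # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret_b32: str, submitted: str, unix_time: float, drift: int = 1) -> bool:
    """Service-side check: accept the current window and `drift` neighbours."""
    matched = False
    for step in range(-drift, drift + 1):
        t = unix_time + step * STEP_SECONDS
        if t < 0:
            continue
        expected = totp(secret_b32, t)
        # Constant-time comparison; no early exit on a match.
        matched |= hmac.compare_digest(expected.encode(), submitted.encode())
    return matched


if __name__ == "__main__":
    now = time.time()
    code = totp(SAMPLE_SECRET_B32, now)
    print("current code:", code, "accepted:", verify(SAMPLE_SECRET_B32, code, now))
```

Because the code depends only on the shared secret and the clock, nothing is sent to the phone at login. A real service would also rate-limit guesses and refuse a code that has already been accepted.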

Passkeys and Hardware Keys

Physical devices (like a YubiKey) that you plug into your computer are the most secure form of 2FA. They're used mainly by security professionals or for high-value accounts. Passkeys — a newer technology supported by Google, Apple, and Microsoft — work similarly and are becoming more common on everyday accounts.

Biometrics

Fingerprint and face recognition on your phone can serve as a second factor when used in combination with a password. This is increasingly common in banking apps.

How to Set Up 2FA: Step-by-Step

  1. Go to your account's security settings. Look for "Security," "Privacy," or "Sign-in options."
  2. Find the 2FA or Two-Step Verification option and click to enable it.
  3. Choose your method — authenticator app is recommended over SMS when available.
  4. If using an app: Download Google Authenticator or Authy, scan the QR code shown on screen, and enter the first 6-digit code to confirm it's working.
  5. Save your backup codes. These are one-time codes you can use if you lose access to your phone. Store them somewhere safe — printed out or in a secure notes app.

Which Accounts Should Have 2FA?

Enable 2FA on everything important. Prioritise in this order:

  • Email accounts (these can be used to reset every other account)
  • Banking and financial accounts
  • Password managers
  • Social media accounts
  • Work or business accounts
  • Shopping accounts with saved payment methods

Common Concern: "What If I Lose My Phone?"

This is the most common hesitation, and it's a fair one. The answer: backup codes. Every service that offers 2FA also provides a set of emergency backup codes when you set it up. Store these safely (not only on your phone). Most services also allow account recovery through ID verification if you're truly locked out.

The Bottom Line

Two-factor authentication is one of the easiest, most effective steps you can take to protect your digital life. It takes about five minutes to set up on your most important accounts and dramatically reduces the risk that a stolen password leads to a compromised account. Set it up today — especially on your email.