
Two-Factor Authentication, Explained Simply

By Isaac Farris·Updated May 23, 2026·6 minute read

If you only do one thing this year to protect your accounts, turn on two-factor authentication. It's the single most effective protection against hackers, and it takes about 5 minutes per account.

The short version

Two-factor authentication (2FA) means you need two things to sign in: your password AND a code on your phone. Even if someone steals your password, they can't get in without your phone. Turn it on for your email first (because email controls everything else), then your bank, then everything that matters.

What 2FA actually is

When you sign in to most accounts today, you only need one thing: your password. If a hacker gets that password (through a data breach, phishing, or guessing), they're in.

2FA adds a second step. After typing your password, you also need to enter a 6-digit code that's either:

Now even if someone has your password, they can't sign in without also having your phone.

Three types of 2FA, ranked

1. Authenticator app (best for most people)

An app on your phone generates 6-digit codes that change every 30 seconds. No cell signal needed. Works offline. Free.

Good options: Google Authenticator, Microsoft Authenticator, Authy. All free. Authy backs up codes to the cloud (helpful if you lose your phone).

2. Text message (better than nothing)

Services text you a code when you try to sign in. Easy to set up. But vulnerable to SIM-swap attacks, where a scammer convinces your carrier to move your number to their phone.

Use SMS 2FA only if the service doesn't offer an authenticator app option.

3. Physical security key (most secure)

A physical USB or NFC key (YubiKey is the popular brand) that you plug in or tap to sign in. Highest security but $30-60 per key, and you need backup keys in case you lose one. Overkill for most people unless you're a high-value target.

Set up 2FA on the accounts that matter most

Google / Gmail (do this first)

  1. Go to myaccount.google.com/security
  2. Click 2-Step Verification
  3. Follow the prompts. Use the Google Prompt method (sends a tap notification to your iPhone or Android) or an authenticator app.
  4. Save your backup codes! Print them or write them down.

Google email controls password resets for half your other accounts. This is the most important one to secure.

Apple Account

  1. On iPhone: Settings > Apple Account > Sign-In & Security > Two-Factor Authentication > turn on
  2. On Mac: System Settings > Apple Account > Sign-In & Security > Two-Factor Authentication

Microsoft / Outlook

  1. Go to account.microsoft.com/security
  2. Sign in > Advanced security options > Two-step verification > turn on

Your bank

Every major bank now supports 2FA. Look in your bank's app under Security or Settings. Almost all use SMS 2FA. Better than nothing.

Facebook, Instagram, Twitter/X

All in Settings > Security > Two-Factor Authentication. Set them up while you're thinking about it.

Amazon

Account > Login & Security > 2-Step Verification > Edit. Highly recommended given the credit card stored on Amazon.

The most important thing: save your backup codes

When you enable 2FA, every service offers backup codes (usually 8-10 codes you can use if you lose your phone). Save them.

Best places:

Worst places (don't do these):

What to do if you lose your 2FA phone

This is everyone's biggest fear. Here's the recovery process:

  1. Use your backup codes to sign in once and remove the lost phone from your 2FA settings
  2. If you have no backup codes, contact the service's customer support and prove your identity through other means. This can take days.
  3. If your authenticator app backs up to the cloud (Authy, Microsoft Authenticator), you can restore your codes on a new phone

Plan ahead: when you get a new phone, transfer your 2FA codes to it BEFORE getting rid of the old one. Use the authenticator app's "transfer" or "export" feature.
