Google's security research found that adding two-factor authentication to an account blocks 99.9% of automated attacks, 99% of bulk phishing attacks, and 90% of targeted attacks. No other single security measure comes close. If you do one thing after reading this guide, enable 2FA on your email, banking, and social media accounts today.
What Two-Factor Authentication Is
Authentication factors fall into three categories:
- Something you know: a password, PIN, or security question answer.
- Something you have: a phone, security key, or authentication app.
- Something you are: a fingerprint, face scan, or other biometric.
Two-factor authentication (2FA) requires two different categories to log in. Your password alone (something you know) is one factor. Adding a code from your phone (something you have) is the second factor. Even if a scammer steals your password through phishing, they cannot access your account without the second factor.
2FA Methods Ranked by Security
Not all second factors are equally secure. Here is the ranking from strongest to weakest:
1. Hardware Security Keys (Most Secure)
Physical devices like YubiKey or Google Titan Key that plug into your USB port or connect via NFC. You tap the key when prompted during login.
Why it is the strongest:
- Cannot be phished. The key cryptographically verifies the website's identity, so it will not respond to a fake site.
- Cannot be intercepted remotely.
- Does not rely on your phone's security.
Considerations:
- Costs $25-$60 per key.
- You should buy two (one as backup) in case you lose one.
- Not supported by all services, though coverage is expanding rapidly.
2. Authenticator Apps (Very Secure)
Apps like Google Authenticator, Microsoft Authenticator, Authy, or 1Password generate time-based codes (TOTP) that change every 30 seconds.
Why it is strong:
- Codes are generated locally on your device, not sent over a network.
- Cannot be intercepted via SIM swapping (unlike SMS).
- Works without cellular service or internet.
Considerations:
- If you lose your phone, you lose access unless you saved backup codes.
- Authy and 1Password offer cloud backup of 2FA tokens. Google Authenticator added this recently but it is optional.
- Can still be phished if you enter the code on a fake website (the attacker relays it to the real site in real time, before it expires).
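To show what an authenticator app actually does with that "code that changes every 30 seconds", here is an added example (not code from the original article) implementing HOTP (RFC 4226) and TOTP (RFC 6238) with the Python standard library, plus the server-side check a service performs on the submitted code. The base32 "setup key" handling and the one-step clock-skew window are my assumptions about a typical deployment; the seed and counter values used in the usage below are the public test vectors from those RFCs.

```python
import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    # The counter is an 8-byte big-endian integer; the HMAC is computed over it.
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    # Dynamic truncation: the low 4 bits of the last byte pick a 4-byte window.
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current time step."""
    # Both the phone and the server derive the counter from the clock, which is
    # why the app needs no network: only the shared secret and the time matter.
    return hotp(secret, int(at_time) // step, digits)


def decode_setup_key(setup_key: str) -> bytes:
    """Decode the base32 'setup key' an enrollment screen shows (assumed format:
    spaces and lower case are tolerated, padding may have been stripped)."""
    cleaned = setup_key.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore stripped '=' padding
    return base64.b32decode(cleaned)


def verify_totp(secret: bytes, submitted: str, now: float,
                window: int = 1, step: int = 30) -> bool:
    """Server-side check: accept the current step and up to `window` steps on
    either side to tolerate clock skew. Uses a constant-time comparison."""
    current = int(now) // step
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, current + drift), submitted):
            return True
    return False


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 shared test secret (ASCII "12345678901234567890").
    seed = decode_setup_key("gezd gnbv gy3t qojq gezd gnbv gy3t qojq")
    print("HOTP counter 0:", hotp(seed, 0))        # 755224
    print("TOTP at t=59:", totp(seed, 59))          # 287082
    print("TOTP at t=59 (8 digits):", totp(seed, 59, digits=8))  # 94287082
    print("accepted one step late:", verify_totp(seed, totp(seed, 59), 89))
```

The same secret yields the same code on both sides, so a code that is typed into a fake site is just as valid for the real site for the rest of its 30-second step; that is the limitation the bullet above describes, and it is what hardware keys and passkeys remove by binding the response to the site.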
3. Push Notifications (Secure)
Services like Google Prompt, Microsoft Authenticator, and Duo send a push notification to your phone asking "Did you just try to sign in?" You tap "Yes" or "No."
Why it is good:
- More convenient than typing codes.
- Shows login location and device details, helping you spot unauthorized attempts.
Considerations:
- Susceptible to "MFA fatigue" attacks where scammers spam push notifications until you accidentally tap "Yes." To counter this, some services now require you to match a number shown on screen.
- Requires internet connection on your phone.
4. SMS Codes (Better Than Nothing)
A text message with a 6-digit code sent to your phone number. This is the most common 2FA method and the weakest.
Why it is the weakest 2FA method:
- SIM swapping: Scammers convince your carrier to transfer your phone number to their SIM card. They then receive your SMS codes. This is more common than most people realize.
- SS7 vulnerabilities: The telecom protocol used for SMS routing has known security flaws that allow interception.
- Social engineering: Scammers call you pretending to be your bank and ask you to read them the code "for verification." The code was triggered by the scammer trying to log into your account.
Still, SMS 2FA is significantly better than no 2FA. If SMS is the only option a service offers, use it.
How to Set Up 2FA on Major Platforms
Google / Gmail
- Go to myaccount.google.com/security
- Click "2-Step Verification"
- Follow the setup wizard
- Recommended: Set up a security key or Google Authenticator as primary, with backup codes stored safely
Apple ID
- iPhone/iPad: Settings → [Your Name] → Password & Security → Two-Factor Authentication
- Mac: System Settings → [Your Name] → Password & Security → Two-Factor Authentication
- Apple uses its own push notification system for 2FA
Microsoft / Outlook
- Go to account.microsoft.com/security
- Click "Advanced security options"
- Under "Additional security," turn on "Two-step verification"
- Recommended: Use Microsoft Authenticator app
Banking Apps
Most major banks now offer 2FA. Check your bank's security settings or contact customer service. Look for options labeled "Two-Factor Authentication," "Two-Step Verification," or "Extra Security."
Social Media
- Instagram: Settings → Accounts Center → Password and Security → Two-Factor Authentication
- Facebook: Settings → Accounts Center → Password and Security → Two-Factor Authentication
- X (Twitter): Settings → Security and Account Access → Security → Two-Factor Authentication
- LinkedIn: Settings → Sign In & Security → Two-Step Verification
Backup Codes: Your Safety Net
When you enable 2FA, most services provide a set of backup codes (usually 8-10 one-time-use codes). These are your emergency access if you lose your phone or security key. Treat them like a spare house key:
- Print them and store them in a secure physical location (a safe or locked drawer)
- Do not store them on the same phone you use for 2FA
- Do not save them in an unencrypted file on your computer
- A password manager is a reasonable storage option
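From the service's side, backup codes are only a safety net if each one works exactly once and a stolen copy of the database does not reveal them. The following is an added example (not the article's code and not any particular provider's implementation) of how a service can generate, store and redeem backup codes: the codes are random, only salted hashes are kept, and a redeemed code is deleted. The code format and the PBKDF2 parameters are my assumptions.

```python
import hashlib
import hmac
import secrets

# Alphabet without 0/o, 1/l/i, so printed codes are hard to misread (assumption).
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def generate_backup_codes(count: int = 10, groups: int = 2, group_len: int = 5) -> list:
    """Generate `count` random one-time codes shaped like 'k7x2m-9qd4f'."""
    codes = []
    for _ in range(count):
        parts = ["".join(secrets.choice(ALPHABET) for _ in range(group_len))
                 for _ in range(groups)]
        codes.append("-".join(parts))
    return codes


def normalize(code: str) -> str:
    """Make 'K7X2M 9QD4F' and 'k7x2m-9qd4f' compare equal."""
    return code.strip().lower().replace("-", "").replace(" ", "")


class BackupCodeStore:
    """Server-side store: keeps salted hashes only; each code is usable once."""

    def __init__(self, codes):
        self.salt = secrets.token_bytes(16)
        # The plaintext codes are shown to the user once and never stored.
        self.unused = {self._hash(c) for c in codes}

    def _hash(self, code: str) -> bytes:
        # A slow hash, because backup codes have less entropy than a real key.
        return hashlib.pbkdf2_hmac("sha256", normalize(code).encode(), self.salt, 100_000)

    def redeem(self, submitted: str) -> bool:
        """Consume the submitted code. Returns True once, then False forever."""
        digest = self._hash(submitted)
        match = next((h for h in self.unused if hmac.compare_digest(h, digest)), None)
        if match is None:
            return False
        self.unused.remove(match)  # single use: burn it
        return True

    def remaining(self) -> int:
        return len(self.unused)


if __name__ == "__main__":
    codes = generate_backup_codes()
    store = BackupCodeStore(codes)
    print("issued:", codes)
    print("first use:", store.redeem(codes[0]))   # True
    print("second use:", store.redeem(codes[0]))  # False
    print("left:", store.remaining())             # 9
```

When the user runs low on codes, a service would regenerate the whole set (a new store with a new salt) rather than top it up, so an old printout cannot stay partially valid.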
Common 2FA Mistakes
Using SMS for Everything
If a service offers authenticator app support, use it. SMS is the fallback, not the first choice.
Not Saving Backup Codes
Losing your phone without backup codes means being locked out of your own accounts. Recovery processes exist but are slow, frustrating, and sometimes impossible.
Sharing Codes
No legitimate service will ever call or message you asking for your 2FA code. If someone contacts you and asks for a code that was just sent to your phone, they are trying to break into your account — even if they claim to be from the company. You can verify messages like these by pasting them into IsThisAScam.to.
Using the Same Authenticator Without Backup
If your phone is your only authenticator and you have no backup codes, losing or breaking that phone creates a serious problem. Use Authy (which supports multi-device sync) or keep backup codes.
Skipping 2FA on Email
Your email is the master key to your digital life. Password resets for almost every other service go through email. If a scammer controls your email, they can reset passwords on your banking, social media, and shopping accounts. Your email account should be the first place you enable 2FA.
Passkeys: The Future Beyond 2FA
Passkeys are a newer technology supported by Apple, Google, and Microsoft that may eventually replace both passwords and traditional 2FA. A passkey is a cryptographic credential stored on your device that uses biometrics (fingerprint or face) to authenticate. You do not type a password or enter a code — you just verify with your fingerprint.
Passkeys are phishing-resistant by design (they are bound to specific websites and cannot be entered on fakes). As adoption grows, they represent the strongest consumer authentication available. Enable passkeys on any service that supports them.
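The reason both hardware keys (first method above) and passkeys cannot be used on a look-alike site is that the browser, not the web page, records which origin asked for the credential, the authenticator only answers for the site the credential was registered to, and the signature covers that recorded origin. The following is an added simulation (not the article's code and not a real WebAuthn library) of that three-party check in Python. Because the standard library has no ECDSA, an HMAC with a per-site device secret stands in for the authenticator's private-key signature; that substitution, the `bank.example` names and the single allowed origin are assumptions, while the structure of `clientDataJSON` and of `authenticatorData` (rpIdHash, flags, sign count) follows the WebAuthn specification.

```python
import hashlib
import hmac
import json
import secrets
import struct


class Authenticator:
    """Device side: one credential per relying party ID (rpId)."""

    def __init__(self):
        self.credentials = {}  # rpId -> device secret (stand-in for a private key)

    def register(self, rp_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self.credentials[rp_id] = key
        return key  # a real RP stores the *public* key; the toy shares the secret

    def get_assertion(self, rp_id: str, client_data: bytes):
        # authenticatorData = SHA-256(rpId) | flags (0x01 = user present) | sign count
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + struct.pack(">I", 1)
        # The signature covers authenticatorData and the hash of clientDataJSON,
        # so the origin the browser wrote into clientDataJSON cannot be altered.
        signed = auth_data + hashlib.sha256(client_data).digest()
        return auth_data, hmac.new(self.credentials[rp_id], signed, hashlib.sha256).digest()


class Browser:
    """Client side: fills in the origin of the page that made the request."""

    def __init__(self, authenticator, origin: str):
        self.authenticator = authenticator
        self.origin = origin

    def navigator_credentials_get(self, rp_id: str, challenge: bytes):
        host = self.origin.split("://", 1)[1]
        # WebAuthn rule: rpId must be the page's host or a registrable parent of it.
        if not (host == rp_id or host.endswith("." + rp_id)):
            raise PermissionError(f"rpId {rp_id!r} is not valid for origin {self.origin!r}")
        if rp_id not in self.authenticator.credentials:
            raise LookupError(f"no passkey registered for {rp_id!r}")
        client_data = json.dumps({"type": "webauthn.get",
                                  "challenge": challenge.hex(),
                                  "origin": self.origin}).encode()
        auth_data, sig = self.authenticator.get_assertion(rp_id, client_data)
        return client_data, auth_data, sig


class RelyingParty:
    """Server side: checks type, origin, challenge, rpIdHash and the signature."""

    def __init__(self, rp_id: str, allowed_origins):
        self.rp_id = rp_id
        self.allowed_origins = set(allowed_origins)
        self.stored_key = None
        self.pending = set()  # outstanding challenges, each usable once

    def begin_login(self) -> bytes:
        challenge = secrets.token_bytes(32)
        self.pending.add(challenge.hex())
        return challenge

    def finish_login(self, client_data: bytes, auth_data: bytes, sig: bytes) -> bool:
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get" or cd.get("origin") not in self.allowed_origins:
            return False  # credential was exercised on the wrong site
        if cd.get("challenge") not in self.pending:
            return False  # unknown or already used challenge (replay)
        if auth_data[:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return False  # rpIdHash does not match this relying party
        expected = hmac.new(self.stored_key, auth_data + hashlib.sha256(client_data).digest(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return False
        self.pending.discard(cd["challenge"])
        return True


def demo(login_origin: str) -> str:
    """Return 'ok' on success, otherwise which party refused and why."""
    device = Authenticator()
    rp = RelyingParty("bank.example", ["https://bank.example"])
    rp.stored_key = device.register("bank.example")
    challenge = rp.begin_login()
    try:
        data = Browser(device, login_origin).navigator_credentials_get("bank.example", challenge)
    except (PermissionError, LookupError) as exc:
        return f"browser refused: {exc}"
    return "ok" if rp.finish_login(*data) else "relying party rejected"


if __name__ == "__main__":
    print(demo("https://bank.example"))            # ok
    print(demo("https://bank-example-login.test"))  # browser refused: ...
```

Contrast this with the TOTP flow: a six-digit code carries no information about where it was typed, whereas here a phishing page on another host never gets an assertion at all, and even a page on a related host that does get one is rejected by the relying party because the signed origin is not the expected one.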
Start Now: Your 15-Minute Security Upgrade
Spend 15 minutes today and dramatically reduce your vulnerability:
- Download an authenticator app (Google Authenticator or Authy)
- Enable 2FA on your primary email account
- Enable 2FA on your bank accounts
- Enable 2FA on your social media accounts
- Save your backup codes in a secure location
These five steps, taking about three minutes each, provide more protection than any other single action you can take for your online security.