How to Enable 2FA on Every Account
Microsoft reported that accounts with two-factor authentication enabled block 99.9% of automated attacks. Google found that adding a recovery phone number (a basic form of 2FA) blocked 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks. Yet only 28% of Americans use 2FA on any account, and fewer than 10% use it consistently across all important accounts.
Enabling 2FA takes about 2 minutes per account and is the single most impactful security improvement you can make. Here's how to do it on every account that matters.
Worried about account security? Paste suspicious login alerts into our free scanner →
What is 2FA and Why It Matters
Two-factor authentication means that logging in requires two things: something you know (your password) and something you have (your phone, a security key, or an authenticator app). Even if a scammer steals your password through phishing, a data breach, or malware, they can't access your account without the second factor.
Think of it as a deadbolt on your front door. Your password is the regular lock — a determined thief can pick it. 2FA is the deadbolt that makes the door massively harder to breach.
Types of 2FA (From Weakest to Strongest)
SMS codes (weakest): A text message with a 6-digit code. Better than nothing, but vulnerable to SIM-swapping attacks where scammers convince your phone carrier to transfer your number to their device.
Authenticator apps (strong): Apps like Google Authenticator, Authy, or Microsoft Authenticator generate time-based codes that change every 30 seconds. These codes exist only on your device and can't be intercepted through SIM swapping.
Hardware security keys (strongest): Physical devices like YubiKey or Google Titan that plug into your computer or tap against your phone. They use cryptographic verification that's immune to phishing — the key confirms you're on the real website, not a fake one.
Think it might be a scam?
Paste it here for a free, instant verdict.
Free · No signup required · Cmd+Enter to scan
For most people, an authenticator app provides the best balance of security and convenience. Use hardware keys for your highest-value accounts (email, banking, cryptocurrency).
Setting Up Your Authenticator App
Step 1: Download an authenticator app. Recommended options:
- Authy — Encrypted cloud backup (you won't lose codes if your phone is lost)
- Google Authenticator — Simple, now supports cloud backup
- Microsoft Authenticator — Good integration with Microsoft accounts
- Ente Auth — Open source, encrypted backups
Step 2: When setting up 2FA on any account (instructions below), you'll be shown a QR code. Open your authenticator app, tap the "+" button, and scan the QR code. The app immediately starts generating 6-digit codes for that account.
Step 3: Save the backup codes. Every service provides one-time-use backup codes when you enable 2FA. Store these in your password manager or a secure physical location. If you lose your phone, these codes are your only way back in.
Account-by-Account Setup Instructions
Google/Gmail: myaccount.google.com → Security → 2-Step Verification → Get Started. Choose "Authenticator app" and scan the QR code.
Apple ID: Settings → [your name] → Sign-In & Security → Two-Factor Authentication. Apple uses its own system through trusted devices.
Facebook: Settings → Security and Login → Two-Factor Authentication → Edit → Choose "Authentication App."
Instagram: Settings → Security → Two-Factor Authentication → Authentication App.
Twitter/X: Settings → Security and Account Access → Security → Two-Factor Authentication → Authentication App.
Amazon: Account Settings → Login & Security → Two-Step Verification → Edit → Authenticator App.
Banking: Most banks offer 2FA through their mobile app or website under Security Settings. Call your bank's support line if you can't find it — they'll walk you through the process.
Microsoft/Outlook: account.microsoft.com → Security → Advanced Security Options → Two-Step Verification.
IsThisAScam's 6-layer detection can identify phishing attempts designed to capture your 2FA codes — because yes, sophisticated phishing can intercept one-time codes in real time. Hardware security keys remain the only 2FA method immune to this attack.
What to Do About Accounts That Don't Support 2FA
If a service doesn't offer 2FA, you can still protect yourself:
- Use a unique, strong password generated by your password manager
- Monitor the account for unauthorized activity
- Consider whether you really need the account — reducing your attack surface helps
- Check if the service supports passkeys (a newer, passwordless authentication method)
Common 2FA Mistakes to Avoid
- Using only SMS 2FA on high-value accounts: Use authenticator apps or hardware keys for email, banking, and crypto
- Not saving backup codes: If you lose your phone without backup codes, you may be permanently locked out
- Approving 2FA prompts you didn't initiate: If you receive a random 2FA code or push notification and you're not logging in, someone has your password. Don't approve it — change your password immediately
- Sharing 2FA codes with "support": No legitimate company will ever call you and ask for a 2FA code
The 15-Minute 2FA Sprint
Set a timer and enable 2FA on your most important accounts right now:
- Primary email (3 minutes)
- Banking app (3 minutes)
- Social media — Facebook, Instagram, X (3 minutes each)
- Amazon and primary shopping accounts (3 minutes)
That's 15 minutes to dramatically reduce your risk of account compromise. For more security improvements, see our guides on creating strong passwords and securing your email.
Received something suspicious? Check it now for free →