What Is Two-Factor Authentication?
Two-factor authentication (2FA) adds a second verification step when you log in to an account. Instead of relying solely on your password (something you know), 2FA requires a second factor from a different category: something you have (like your phone or a hardware key) or something you are (like a fingerprint). Even if an attacker steals your password, they cannot access your account without the second factor.
Think of it like a bank vault that requires both a key and a combination. Having one without the other is useless. 2FA works the same way -- your password is the combination, and your second factor is the key. An attacker who obtains your password through a data breach, phishing, or guessing is still locked out.
With billions of passwords exposed in data breaches, a password alone is no longer sufficient protection for any account that matters to you. 2FA is one of the most effective single defenses against account takeover, because most takeovers begin with a password that was leaked, phished or guessed. If a service offers it and you are not using it, you are leaving the door unlocked.
Types of Two-Factor Authentication
Not all 2FA methods are created equal. They range from basic (better than nothing) to highly secure (resistant to sophisticated attacks). Understanding the differences helps you choose the best option available for each account.
SMS Codes
The service sends a one-time code to your phone number via text message. This is the most common form of 2FA and the weakest. SMS messages can be intercepted through SIM swapping, where an attacker convinces your carrier to move your number to their SIM, and through weaknesses in the SS7 signalling network that carriers use to route messages. The code can also simply be phished: a fake login page that asks you for it and relays it to the real site before it expires gets in. Despite these weaknesses, SMS 2FA is still significantly better than no 2FA at all.
TOTP (Authenticator Apps)
Time-based One-Time Password (TOTP, RFC 6238) generates a six-digit code that changes every 30 seconds. The code is computed locally on your device from a shared secret that was exchanged when you set up 2FA, so nothing is sent to your phone and there is nothing to intercept in transit as there is with SMS. It is not phishing-proof, though: a fake login page that asks for the current code and forwards it to the real site within the 30-second window still gets in. Only hardware keys close that gap. TOTP is the recommended method for most people.
How TOTP works:
1. Setup: The service gives you a secret key (usually as a QR code, with an option to show it as text)
Secret: JBSWY3DPEHPK3PXP (base32)
2. Your authenticator app combines:
Secret key + time-step counter (current Unix time ÷ 30, rounded down)
↓
HMAC-SHA1
↓
Truncate to 31 bits, keep the last 6 decimal digits: 482903
3. The server, which holds the same secret, performs the same calculation independently.
If the codes match, access is granted. Most servers also accept the code for the step immediately before or after, so a clock that is a few seconds off does not lock you out.
4. After 30 seconds the counter advances and both sides produce a new code automatically.
Hardware Security Keys
Physical USB or NFC devices (such as YubiKey or SoloKeys) that perform cryptographic authentication. You plug the key in or tap it when prompted during login. Hardware keys are the strongest form of 2FA because they are phishing-resistant: the browser binds each credential to the website's domain, so a look-alike site cannot obtain a response that works on the real one, and there is no code for you to type into the wrong place. The private key never leaves the device, so a remote attacker cannot copy it and would need the key in hand. They protect the login itself; malware already running on your computer can still abuse a session after you have signed in.
Push Notifications
Some services send a push notification to their mobile app asking you to approve or deny the login attempt. This is convenient but can be vulnerable to "MFA fatigue" attacks, where an attacker repeatedly triggers login attempts hoping you will eventually tap "Approve" just to make the notifications stop. Services that show a number to match (like Microsoft Authenticator) are more resistant to this technique.
If you receive an unexpected push notification or 2FA request, someone is trying to log in to your account. Do not approve it. Instead, immediately change your password for that account. The unexpected prompt means your password is already compromised.
Setting Up an Authenticator App
An authenticator app is the best balance of security and convenience for most people. Here is how to set one up from scratch.
Choosing an App
- Aegis Authenticator (Android) -- Free, open-source, supports encrypted backups. The recommended choice for Android users.
- Raivo OTP (iOS) -- Originally free and open-source, with iCloud sync. The app changed ownership in 2023, so check its current status and the state of your exported backups before relying on it.
- KeePassXC (Desktop) -- Your password manager can also store TOTP secrets, keeping everything in one encrypted vault.
- Google Authenticator -- Widely known. Newer versions can transfer accounts between phones by QR code and optionally sync them to your Google account, but that sync places your second factors inside the very account many of them are meant to protect. Acceptable if no better option is available.
Adding an Account to Your Authenticator
- Step 1: Go to the security settings of the account you want to protect (e.g., your Google Account, GitHub, or any service that supports 2FA)
- Step 2: Find the two-factor authentication or two-step verification option and select "Authenticator app" as the method
- Step 3: The service will display a QR code. Open your authenticator app and scan it
- Step 4: The app will start generating 6-digit codes. Enter the current code on the website to confirm setup
- Step 5: The service will provide backup codes. Save these immediately (covered in the next section)
When a service shows you the QR code, there is usually an option to view the secret key as text (a string like JBSWY3DPEHPK3PXP). Save this text in your password manager alongside the account password. If you lose your phone, you can re-add the account to a new authenticator app from this secret without going through the service's recovery process. Be aware of the trade-off: the secret is the second factor, so anyone who opens that vault entry has both factors, which makes the vault's master password and its own 2FA the thing everything hinges on.
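What the QR code actually encodes is a Key URI of the form otpauth://totp/Issuer:account?secret=...; the "view as text" option is showing you its secret parameter. The following is an added example, not part of the original guide: it parses such a URI, applies the format's defaults (SHA-1, six digits, 30 seconds) and flags enrollments worth a second look. The URI, the issuer "Example Service" and the account alice@example.com are constructed for illustration; the 128-bit minimum secret length comes from RFC 4226.

```go
package main

import (
	"encoding/base32"
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"strings"
)

// Enrollment is what an authenticator app keeps after scanning the QR code.
// Only Secret is secret; the rest are labels and the parameters for computing codes.
type Enrollment struct {
	Issuer, Account string
	Secret          string // base32 as shown by the service, normalised to upper case without padding
	Algorithm       string // SHA1 (default), SHA256 or SHA512
	Digits, Period  int    // defaults 6 and 30 seconds
	SecretBits      int    // size of the decoded secret
}

// parseOTPAuth parses a Key URI such as
// otpauth://totp/Issuer:account?secret=BASE32&issuer=Issuer&algorithm=SHA1&digits=6&period=30
// applying the format's defaults and rejecting anything an app could not use.
func parseOTPAuth(raw string) (Enrollment, error) {
	e := Enrollment{Algorithm: "SHA1", Digits: 6, Period: 30}
	u, err := url.Parse(raw)
	if err != nil {
		return e, err
	}
	if u.Scheme != "otpauth" || u.Host != "totp" {
		return e, fmt.Errorf("expected otpauth://totp/, got %s://%s/", u.Scheme, u.Host)
	}
	q := u.Query()

	// The label is "Issuer:account" or just "account"; url.Parse has already percent-decoded it.
	label := strings.TrimPrefix(u.Path, "/")
	if i := strings.Index(label, ":"); i >= 0 {
		e.Issuer, e.Account = label[:i], label[i+1:]
	} else {
		e.Account = label
	}
	if iss := q.Get("issuer"); iss != "" {
		if e.Issuer != "" && e.Issuer != iss {
			return e, fmt.Errorf("issuer mismatch: label %q vs parameter %q", e.Issuer, iss)
		}
		e.Issuer = iss
	}

	// The secret must be real base32, or the app will produce codes that never match.
	e.Secret = strings.ToUpper(strings.TrimRight(strings.ReplaceAll(q.Get("secret"), " ", ""), "="))
	if e.Secret == "" {
		return e, errors.New("secret parameter missing")
	}
	key, err := base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(e.Secret)
	if err != nil {
		return e, fmt.Errorf("secret is not valid base32: %w", err)
	}
	e.SecretBits = 8 * len(key)

	if a := strings.ToUpper(q.Get("algorithm")); a != "" {
		if a != "SHA1" && a != "SHA256" && a != "SHA512" {
			return e, fmt.Errorf("unsupported algorithm %q", a)
		}
		e.Algorithm = a
	}
	if d := q.Get("digits"); d != "" {
		n, err := strconv.Atoi(d)
		if err != nil || (n != 6 && n != 8) {
			return e, fmt.Errorf("unsupported digits %q", d)
		}
		e.Digits = n
	}
	if p := q.Get("period"); p != "" {
		n, err := strconv.Atoi(p)
		if err != nil || n <= 0 {
			return e, fmt.Errorf("invalid period %q", p)
		}
		e.Period = n
	}
	return e, nil
}

// Warnings lists what to look at before trusting an enrollment. RFC 4226 requires a
// shared secret of at least 128 bits and recommends 160.
func (e Enrollment) Warnings() []string {
	var w []string
	if e.SecretBits < 128 {
		w = append(w, fmt.Sprintf("secret is only %d bits; RFC 4226 requires at least 128 (160 recommended)", e.SecretBits))
	}
	if e.Period > 60 {
		w = append(w, fmt.Sprintf("period of %ds gives a captured code a long life", e.Period))
	}
	return w
}

func main() {
	// Constructed example of a QR payload; not taken from any real service.
	raw := "otpauth://totp/Example%20Service:alice%40example.com?secret=JBSWY3DPEHPK3PXP&issuer=Example%20Service"
	e, err := parseOTPAuth(raw)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s / %s: %d-digit %s codes every %ds, secret %s (%d bits)\n",
		e.Issuer, e.Account, e.Digits, e.Algorithm, e.Period, e.Secret, e.SecretBits)
	for _, w := range e.Warnings() {
		fmt.Println("warning:", w)
	}
}
```

Run on the guide's sample secret it reports 80 bits, which is fine for an illustration but below what a real service should hand out: at least 16 bytes (26 base32 characters), and commonly 20 or 32. The normalised Secret field is exactly the string worth saving in your password manager; with it, plus the digits and period, any authenticator app can reproduce the codes.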
Enabling 2FA on Popular Services
Most major online services now support 2FA. Here is where to find the setting on commonly used platforms. The exact menu names may change over time, but the general location remains the same.
Service Where to find 2FA settings
--------- ----------------------------
Google Security → 2-Step Verification
Microsoft Security → Advanced security options → Two-step verification
Apple Settings → [Your Name] → Sign-In & Security → Two-Factor Authentication
GitHub Settings → Password and authentication → Two-factor authentication
Facebook Settings → Security and Login → Two-Factor Authentication
Instagram Settings → Security → Two-Factor Authentication
Twitter/X Settings → Security and account access → Security → Two-factor authentication
Amazon Account → Login & security → Two-Step Verification
Discord User Settings → My Account → Enable Two-Factor Auth
Reddit User Settings → Safety & Privacy → Two-factor authentication
Start with your email account -- it is the master key to everything else because password reset links go there. Then secure your financial accounts, cloud storage, social media, and any service where a compromise would cause significant damage. Work outward from the most critical to the least critical.
Backup Codes and Recovery
When you enable 2FA, most services generate a set of one-time backup codes. These are your emergency access method if you lose your phone, your authenticator app, or your hardware key. Without backup codes, losing your second factor can permanently lock you out of your own account.
How to Store Backup Codes
- In your password manager -- Store them as a note attached to the account entry. This is the most practical option for most people.
- Printed on paper -- Print them and store the paper in a safe, a locked drawer, or a safety deposit box. Not on a sticky note next to your computer.
- In an encrypted file -- If you use encrypted storage (like a LUKS volume or VeraCrypt container), you can store a text file with all your backup codes there.
- Never in plain text on your computer -- A text file on your desktop called "backup codes.txt" defeats the purpose of 2FA entirely.
Each backup code can only be used once. After you use one, cross it off your list or delete it from your records. When you are running low on unused codes, generate a new set from the service's security settings. Some services only provide 8-10 codes, so using them carelessly can leave you with no recovery option.
Hardware Security Keys
Hardware security keys are the gold standard of 2FA. They are small USB or NFC devices that prove possession of a private key that never leaves the hardware. Unlike TOTP codes, which a fake site can collect and relay, their responses are bound to the website's domain, so a phishing site cannot obtain one that the real site will accept.
How They Work
When you register a security key with a service, the key creates a unique key pair for that specific website and gives the service only the public key. During login the website sends a random challenge; the browser packages it with the origin it is actually on and asks the key for the credential belonging to that site's domain; the key signs the challenge, origin and domain hash with the private key, and the website verifies the signature and checks that the signed origin is its own. A phishing site at "g00gle.com" therefore fails twice over: the key has no credential for that domain, and even a response relayed in real time would be signed for the wrong site and rejected by "google.com".
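The registration and login exchange described above (and summarised in the earlier Hardware Security Keys section) as runnable code. This is an added, deliberately simplified model, not the guide's own material or any vendor's implementation: the authenticator data is cut down to the hash of the relying party ID, Ed25519 stands in for the key's signature algorithm (WebAuthn permits EdDSA; most hardware keys use ECDSA P-256), and there is no attestation, credential ID, user-presence flag or signature counter. The domains example.com and examp1e.com and the user alice are constructed names.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Authenticator models the security key: one key pair per site (relying party ID),
// created at registration. Private keys never leave this map.
type Authenticator map[string]ed25519.PrivateKey

// Register mints a credential scoped to rpID and hands back only the public key.
func (a Authenticator) Register(rpID string) (ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	a[rpID] = priv
	return pub, nil
}

// clientData is assembled by the browser, not the page: the server's challenge plus the
// origin the browser is really on. Assertion is the reply; AuthData is cut down to sha256(rpID).
type clientData struct {
	Challenge []byte `json:"challenge"`
	Origin    string `json:"origin"`
}
type Assertion struct{ ClientDataJSON, AuthData, Signature []byte }

// Sign is the browser-plus-key side. The browser derives rpID from the page origin,
// so a look-alike domain asks for a credential the key never created.
func (a Authenticator) Sign(origin, rpID string, challenge []byte) (*Assertion, error) {
	priv, ok := a[rpID]
	if !ok {
		return nil, fmt.Errorf("no credential registered for %q", rpID)
	}
	cd, _ := json.Marshal(clientData{Challenge: challenge, Origin: origin})
	rpHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(cd)
	signed := append(rpHash[:], cdHash[:]...) // the key signs rpIdHash || sha256(clientDataJSON)
	return &Assertion{ClientDataJSON: cd, AuthData: rpHash[:], Signature: ed25519.Sign(priv, signed)}, nil
}

// RelyingParty is the server: a public key per user, one fresh random challenge per login
// (single-use, so a captured assertion cannot be replayed), every binding checked on return.
type RelyingParty struct {
	id, origin string
	pubKeys    map[string]ed25519.PublicKey
	pending    map[string][]byte
}

func (rp *RelyingParty) Challenge(user string) []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	rp.pending[user] = c
	return c
}

func (rp *RelyingParty) Verify(user string, as *Assertion) error {
	pub, known := rp.pubKeys[user]
	want, issued := rp.pending[user]
	delete(rp.pending, user)
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil || !known {
		return errors.New("unknown user or malformed client data")
	}
	if !issued || !bytes.Equal(cd.Challenge, want) {
		return errors.New("challenge mismatch or replay")
	}
	if cd.Origin != rp.origin {
		return fmt.Errorf("origin %q is not %q: assertion was made for another site", cd.Origin, rp.origin)
	}
	rpHash, cdHash := sha256.Sum256([]byte(rp.id)), sha256.Sum256(as.ClientDataJSON)
	if !bytes.Equal(as.AuthData, rpHash[:]) {
		return errors.New("rpIdHash mismatch: signed for a different site")
	}
	if !ed25519.Verify(pub, append(append([]byte{}, as.AuthData...), cdHash[:]...), as.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	// example.com, the look-alike examp1e.com and the user alice are constructed names.
	key, rp := Authenticator{}, &RelyingParty{id: "example.com", origin: "https://example.com",
		pubKeys: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
	rp.pubKeys["alice"], _ = key.Register("example.com")
	as, _ := key.Sign("https://example.com", "example.com", rp.Challenge("alice"))
	fmt.Println("real site: ", rp.Verify("alice", as))
	_, err := key.Sign("https://examp1e.com", "examp1e.com", rp.Challenge("alice"))
	fmt.Println("look-alike:", err)
}
```

Two things to observe. The look-alike domain fails before any cryptography happens: the browser asks the key for a credential scoped to examp1e.com, which was never registered, so the key has nothing to sign with. And even an attacker who does get a genuine assertion (say the victim also had an account on the look-alike) and relays it in real time fails inside Verify, because the origin and the rpIdHash the key signed name the wrong site. That relay attack is exactly the one a TOTP code cannot survive.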
Recommended Hardware Keys
- YubiKey 5 Series -- Supports USB-A, USB-C, NFC, and Lightning. Widely compatible with FIDO2, U2F, TOTP, and more. The most popular and well-supported option.
- SoloKeys -- Open-source hardware and firmware. Supports FIDO2 and U2F. Good for users who prefer open-source solutions.
- Google Titan -- USB-A and USB-C models, both with NFC (the earlier Bluetooth model has been discontinued). Built by Google and well integrated with Google accounts.
Best Practices for Hardware Keys
- Register two keys per account -- Keep one on your keychain for daily use and one in a safe as backup. If you lose one, you can still log in with the other.
- Always set up a backup method -- Even with hardware keys, configure backup codes or an authenticator app as a fallback.
- Test both keys after registration to make sure each one works independently.
Common 2FA Mistakes
Enabling 2FA is an important step, but the way you manage it matters. These common mistakes can undermine your protection or lock you out of your own accounts.
- Not saving backup codes -- The most common mistake. People enable 2FA, skip the backup codes, and then lose their phone. Result: permanent account lockout.
- Using only SMS 2FA when better options exist -- If a service offers TOTP or hardware keys, use those instead. SMS should be your last resort, not your first choice.
- Storing TOTP secrets on the same device as your password manager -- If both your passwords and TOTP codes are on a phone that gets stolen, the attacker has both factors. Consider keeping them on separate devices or using a hardware key.
- Using the same phone number for 2FA on every account -- A single SIM swap attack compromises all of them. Diversify your 2FA methods where possible.
- Approving MFA prompts without thinking -- If you receive a push notification you did not expect, it means someone has your password. Deny the request and change your password immediately.
- Not updating 2FA when switching phones -- Before wiping or selling your old phone, transfer all authenticator accounts to the new device. Some apps support encrypted export/import; others require you to re-scan QR codes.
Before switching phones: (1) Export your authenticator app data if it supports encrypted backup. (2) Verify you have backup codes for every account. (3) Set up the authenticator on the new phone and verify each account works. (4) Only then wipe the old phone. Skipping this process is one of the most common ways people lock themselves out of accounts.
Summary
Two-factor authentication is your strongest defense against account takeover. It transforms a stolen password from a total compromise into a minor inconvenience -- the attacker has one piece of the puzzle but cannot get in.
- 2FA adds a second verification step that prevents access even if your password is stolen
- TOTP authenticator apps are the recommended method for most people -- they are secure, free, and work offline
- Hardware security keys are the strongest option and are immune to phishing attacks
- SMS codes are better than nothing but should be replaced with TOTP or hardware keys when possible
- Always save backup codes in your password manager or a secure physical location
- Enable 2FA on your email first, then financial accounts, then everything else
- Never approve unexpected 2FA prompts -- they indicate your password is already compromised
Start with your email and work outward. Each account you secure with 2FA dramatically reduces your risk. It takes only a few minutes per account, and the protection it provides is worth far more than the minor inconvenience of entering a code at login.