Why Two-Factor Authentication (2FA) Is Non-Negotiable
Passwords alone are no longer sufficient to protect your online accounts. Data breaches expose billions of credentials every year, and if your password is reused across sites — which is extremely common — a single breach can cascade into a full account takeover. Two-factor authentication (2FA) adds a second verification step, meaning stolen passwords alone aren't enough to get in.
How 2FA Works
After entering your password, you're asked to confirm your identity via a second method. The most common types include:
- Authenticator App (TOTP): A time-limited 6-digit code generated by an app like Google Authenticator, Authy, or Microsoft Authenticator. This is the most secure commonly available method.
- SMS Code: A one-time code sent to your phone via text message. Convenient but vulnerable to SIM-swapping attacks.
- Hardware Security Key: A physical USB or NFC device (e.g., YubiKey) that you plug in or tap. The most secure option, ideal for high-value accounts.
- Email Code: A code sent to your email. Only as secure as your email account itself.
Step-by-Step: Enabling 2FA on Key Accounts
Google / Gmail
- Go to myaccount.google.com
- Click Security in the left sidebar
- Under "How you sign in to Google," click 2-Step Verification
- Click Get Started and follow the prompts
- Choose your preferred method — we recommend an authenticator app or a Google Prompt on your phone
- Save your backup codes in a secure location
Microsoft / Outlook
- Go to account.microsoft.com/security
- Click Advanced security options
- Under "Two-step verification," click Turn on
- Follow the setup wizard — the Microsoft Authenticator app is recommended
Facebook / Instagram (Meta)
- Go to Settings & Privacy → Settings → Security and Login
- Find "Two-Factor Authentication" and click Edit
- Select an authentication method and complete the setup
- Download your recovery codes from the same menu
Apple ID
- On iPhone: Go to Settings → [Your Name] → Password & Security
- Tap Turn On Two-Factor Authentication
- On Mac: Go to System Settings → Apple ID → Password & Security
- Apple uses trusted devices and phone numbers for verification codes
Which Authenticator App Should You Use?
| App | Platform | Key Advantage |
|---|---|---|
| Authy | iOS, Android, Desktop | Encrypted cloud backup of tokens |
| Google Authenticator | iOS, Android | Simple, widely supported |
| Microsoft Authenticator | iOS, Android | Best for Microsoft accounts; push notifications |
| Aegis (Android only) | Android | Open source, local encrypted backup |
Important: Save Your Backup Codes
Every service that supports 2FA will offer backup recovery codes during setup. These are single-use codes that let you access your account if you lose your phone. Print them or save them in an encrypted file. Losing both your phone and backup codes means losing access to your account — potentially permanently.
Prioritise These Accounts First
- Your primary email account (it's the key to resetting everything else)
- Your bank and financial accounts
- Your Apple ID or Google account
- Any account storing sensitive documents or payment information
- Your password manager
Even enabling 2FA on just your email and financial accounts provides a massive improvement in your overall security posture. Start there, then work through the rest systematically.