How to Set Up Two-Factor Authentication

Two-factor authentication is the single highest-impact step you can take to protect your accounts. Here is how to turn it on properly — and which method to choose.

Passwords alone are no longer enough. Billions of stolen credentials circulate online, and if you reuse a password anywhere, a breach on one site can unlock many others. Two-factor authentication (2FA) fixes the biggest weakness by requiring a second proof of identity — something you have, like your phone or a security key — on top of your password. Even if an attacker steals your password, they cannot get in without that second factor. The U.S. cybersecurity agency CISA calls multi-factor authentication one of the most effective defenses an individual can adopt, and it takes only minutes per account. This guide shows you how to enable it well, pick the strongest method, and avoid the mistakes that lock people out.

Key takeaways

  • 2FA blocks most account takeovers even when your password is stolen.
  • Authenticator apps and passkeys beat SMS — text codes can be intercepted via SIM swapping.
  • Passkeys are the new gold standard: phishing-resistant and built on the same cryptography as security keys.
  • Always save your recovery codes somewhere safe, or you risk locking yourself out.

What two-factor authentication is

Authentication factors fall into three buckets: something you know (a password or PIN), something you have (your phone, an authenticator app, a hardware key), and something you are (a fingerprint or face). Two-factor authentication simply means you must present two different types. A password plus a one-time code from an app is the classic example. Because an attacker on the other side of the world has your password but not your physical phone, the second factor stops the vast majority of remote attacks. NIST's digital identity guidelines treat this layered approach as a baseline for protecting accounts that matter.

SMS vs authenticator apps vs passkeys

Not all second factors are equal. Here is how the common options compare.

Method                     Security                                   Best for
SMS text code              Basic — vulnerable to SIM swapping         Better than nothing; use only if no other option
Authenticator app (TOTP)   Strong — codes generated on your device    Most accounts; works offline
Passkey / security key     Strongest — phishing-resistant             Email, banking, and any critical account

SMS is the weakest because criminals can hijack your phone number through SIM swapping and intercept the texts. Authenticator apps generate time-based codes locally, from a secret that is shared only once at enrollment, so no code is ever sent to your phone and there is nothing for a SIM-swapper to intercept. Passkeys go further still: they use public-key cryptography tied to your device, cannot be phished, and are increasingly supported by major platforms. If you want the deeper background, see our 2FA Explained article and our piece on what a 2FA authenticator app is.

SMS is still worth it if it is your only choice. Any 2FA dramatically beats none. If an account offers only text-message codes, enable them — but switch to an authenticator app or passkey the moment the account supports it.

Turning 2FA on, step by step

The flow is similar everywhere. Sign in and open the account's Security or Sign-in settings, then look for Two-factor authentication, Two-step verification, or Passkeys. To set up an authenticator app, choose Authenticator app, then scan the on-screen QR code with an app like Google Authenticator, Microsoft Authenticator, or a password manager that supports codes. The app immediately starts showing a rotating six-digit code; type the current one back into the site to confirm the link. To set up a passkey, choose Add a passkey and follow the prompt to confirm with your device's fingerprint, face, or PIN — there is no code to copy. Google, Apple, and Microsoft all document these flows in their support centers, and the steps rarely take more than two minutes per account.
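The comparison table and the enrollment steps above both rest on the same mechanism: the QR code carries a shared secret, and from then on the app and the service each compute the six-digit code from that secret plus the current time, with no code ever crossing the network. The following is an added illustration written for this guide, not code from any authenticator app or vendor. It builds the kind of otpauth:// URI an enrollment QR code encodes, derives the code exactly as RFC 4226/6238 specify, and shows the server-side check that tolerates a little clock drift. The secret value is a constructed demo string, and the function names are this example's own.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote

# Constructed demo secret (base32 of 10 bytes). Not a real credential; a real
# service generates a fresh random secret for each enrollment.
DEMO_SECRET_B32 = "JBSWY3DPEHPK3PXP"


def provisioning_uri(secret_b32, account, issuer, digits=6, period=30):
    """Build the otpauth:// URI that the enrollment QR code encodes.

    Scanning this is the only moment the secret leaves the service; afterwards
    the app needs nothing but the secret and a clock.
    """
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}"
            f"&issuer={quote(issuer)}&algorithm=SHA1&digits={digits}&period={period}")


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte big-endian counter, then
    dynamic truncation to a `digits`-digit decimal string."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret_b32, at_time, digits=6, period=30):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period).

    This is why the code 'rotates' every 30 seconds and why it works offline:
    the input is just the secret and the wall clock.
    """
    return hotp(secret_b32, int(at_time) // period, digits)


def verify_totp(secret_b32, submitted, at_time, window=1, period=30):
    """Service-side check. Accept the current 30-second step plus `window`
    steps on either side so a slightly skewed phone clock still works.
    Uses a constant-time comparison so timing does not leak digits."""
    step = int(at_time) // period
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret_b32, step + delta), submitted):
            return True
    return False


if __name__ == "__main__":
    import time
    print(provisioning_uri(DEMO_SECRET_B32, "alice@example.com", "ExampleMail"))
    now = time.time()
    code = totp(DEMO_SECRET_B32, now)
    print("current code:", code, "accepted:", verify_totp(DEMO_SECRET_B32, code, now))
```

Running the script prints the provisioning URI, the code your authenticator app would display right now for that demo secret, and the result of the server's check. The RFC 6238 test vectors (secret "12345678901234567890", eight digits) reproduce exactly with `totp`, which is a quick way to confirm the arithmetic matches what real apps do. Note what the example does not protect against: a code typed into a look-alike site is still a valid code, which is exactly the gap passkeys close.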

Save your recovery codes

When you enable 2FA, most services offer a set of one-time backup recovery codes. These are your lifeline if you lose your phone or security key. Download or print them and store them somewhere genuinely safe — ideally inside your password manager's secure notes, or printed and kept with important documents. Do not screenshot them into an unsecured photo library. Many people get locked out of accounts not because of attackers but because they enabled 2FA and never saved a way back in. A good password manager can store both your passwords and these recovery codes together, encrypted.
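To make the "one-time" and "store them safely" advice concrete, here is an added sketch of how a well-built service handles recovery codes on its side; it is illustrative code written for this guide, not any particular provider's implementation. The service shows the plaintext codes to you exactly once, keeps only salted hashes (so a database leak does not hand out working codes), and burns each code on first use. Alphabet, code length and class names are this example's own choices.

```python
import hashlib
import hmac
import secrets

# Letters and digits with the look-alikes (0/O, 1/l/I) removed, so a printed
# code can be typed back in without ambiguity.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def generate_recovery_codes(count=10, length=10):
    """Create `count` random codes. This is the only time the service has
    the plaintext; the user must save them now (password manager, printout)."""
    return ["".join(secrets.choice(ALPHABET) for _ in range(length))
            for _ in range(count)]


def hash_code(code, salt):
    """Normalise user input (case, dashes, spaces) and return a slow salted
    hash, treating the code like a password rather than a lookup key."""
    normalized = code.replace("-", "").replace(" ", "").lower()
    return hashlib.pbkdf2_hmac("sha256", normalized.encode(), salt, 100_000).hex()


class RecoveryCodeStore:
    """What the service persists per account: a salt and the hashes of the
    codes that have not been used yet. Never the codes themselves."""

    def __init__(self, codes):
        self.salt = secrets.token_bytes(16)
        self.unused = {hash_code(c, self.salt) for c in codes}

    def redeem(self, submitted):
        """Sign-in fallback when the phone or key is lost. Returns True and
        invalidates the code on its first use; any later reuse fails."""
        candidate = hash_code(submitted, self.salt)
        for stored in self.unused:
            if hmac.compare_digest(stored, candidate):
                self.unused.remove(stored)
                return True
        return False

    def remaining(self):
        """How many codes are left; a service would warn when this runs low."""
        return len(self.unused)


if __name__ == "__main__":
    codes = generate_recovery_codes()
    print("Save these now, they will not be shown again:")
    for c in codes:
        print("  ", c[:5] + "-" + c[5:])
    store = RecoveryCodeStore(codes)
    print("first use:", store.redeem(codes[0]), "second use:", store.redeem(codes[0]))
```

The design mirrors the user-side advice in the text: because the service keeps only hashes, your saved copy is the one and only copy, which is why losing it means going through account recovery. Hashing with PBKDF2 rather than a plain SHA-256 makes brute-forcing a leaked table of hashes expensive even though the codes are shorter than a good password.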

Register a second factor too. Add a backup — a second passkey on another device, or a printed code set — so losing one device never locks you out. Redundancy is the difference between a minor inconvenience and a lost account.

Which accounts to protect first

Start with your email. Email is the master key: anyone who controls it can reset passwords on everything else through “forgot password” links. After email, secure your password manager, then financial accounts (banking, brokerage, payment apps), then your primary cloud and platform accounts (Apple, Google, Microsoft), and finally social media and shopping. Working in that order means the accounts that could unlock everything else are protected first.

Common mistakes to avoid

Three errors cause most 2FA pain. First, relying solely on SMS for high-value accounts — upgrade to an app or passkey. Second, never saving recovery codes, which leads to lockouts. Third, approving login prompts you did not initiate; if your phone buzzes with a sign-in approval you did not request, deny it and change your password, because someone has it. Combine careful 2FA with a strong, unique password on every account — generate them with a password generator — and you have closed the two biggest holes attackers exploit.

Frequently asked questions

Is an authenticator app safer than SMS codes?

Yes. SMS codes can be intercepted if a criminal hijacks your phone number through SIM swapping, a known and growing attack. An authenticator app generates codes locally on your device from a secret shared only at enrollment, so no code is ever sent to you over the network and there is nothing to intercept. Use an app or a passkey wherever possible and reserve SMS only for accounts that offer no better option.

What is a passkey and is it better than 2FA codes?

A passkey is a cryptographic credential stored on your device that signs you in with your fingerprint, face, or PIN instead of a password and code. It is phishing-resistant because the credential is bound to the genuine site's domain: there is no code for you to type, and a look-alike site cannot use it, making it the strongest mainstream option. Where a service offers passkeys, they are generally safer and more convenient than typing one-time codes.

What happens if I lose my phone with my authenticator app?

This is why backup recovery codes matter. If you saved them, you can use one to sign in and re-enroll a new device. Many authenticator apps also offer encrypted cloud backup, and registering a second factor on another device gives you redundancy. Without any backup, you may have to go through each service's account-recovery process, which can be slow.

Which account should I enable 2FA on first?

Your email account. It is the master key because most other services let you reset their passwords through a link sent to your email. If an attacker controls your inbox, they can take over almost everything else. Secure email first, then your password manager, then financial and platform accounts.

Sources & further reading

This guide is independently produced. We reference primary documentation from device makers and security authorities (NIST, CISA). Tudug is reader-supported and may earn from ads.
