Two-factor authentication — what it is and why you need it
Two-factor authentication is the single most effective step you can take to protect your online accounts. Here is what it is and how to set it up.
Passwords are, if you’re being honest about it, not really protecting you any more. Most people use the same one or two passwords across dozens of accounts, and the big platforms all know it. Data breaches happen constantly. The list of stolen usernames and passwords floating around the internet is staggeringly long, and when a hacker gets hold of your email address and a password from an old breach, the first thing they do is try it on your bank, your email, your Amazon account. It works more often than it should.
Two-factor authentication, usually shortened to 2FA, is the single most effective thing you can do to stop that happening. It is not complicated. It does not require any technical knowledge. It takes about five minutes to set up on most accounts. And yet most people still have not done it.
The idea is simple. When you log in to an account, you normally just need one thing: your password. Two-factor authentication means you need two things. The first is still your password. The second is a temporary code, usually six digits, that only you have access to. Even if someone else has your password, they cannot get in without that second code.

There are a few ways that second code gets to you. The most common is via a text message to your phone. When you log in, the site sends a code to your mobile number, and you type it in. This is the most basic form of 2FA and it is still significantly better than nothing, although it does have a known weakness: a determined attacker can sometimes intercept SMS messages or port your phone number to a new SIM. For most people in most situations, SMS 2FA is perfectly adequate. For high-value accounts or anyone who might be a target, there is a better option.
Authenticator apps are the more secure alternative. Google Authenticator, Microsoft Authenticator, and Authy are the three most commonly used. You install one of these apps on your phone, then when you set up 2FA on a website, you scan a QR code that links your account to the app. After that, the app generates a fresh six-digit code every thirty seconds. When you log in, you open the app, read the code, and type it in. Nothing is sent over SMS. The code cannot be intercepted in transit. It is generated locally on your phone using a shared secret that was established when you scanned the QR code.
Authy has one practical advantage over Google Authenticator that is worth knowing about: it backs up your codes to the cloud, which means if you lose or replace your phone, you can restore all your 2FA codes on the new device. Google Authenticator added a similar backup feature in 2023, but Authy has been doing it longer and many people find it more reliable. Microsoft Authenticator also backs up codes automatically if you are signed in to a Microsoft account. Whichever you choose, the core experience is the same: open the app, get the code, type it in.
The accounts most worth protecting with 2FA are, in order of importance: your email account, your bank or payment accounts, your password manager if you use one, and your Apple ID or Google account. Email is the critical one. Almost every other password reset in the world flows through your email inbox. If someone gains access to your email, they can reset the password on virtually every other account you own. Securing your email with 2FA is the single most important thing you can do.
Setting it up is straightforward. Go to the security settings of the account you want to protect. Look for something called two-factor authentication, two-step verification, or multi-factor authentication. They all mean roughly the same thing. Follow the prompts. If you are using an authenticator app, you will be shown a QR code to scan. Open your app, tap the plus button to add a new account, and scan the code. The account appears in your app immediately and starts generating codes.
One important practical point: most services give you a set of backup codes when you first enable 2FA. These are single-use codes that work if you ever lose access to your phone and cannot generate your normal 2FA code. Write them down and keep them somewhere safe, such as printed and stored with your important documents, or saved in a password manager. Do not save them in your email inbox or in a notes app on the same device you use for 2FA, because if that device is compromised, both layers of protection disappear at once.
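The "single-use" property of backup codes is what makes them safe to write down: once a code has been used it is worthless. As an added example (not from the article or any named service), here is how a service would generate a set of backup codes, store only hashes of them so a database leak does not expose usable codes, and consume each one exactly once. The code count and format are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

# Assumed format: 8 codes of 10 hex characters, shown as "xxxxx-xxxxx".
CODE_COUNT = 8
CODE_BYTES = 5


def hash_code(code: str) -> str:
    """Store a digest, never the code itself; normalise so 'ABCDE-12345'
    and 'abcde12345' are the same code."""
    normalised = code.replace("-", "").lower()
    return hashlib.sha256(normalised.encode()).hexdigest()


def generate_backup_codes(count: int = CODE_COUNT) -> tuple[list[str], list[str]]:
    """Return (plaintext codes to show the user once, hashes to store)."""
    plaintext = []
    for _ in range(count):
        raw = secrets.token_hex(CODE_BYTES)          # CSPRNG, 40 bits of entropy
        plaintext.append(f"{raw[:5]}-{raw[5:]}")
    return plaintext, [hash_code(c) for c in plaintext]


def redeem_backup_code(submitted: str, stored_hashes: list[str]) -> bool:
    """Accept a code if its hash matches an unused entry, then remove that
    entry so the same code can never be accepted again."""
    candidate = hash_code(submitted)
    for idx, stored in enumerate(stored_hashes):
        if hmac.compare_digest(stored, candidate):
            del stored_hashes[idx]
            return True
    return False


if __name__ == "__main__":
    codes, vault = generate_backup_codes()
    print("Write these down:", *codes, sep="\n  ")
    first = codes[0]
    print("first use:", redeem_backup_code(first, vault))    # True
    print("second use:", redeem_backup_code(first, vault))   # False, already spent
    print("remaining:", len(vault))
```

Hashing the codes matters for the same reason the article warns against keeping them in your inbox: the stored copy should be useless to anyone who obtains it. The service prints the plaintext once at generation time and never again.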
Hardware security keys are the most secure option of all, though they are overkill for most people. A YubiKey, for example, is a small USB stick you plug in when logging in. You tap it to confirm your identity. It cannot be phished, because it communicates directly with the site you are logging in to and will not authenticate with a fake lookalike site. If you have accounts containing genuinely sensitive information or significant money, a hardware key is worth considering. For everyday use, an authenticator app is the right balance of security and convenience.
The honest answer to why people do not use 2FA is that it feels like friction. You have to get your phone out every time you log in. In practice, most services remember your device once you have authenticated on it, so you only go through the full 2FA process on a new device or after a long gap. The inconvenience turns out to be minimal. The protection it gives you is substantial. If your email password was leaked in a breach you do not even know about yet, 2FA is the thing standing between that and someone reading your messages, resetting your bank password, or accessing your cloud storage. It takes five minutes. Do it this week.