You are one data breach away from your entire online life being turned upside down. The problem is our reliance on passwords, which are hopelessly fragile ways to secure valuable resources.
Don’t be lulled into a false sense of security by believing that creating a longer, more complex, harder-to-guess password will somehow make you safer online.
You can create a password that follows all the rules, one that’s so long and complex it takes you five minutes to type, and it will do nothing to protect you if the service where you use that password stores it improperly and then has its server breached. This happens all the time.
Even with reasonable policies to ensure that passwords are strong, randomly generated, and not reused, people are still the weakest link in the security chain. Social engineering can convince otherwise intelligent people to enter their credentials on a phishing site or give them up over the phone.
If the bad guys manage to steal the credentials for your bank account, what’s to stop them from signing in and taking all your money? The solution is two-factor authentication (2FA). Some services, being sticklers for detail, call it multi-factor authentication (MFA) or two-step verification. For this article, I’ve used the terms 2FA and MFA interchangeably.
Turning on 2FA for a service changes the security requirements, forcing you to provide at least two proofs of identity when accessing a secure service. Those two forms of authentication can come from any combination of at least two of the following elements:
- “Something you know,” such as a password or PIN
- “Something you are,” such as a fingerprint or other biometric ID
- “Something you have,” such as a trusted smartphone that can generate or receive confirmation codes, or a hardware-based security device
Setting up additional security for most online services requires minimal technical skills. If you can use your smartphone’s camera, type a six-digit number, and tap OK in a dialog box, you have all the skills required. Typically, the most difficult part of the task is finding the page with the relevant settings.
Here’s everything you need to know about how to enable 2FA to step up your security.
With 2FA enabled, someone who steals your password and tries to sign in from an unknown device isn’t given access right away. Instead, they need to supply a second form of identification, usually in the form of a numeric code from your smartphone. Because the person who stole your account credentials doesn’t have access to your smartphone, they’ll be stopped dead in their tracks. Without that code, they can’t unlock your account, and you’ll receive a notification that someone tried, unsuccessfully, to sign in from a remote location.
For the most part, the two-factor authentication systems you see today use the first item (your password) and the last item (your smartphone). Smartphones have become ubiquitous, making them convenient security devices.
Your smartphone can assist with authentication by providing a unique code that you use along with your password to sign in. You can acquire that code in one of two ways: sent as a text or email message from the service, or generated by an app installed on your phone. (Some services also allow you to approve a push notification on your smartphone.)
On services that support passkeys, you can save a passkey for the account on a trusted device. Signing in on that device and proving your identity with biometrics or a PIN then effectively supplies both authentication factors at once, with no separate code to enter.
A 2023 report from Microsoft concluded that 2FA works, blocking 99.22% of attacks on accounts that had it enabled, compared with accounts that didn’t. Even in cases where the intended victim’s password had leaked in a data breach, the requirement to use a second factor prevented 98.6% of the attacks from succeeding. If a service provider supports multi-factor authentication, Microsoft recommends using it, even if it’s as simple as SMS-based one-time passwords. A separate report from Google, based on a year-long study, offered similar conclusions.
Two-factor authentication will stop most casual attacks dead in their tracks. It’s not perfect, though. A determined attacker who is directly targeting a specific account might be able to find ways to work around it, especially if they can hijack the email account used for recovery or redirect phone calls and SMS messages to a device they control. But if someone is that determined to break into your account, you have a bigger problem.
Some online services allow only the most basic authentication options. If you have the option to use SMS messages, all you need to do is associate a mobile phone number with your account. (With some services, you can also use a virtual phone line that can receive SMS messages, such as a Google Voice number.) Configure the account to send a code to that number whenever you sign in on an untrusted device.
When you set up this form of 2FA on an account for the first time, you’re typically required to re-enter your password and enter the phone number where you want to receive authentication codes. After you complete that process, you’ll receive a code on that device. Enter the code to confirm you received it, and the 2FA setup is complete, with the service marking that device as trusted. (This is also a good time to generate a recovery code, print it out, and file that code in a safe place so you can recover it if your primary 2FA method is unavailable.)
Some services allow you to set up a trusted email address to receive authentication codes. The process is identical to the one for using text messages. Enter your preferred email address, wait for a code to arrive in your email app, and enter the code to confirm that this method works.
To set up an authenticator app as a trusted device, you have to first prove that you can sign in to the service using your password, then prove that you are who you say you are on the trusted device, using biometrics or a PIN.
That initial configuration process requires a data connection. After that step, everything happens on your device. The process is governed by a well-accepted standard — the Time-based One-Time Password algorithm (TOTP) — which uses the authenticator app as a sophisticated calculator that generates codes from the current time on your device and the shared secret. The online service uses the same secret and its own clock to generate codes that it compares against your entry. Because both sides work from the same universal time (Unix time), time zones never cause a problem, but your codes will fail if the clock on your device is wrong.
To get started, you first need to install the authenticator app on the mobile device you want to use as your second authentication factor. Here are some authenticator apps for you to consider:
- If you carry an iOS device, you can get the Google Authenticator app from the App Store. (It’s optimized for use on iPhones but should work on an iPad as well.) On Android devices, install the Google Authenticator app from the Google Play Store.
- The Microsoft Authenticator app, which uses the same standard to create authentication tokens, is available for Android devices from the Google Play Store and for iOS devices from the App Store.
- Twilio Authy is also available from the App Store and the Google Play Store.
- Several password manager services incorporate 2FA support into their apps. For details on how to use the One-Time Password feature in 1Password, see this support page. Instructions for Dashlane are available here. A popular open-source option, Bitwarden, offers similar features.
After you install the app for your device, the next step is to set it up to work with each account where you have enabled 2FA.
The setup process typically requires that you enter a shared secret (a long text string) using the mobile app. All the mobile apps I listed above support using a smartphone camera to take a picture of a QR code, which contains the shared secret for your account. That’s much easier than manually entering a complex alphanumeric string.
The screenshot below, for example, is the QR code I saw when setting up a Dropbox account.
In your smartphone app, choose the option to add a new account and then snap a picture of the barcode to automatically set up 2FA support.
Screenshot by Ed Bott/ZDNET
In your authenticator app, choose the option to add a new account, choose the barcode option, aim the smartphone at the barcode on your computer screen, and wait for the app to fill in the necessary fields.
After you set up the account in the authenticator app, it begins generating codes based on the shared secret and the current time. To complete the setup process, enter the current code from the authenticator app.
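To show what the authenticator app and the service are actually computing at this step, here is an added Python example (written for this article, not code from any of the authenticator apps or services mentioned). It parses the otpauth URI that a setup QR code typically encodes, derives codes from the shared secret and the current Unix time according to RFC 6238, and shows the server-side comparison with a small tolerance for clock drift. The account name, issuer and URI are constructed sample values; the base32 secret is the ASCII string "12345678901234567890", the key used in the published RFC 4226/6238 test vectors, so the codes can be checked against those tables.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample: the text a setup QR code typically encodes (an otpauth URI).
# The base32 secret decodes to the ASCII string "12345678901234567890", the key
# used in the RFC 4226 / RFC 6238 test vectors. It is not a secret from any real account.
SAMPLE_OTPAUTH_URI = (
    "otpauth://totp/ExampleService:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleService"
    "&algorithm=SHA1&digits=6&period=30"
)

DIGEST_BY_NAME = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def parse_otpauth_uri(uri):
    """Split an otpauth://totp/ URI into the fields an authenticator app stores."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "secret" not in query:
        raise ValueError("otpauth URI carries no shared secret")
    return {
        "label": unquote(parts.path.lstrip("/")),
        "issuer": query.get("issuer"),
        "secret": query["secret"],
        "algorithm": query.get("algorithm", "SHA1").upper(),
        "digits": int(query.get("digits", "6")),
        "period": int(query.get("period", "30")),
    }


def decode_base32_secret(secret):
    """Turn the base32 text from the QR code or setup page into raw key bytes.
    Services often omit the '=' padding and may show the secret in spaced groups,
    so normalize before decoding."""
    cleaned = secret.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key, counter, digits=6, algorithm="SHA1"):
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), DIGEST_BY_NAME[algorithm]).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(key, unix_time, period=30, digits=6, algorithm="SHA1"):
    """RFC 6238: the counter is the number of whole periods since the Unix epoch.
    Unix time is independent of time zones, which is why zones never matter but a
    wrong device clock does: a clock that is off by more than the server tolerates
    produces codes the server rejects."""
    return hotp(key, int(unix_time) // period, digits, algorithm)


def verify_totp(key, submitted, unix_time, period=30, digits=6, algorithm="SHA1", skew_steps=1):
    """Server-side check: accept the code for the current step or a neighbouring one
    (skew_steps on each side) to tolerate small clock drift and network delay.
    Uses a constant-time comparison so matching does not leak timing information."""
    current_step = int(unix_time) // period
    for delta in range(-skew_steps, skew_steps + 1):
        expected = hotp(key, current_step + delta, digits, algorithm)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def current_code_from_uri(uri, unix_time=None):
    """The code an authenticator app would display for this account at the given time."""
    acct = parse_otpauth_uri(uri)
    key = decode_base32_secret(acct["secret"])
    now = time.time() if unix_time is None else unix_time
    return totp(key, now, acct["period"], acct["digits"], acct["algorithm"])


if __name__ == "__main__":
    account = parse_otpauth_uri(SAMPLE_OTPAUTH_URI)
    print("Account:", account["label"], "issuer:", account["issuer"])
    print("Code right now:", current_code_from_uri(SAMPLE_OTPAUTH_URI))
    # Reproduce a published RFC 6238 vector: at T=59 the 6-digit SHA1 code is 287082.
    key = decode_base32_secret(account["secret"])
    print("Code at T=59:", totp(key, 59))
    print("Accepted 30 s late:", verify_totp(key, "287082", 89))   # within one step of skew
    print("Accepted 60 s late:", verify_totp(key, "287082", 119))  # two steps away: rejected
```

The skew window in `verify_totp` is the reason a code typed a few seconds after it changes still works, and the reason the article's warning about a wrong device clock holds: a clock that is off by minutes puts the device several steps away from the server, outside any sensible tolerance.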
The next time you try to sign in with a new device or web browser, you’ll need to enter the current code, as displayed by the authenticator app.
Some 2FA settings include an option to generate special app passwords for use with ancient apps that don’t support modern authentication. The security settings for your account should guide you through that process. (But really, if you are using an app that’s so outdated it requires an app password, you are living in the Pleistocene era and should replace that app with a modern alternative.)
As part of the 2FA setup process, you should also generate one or more recovery codes, which you can print out and store in a safe place. In the event your smartphone is lost or damaged, you can use those codes to regain access to your account.
If you use SMS text messages as a second factor for authentication, transferring your number to the new phone will seamlessly transfer your 2FA setup too.
Most modern authenticator apps and password manager apps allow you to generate codes on multiple devices. Install the app on the new phone, sign in, and then check each account to confirm that the codes generated on the new phone work properly. This step is critical. Do not erase your old phone until you’re certain that the authenticator app on the new phone is working properly.
Microsoft Authenticator allows you to back up codes to the cloud and restore them on a new device, but only if you’re using the same mobile platform — Android to Android or iOS to iOS. For step-by-step instructions, see “Back up and recover account credentials in the Authenticator app”. Authy offers a similar feature.
With Google Authenticator, you can sync codes across multiple devices by signing in with the same Google account on each device, as documented here: Get verification codes with Google Authenticator.
Turning on 2FA for a service changes the security requirements, forcing you to provide at least two proofs of identity when accessing a secure service for the first time on an unknown device. After you successfully meet that challenge, you usually have the option to categorize the device as trusted, which means that 2FA requests should be relatively rare on the devices you use regularly.
Most (but not all) services that support 2FA offer a choice of authentication methods. Google, Microsoft, and Apple, for example, can push notifications to a trusted device; you tap the notification to approve the sign-in. An increasing number of services support the use of hardware security keys (see: “YubiKey hands-on: Hardware-based 2FA is more secure, but watch out for these gotchas”).
For high-value services, you might choose the “inconvenient” option of always requiring a 2FA code or prompt to sign in. That precaution reduces the risk that someone with access to a trusted device can tamper with that account.
The best authentication method is the one you’re most comfortable with, assuming you have a choice at all. Whenever possible, you should set up at least two verification options to avoid the risk of being locked out of your account.
When I have a choice, I prefer to use an authenticator app rather than receiving codes via text message, and so should you, for two good reasons. The first reason is a matter of simple logistics. There are times when you have access to the internet (via a wired connection or Wi-Fi) but can’t receive a text message, because your cellular signal is weak or nonexistent, or you’re using a different SIM while traveling. The second reason is the small but real chance that an attacker will social-engineer their way through your mobile carrier’s defenses to acquire a SIM card with your phone number, a process called SIM swapping or simjacking.
If you prefer, you can also mix and match authenticator apps on a trusted device. I use 1Password to save both passwords and 2FA codes for most sites and services, making sign-in even more seamless. However, I use the separate Microsoft Authenticator app for high-value accounts, including verification codes for setting up 1Password on a new device. I go into more detail about your authenticator app options here: “Protect yourself: How to choose the right two-factor authenticator app”.
When I started writing about this technology, more than a decade ago, 2FA support was relatively rare. Today, it’s commonplace, and an increasing number of online services require it:
- Google accounts, including both consumer Gmail and business Google Workspace accounts, offer a wide range of two-step verification alternatives and now support passkeys. Go to this account page and sign in to get started: 2-Step Verification (google.com).
- All Microsoft accounts, including the free accounts used with Outlook.com, Xbox, and other consumer services, support a variety of authentication options that are managed directly by the account holder. “How to use two-step verification with your Microsoft account”.
- Administrators of Microsoft 365 business and enterprise subscriptions manage user authentication with Microsoft’s cloud-based identity and access management platform, Entra ID (formerly known as Azure Active Directory). If your IT department has enabled this feature, follow these instructions: “Set up your Microsoft 365 sign-in for multi-factor authentication”.
- For Apple accounts, two-factor authentication requires that you supply a six-digit verification code when signing in on a new device for the first time. Apple assumes you have another trusted Apple device handy. (You can use a trusted phone number if you don’t have access to another device signed in to your Apple account.) Official instructions are in this Apple Support article: “Two-factor authentication for Apple ID”.
2FA support is ubiquitous among social media services (Facebook, X/Twitter, Instagram, and so on). Every online storage service worth considering supports 2FA, as do most domain registrars and web hosting companies. If you’re unsure about a specific service, the best place to check is a superb open-source information repository called the 2FA Directory, which is run by a Swedish nonprofit, the 2factorauth group, and maintained on GitHub.
And if a high-value service you rely on doesn’t support 2FA, well, maybe you should consider switching to one that does.
You probably have login credentials at dozens of online services that support 2FA, so the best strategy is to make a prioritized list and work your way through it. I suggest following these priorities:
- Password/identity managers: Using a password manager is perhaps the most important way to ensure that you have a strong, unique password for every service, but that strategy also creates a single point of attack. Adding 2FA shores up that potential weakness. Note that for some password management apps, 2FA support is a paid option.
- Microsoft, Google, and Apple accounts: If you use services from any of these major platform companies, adding 2FA support is essential. Fortunately, it’s also easy. (See the previous section for links to detailed instructions.)
- Email accounts: If a bad actor can take over your email account, they can often wreak havoc, because email messages are a standard means of sending password reset links. Messages from a compromised email account can also be used to attack your friends and co-workers (by sending malware-laden attachments, for example). If you use Outlook.com, Microsoft 365, Exchange Online, Gmail, or Google Workspace, your email account uses the identity verification method associated with your Microsoft or Google account. If you use a different email service, you’ll need to set up 2FA separately.
- Social media accounts: As with email, the biggest risk associated with a hacked Facebook or Instagram account is that it will be used against your friends and associates. Even if you’re a lurker who rarely posts anything on social media, you should protect these accounts.
- Banks and financial institutions: Most banks and credit card companies have made significant investments in back-end fraud detection programs, which is why 2FA options are typically limited compared with other categories. Nonetheless, it’s worth exploring these settings and securing them as much as possible.
- Shopping and online commerce: Any site where you’ve saved a credit card number should be secured.