Security Guide
Two-factor authentication blocks 99.9% of automated attacks on your accounts, according to Microsoft. Yet only 28% of Americans use it consistently. This guide explains what 2FA is and which type is most secure, then walks you through setting it up on every major platform.
The Basics
Two-factor authentication (2FA) adds a second verification step when you log in to an account. Instead of relying on just your password (something you know), 2FA requires a second factor — something you have (like your phone or a hardware key) or something you are (like a fingerprint).
Over 24 billion username-password combinations are currently available on dark web marketplaces. Even if you use strong, unique passwords for every account, a data breach at any service can expose your credentials. With 2FA enabled, a stolen password alone is not enough — the attacker also needs your second factor. This single step eliminates the vast majority of account-compromise attacks.
Think of 2FA like a bank vault that requires two separate keys held by two different people. Even if one key is stolen, the vault stays locked. The three authentication factors are:
Something you know
Your password, PIN, or security questions. This is the traditional first factor. The problem: passwords can be stolen through phishing, data breaches, or brute force. Security questions (mother's maiden name, first pet) are often guessable from social media.
Something you have
Your phone (for SMS codes or authenticator apps), a hardware security key (like YubiKey), or a smart card. This is the most common second factor. Even if someone has your password, they can't log in without physical access to your device.
Something you are
Biometrics: fingerprint, face recognition, iris scan, or voice recognition. Used by many phones and laptops as a local authentication method. Biometrics are convenient but can't be changed if compromised — unlike a password or security key.
Comparison
Not all second factors are created equal. SMS codes, authenticator apps, and hardware keys all provide 2FA — but they differ dramatically in security. Here's how they compare.
SMS codes
A one-time code is sent to your phone via text message. While better than no 2FA at all, SMS is the least secure option. SIM-swapping attacks — where criminals convince your carrier to transfer your phone number to their SIM card — have surged in recent years. The FBI reported over 2,000 SIM-swap complaints in a single year, with losses exceeding $72 million. SMS codes can also be intercepted through SS7 network vulnerabilities.
Email codes
Some services send a verification code to your email. This is only as secure as your email account — and if an attacker already has your email password (common in credential-stuffing attacks), they can intercept the code and access both accounts. Email-based 2FA should be a last resort.
Authenticator apps
Apps like Google Authenticator, Microsoft Authenticator, or Authy generate time-based one-time passwords (TOTP) that change every 30 seconds. The codes are computed locally on your device from a shared secret and the current time — they're never transmitted over a network, making them immune to SIM-swapping and network interception. This is the best balance of security and convenience for most people.
Hardware security keys
Hardware security keys are physical devices, like YubiKey or Google Titan, that plug into a USB port or connect via NFC. They use the FIDO2/WebAuthn protocol and are phishing-resistant — they verify not just your identity but also that the website you're logging into is legitimate. Google requires all employees to use hardware keys and reported zero successful phishing attacks after implementing them.
Use an authenticator app for most accounts and a hardware security key for your most important accounts (email, banking, password manager). Avoid SMS-based 2FA if your service offers an alternative — but if SMS is the only option, it's still far better than no 2FA at all. The jump from "password only" to "password + SMS" is much larger than the jump from SMS to authenticator app.
Security Alert
SMS-based 2FA has well-documented vulnerabilities. Understanding these risks helps you make informed decisions about which accounts need stronger protection.
SIM swapping
An attacker calls your mobile carrier, impersonates you (using personal details from data breaches or social media), and convinces the carrier to transfer your phone number to a new SIM card. Once they control your number, they receive all SMS codes sent to it. High-profile victims include Twitter CEO Jack Dorsey and numerous cryptocurrency investors who lost millions.
SS7 interception
SS7 (Signaling System 7) is the protocol that connects mobile networks worldwide. Known vulnerabilities in SS7 allow attackers to intercept SMS messages without needing physical access to your phone or SIM card. While these attacks require technical sophistication, they've been documented by security researchers and are actively exploited by state-sponsored actors.
Real-time phishing relays
Sophisticated phishing attacks now include real-time interception: an attacker creates a fake login page, captures your password, logs into the real site, triggers an SMS code, then asks you to enter the code on the fake page. This relay attack works against SMS codes but not against hardware keys (which verify the site's domain).
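The reason a relayed code fails against a hardware key is the origin binding described above: the browser records the site's origin in the signed clientDataJSON, and the site refuses anything signed for a different origin. As an added example (not from the original guide), here is the relying-party side of that check in Python, using a constructed hypothetical site and a constructed stand-in for the browser's output; the cryptographic signature verification is deliberately left out to keep the focus on the binding itself.

```python
import base64
import json
import secrets

# Constructed relying-party settings for a hypothetical site.
EXPECTED_ORIGIN = "https://accounts.example.com"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def new_challenge() -> str:
    """Fresh random challenge per login attempt; it must come back unchanged."""
    return b64url(secrets.token_bytes(32))


def check_client_data(client_data_json: bytes, expected_challenge: str):
    """Relying-party checks on clientDataJSON from the WebAuthn assertion
    verification procedure. The browser fills in `origin` itself, and the
    key's signature covers SHA-256(clientDataJSON), so a phishing page can
    neither forge nor rewrite it. (The signature check over authenticatorData
    || SHA-256(clientDataJSON) is omitted here.) Returns (ok, reason)."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch (stale or replayed response)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin {cd.get('origin')!r} is not {EXPECTED_ORIGIN!r}"
    return True, "response bound to this origin"


def make_client_data(origin: str, challenge: str) -> bytes:
    """Constructed stand-in for what a browser on `origin` would produce."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin, "crossOrigin": False}).encode()


if __name__ == "__main__":
    ch = new_challenge()
    # A genuine login from the real site passes...
    print(check_client_data(make_client_data(EXPECTED_ORIGIN, ch), ch))
    # ...but the same challenge relayed through a look-alike domain fails,
    # because the victim's browser stamped the phishing origin into it.
    print(check_client_data(make_client_data("https://accounts-example.com", ch), ch))
```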
Despite its weaknesses, SMS 2FA still blocks the vast majority of attacks — automated credential stuffing, basic phishing, and opportunistic hackers. If a service only offers SMS-based 2FA, enable it. The risk of SIM swapping is real but relatively rare compared to the risk of having no 2FA at all. Upgrade to an authenticator app or hardware key when the option becomes available.
App Comparison
Authenticator apps generate time-based codes locally on your device. They're free, work offline, and are significantly more secure than SMS. Here are the best options.
Microsoft Authenticator
Our top pick for most users. Microsoft Authenticator supports TOTP codes for any service, push notifications for Microsoft accounts, biometric lock, and encrypted cloud backup. The backup feature is critical — if you lose your phone, you can restore all your 2FA codes on a new device. Available on iOS and Android.
Authy
Authy offers encrypted multi-device sync — your 2FA codes are available on your phone, tablet, and desktop simultaneously. This is a major convenience advantage over single-device authenticators. Authy also supports encrypted cloud backups and a desktop app. The multi-device feature does slightly increase the attack surface, but Authy mitigates this with strong encryption.
Google Authenticator
The original authenticator app, now with cloud sync (added in 2023). Google Authenticator is simple, reliable, and widely supported. It generates standard TOTP codes and recently added the ability to transfer codes between devices via Google account sync. A solid choice if you prefer simplicity over features.
1Password
If you already use 1Password as your password manager, it can also store and generate TOTP codes. This means your password and 2FA code auto-fill together — extremely convenient. The trade-off: your password and second factor are stored in the same app, reducing the "two separate factors" benefit. For most people, the convenience is worth the minor theoretical risk.
Step-by-Step
Enabling 2FA takes 2-3 minutes per account. Start with your most important accounts — email, banking, and your password manager — then work outward.
Google
Go to myaccount.google.com → Security → 2-Step Verification → Get Started. Google offers multiple options: Google Prompts (push notifications), Authenticator App, Hardware Key, or SMS. Choose "Authenticator App," scan the QR code with your authenticator, and enter the verification code. Save the backup codes Google provides — store them in your password manager or print them.
Apple
On iPhone: Settings → [Your Name] → Sign-In & Security → Two-Factor Authentication → Turn On. Apple uses trusted devices as the second factor — verification codes appear on your other Apple devices. You'll also register a trusted phone number as a backup. Apple's 2FA is mandatory for many services and tightly integrated into the ecosystem.
Banking and financial accounts
Most banks offer 2FA in their security settings (often labeled "Two-Step Verification" or "Multi-Factor Authentication"). Many banks still only support SMS — enable it anyway, as it's far better than password-only access. If your bank supports authenticator apps (Chase, Capital One, and others now do), use that instead. Check your bank's security settings page or contact support.
Social media
Facebook: Settings → Security and Login → Two-Factor Authentication. Instagram: Settings → Security → Two-Factor Authentication. X (Twitter): Settings → Security → Two-Factor Authentication. All three support authenticator apps. Facebook and X also support hardware keys. Enable 2FA on social media to prevent account takeovers — a growing target for scammers.
Password manager
Your password manager is arguably the most important account to protect with 2FA. In 1Password: Sign in to your account at 1password.com → Profile → More Actions → Manage Two-Factor Authentication. Use a separate authenticator app (not 1Password itself) for this — if someone compromises your 1Password vault, you want the second factor stored elsewhere.
Email
Outlook/Microsoft: account.microsoft.com → Security → Advanced Security Options → Two-Step Verification. ProtonMail: Settings → Security → Two-Factor Authentication. Your email account is the master key — it's used to reset passwords for almost every other service. Protecting it with 2FA (and ideally a hardware key) is the highest-impact security step you can take.
Important
If your phone is lost, stolen, or broken and you haven't saved your backup codes, you could be locked out of your accounts permanently. Most services provide 8-10 one-time backup codes when you enable 2FA. Save these codes in your password manager, print them and store them in a safe, or both. Some authenticator apps (Authy, Microsoft Authenticator) offer cloud backup — enable this feature as an additional safeguard. Recovery without backup codes often requires identity verification that can take days or weeks.
Two-factor authentication and strong unique passwords together block virtually all common account attacks. A password manager handles the passwords; an authenticator app handles the second factor. Setup takes under 30 minutes.
Common Questions
What is the difference between 2FA and MFA?
Two-factor authentication (2FA) is a subset of multi-factor authentication (MFA). 2FA specifically requires exactly two factors; MFA can require two or more. In practice, most consumer services that say "MFA" are actually implementing 2FA — a password plus one additional factor. The terms are often used interchangeably.
Can 2FA be bypassed?
Sophisticated attackers can bypass SMS-based 2FA through SIM swapping or real-time phishing relays. Authenticator apps are much harder to bypass. Hardware security keys are virtually impossible to bypass remotely — they verify both your identity and the website's authenticity. No security measure is 100% foolproof, but 2FA makes attacks dramatically harder and more expensive for criminals.
Which accounts should I protect first?
Prioritize in this order: (1) your primary email account — it's the master key to reset all other passwords, (2) your password manager, (3) banking and financial accounts, (4) social media, (5) cloud storage (Google Drive, Dropbox, iCloud), (6) any account containing sensitive personal or work data. Start with the top three and work down the list.
Do I still need strong passwords if I use 2FA?
Absolutely. 2FA is a second layer of defense, not a replacement for the first. A weak password with 2FA is still less secure than a strong, unique password with 2FA. Use a password manager to generate random, unique passwords for every account, and protect them with 2FA. These two tools together provide far more security than either one alone.
What is a hardware security key, and do I need one?
A hardware security key (like YubiKey 5 or Google Titan) is a small physical device that plugs into your USB port or connects via NFC. It uses the FIDO2/WebAuthn protocol to provide phishing-resistant authentication. You need one if you're a high-value target (executive, public figure, cryptocurrency holder) or if you want the strongest available protection for your most important accounts. For most people, an authenticator app is sufficient.
Enable two-factor authentication on your most important accounts today. Pair it with a password manager for unique passwords everywhere. It's the highest-impact security step most people still haven't taken.