Two-factor authentication: a second lock on your accounts
Even if someone steals your password, two-factor login can stop them getting in. Here's how it works and how to switch it on.
Two-factor authentication — often shortened to 2FA — means your account asks for two things before letting anyone in: something you know (your password) and something you have (usually your phone). It is one of the most effective protections available, and it takes about a minute to set up.
The three common types, from good to best
1. Text message (SMS) codes — good
The service texts you a short code to type in. Far better than nothing, though vulnerable to SIM swapping, where a criminal tricks your phone company into moving your number to their SIM card.
2. Authenticator apps — better
An app on your phone generates a fresh six-digit code every 30 seconds. The code is created on your device and never sent over the network, so it cannot be intercepted or SIM-swapped. See our directory of authenticator tools.
3. Security keys and passkeys — best
A passkey or physical security key only works on the genuine website, making it essentially immune to phishing. Passkeys are built into modern phones and are where the whole industry is heading.
How to turn it on
- Open your account settings and look for Security or Login.
- Find "Two-factor authentication" and turn it on.
- Pick your method — an authenticator app is a strong choice. You will usually scan a QR code with the app.
- Enter the test code to confirm it works.
- Save your backup codes.
Do not skip the backup codes
Most services give you one-time backup codes when you enable 2FA. These get you back in if you lose your phone. Print them or save them in your password manager — without them, losing your phone can mean losing the account.
What if I lose my phone?
- Keep backup codes somewhere safe and separate from your phone
- Register a second method where possible (an app and a phone number)
- Some authenticator apps can securely back up to the cloud and restore to a new phone
Two-factor login is the difference between "they stole my password" and "they stole my password and still could not get in." Turn it on for your email first, then your bank, then everything else that matters.