Understanding Two-Factor Authentication (2FA) and Why It Matters
Quick Answer
Passwords alone are no longer sufficient protection. They get leaked in data breaches, guessed by automated tools, or stolen through phishing. Two-factor authentication adds a second layer that stops the vast majority of account takeover attempts even when a password has been compromised.
How 2FA Works
When you log in with 2FA enabled, you provide two things:
- Something you know, your password
- Something you have, a code generated by an app, sent to your phone, or stored in a physical key
Even if a scammer has your password, they cannot log in without the second factor. This single change blocks a significant share of account compromises.
Types of 2FA: From Most to Least Secure
Authenticator apps (most secure for most people)
Apps like Google Authenticator, Microsoft Authenticator, or Authy generate a six-digit code that changes every 30 seconds. The code is generated locally on your device from a secret that is never transmitted over the network, making it very difficult to intercept.
Push notifications
Some services (like Duo or certain banks) send a push notification to your phone asking you to approve the login. Secure and convenient, but requires your phone to have data access.
Hardware security keys
Physical devices (like YubiKey) that plug into a USB port or tap via NFC. The most secure option, popular with high-risk users like journalists and executives. Requires carrying the key.
SMS text message codes (convenient but weaker)
A code is texted to your phone number. More convenient than app-based 2FA, but vulnerable to SIM swapping attacks, where scammers convince a carrier to transfer your number to a new SIM card. Still much better than no 2FA at all.
Email codes (least recommended)
A code is sent to your email. Only as secure as your email account itself.
Where to Enable 2FA First
Prioritise accounts where a compromise would cause the most harm:
| Account Type | Why It Is High Priority |
|---|---|
| Email | All password resets flow through email; if email is compromised, everything else is vulnerable |
| Banking and financial accounts | Direct financial loss |
| Social media | Can be used to scam your contacts |
| Amazon, eBay, PayPal | Contain payment methods and order history |
| Work accounts | Risk of professional and financial harm |
| Anywhere with saved payment cards | Direct purchase fraud |
How to Enable 2FA on Major Platforms
Gmail: Settings → Security → 2-Step Verification → Get started
Apple ID: Settings → Your Name → Password & Security → Two-Factor Authentication
Facebook: Settings → Security and Login → Two-Factor Authentication
Amazon: Account → Login & Security → Two-Step Verification
Banks: Log in → Security or Account Settings → look for "two-step verification" or "multi-factor authentication"
On most platforms the option is found in Account Settings under Security or Privacy.
What to Do If You Lose Access to Your 2FA Method
When you enable 2FA, most services provide backup codes: a set of single-use codes you can enter if you lose your phone or authenticator app. Store these somewhere secure (not on the same device as your authenticator):
- Print them and store them in a safe location
- Save them in a password manager
- Write them down and keep them in a secure physical location
Losing your 2FA method without backup codes can lock you out of your account. Having backup codes ready prevents this.
Common 2FA Scams to Be Aware Of
Scammers have adapted to 2FA. The most common attack is social engineering:
- A scammer who already has your password calls or texts, pretending to be your bank or a platform. They claim there has been a suspicious login and that they need to "verify" your account, and ask for the code that was just sent to you
- You read them the code, which they use to log in immediately
The rule: Never share a 2FA code with anyone who contacts you. Legitimate companies will never call and ask for the code sent to your phone.