Skip to content
How‑To Guides

How to Enable Two-Factor Authentication

Two-factor authentication stops stolen passwords from granting access to your accounts. Here is the essential guide for setting it up on every important account you own.

How to Enable Two-Factor Authentication

A password alone is no longer enough to protect an online account. Data breaches expose billions of credentials every year, and once a password appears in a breach database, automated tools test it against hundreds of other services within hours. The fix is two-factor authentication (2FA) — adding a second verification step to every login so a stolen password alone cannot grant access to your account. Even if someone has your password, without the second factor they cannot log in. If you want the full context, see our Complete Guide to Online Security and Privacy.

2FA works by requiring something you know (your password) plus something you have (your phone or a hardware key). An attacker who steals your password from a breach database doesn’t have your phone, which means the stolen credential is useless against a properly secured account.

The types of 2FA — not all are equal

Understanding the options helps you choose the strongest method each service supports:

  • Authenticator app (TOTP): An app like Google Authenticator, Authy, or Microsoft Authenticator generates a 6-digit code that changes every 30 seconds. The recommended method for most accounts — it works offline, is not vulnerable to SIM swap attacks, and is supported by virtually every service that offers 2FA.
  • Hardware security key (FIDO2/WebAuthn): A physical USB or NFC key like a YubiKey or Google Titan Key. The strongest 2FA method available — completely phishing-resistant because the key cryptographically verifies the website’s origin before signing in. Best for email, banking, and work accounts.
  • SMS text message codes: The weakest form. Vulnerable to SIM swap attacks where a fraudster tricks your carrier into transferring your phone number. Use it only if it’s the only option offered, and upgrade to an authenticator app when possible.
  • Email codes: Approximately as secure as the security of your email account itself — which is why securing email with a stronger 2FA method is the priority above all others.
  • Push notifications: An approval prompt sent to an app on your phone (common in Microsoft Authenticator and Duo). Convenient but vulnerable to “prompt bombing” attacks — attackers send repeated prompts hoping you accidentally approve one. Number matching (the app shows a number you must also see on the login screen) significantly reduces this risk.
  • Passkeys: The emerging replacement for passwords, where your device’s biometric authenticator (Face ID, fingerprint) serves as both the first and second factor in a single step — integrated authentication rather than layered.

The hierarchy: hardware key when available, authenticator app for everything else, SMS as a last resort. If a service only offers SMS, use it — it’s significantly better than no 2FA at all, because most attackers use automated credential stuffing tools that don’t bother with the additional step of SIM swapping.

Where to enable 2FA first

The accounts that deserve two-factor authentication immediately are those that, if compromised, would enable an attacker to compromise everything else. Start with email — it serves as the password reset destination for every other account, so losing email access effectively means losing access to all accounts that use it for recovery.

Priority order:

  1. Email (Google, Microsoft, Apple ID) — highest priority, enables all other recovery paths
  2. Financial accounts — banking, investment, payment services (PayPal, Venmo)
  3. Cloud storage and backup accounts
  4. Social media and communication platforms
  5. Everything else with a 2FA option

Google accounts: Google Account → Security → 2-Step Verification → Get started → select Authenticator app → scan the QR code → enter the six-digit confirmation code. Google also allows hardware keys as the primary method, providing the highest protection for Gmail.

Microsoft accounts: account.microsoft.com → Security → Advanced security options → Two-step verification → Set up. The Microsoft Authenticator app is recommended — it supports number matching by default, mitigating prompt bombing attacks. For business Microsoft 365 accounts, IT may have already mandated 2FA through Azure AD Conditional Access.

Apple ID: appleid.apple.com → Sign-In and Security → Two-Factor Authentication → Turn on. Apple’s implementation uses trusted Apple devices — a code appears on your other Apple devices rather than requiring a separate app. If you only have one Apple device, set up at least two trusted phone numbers as fallback.

Setting up an authenticator app — step by step

  1. Download an authenticator app. Google Authenticator and Microsoft Authenticator are the most widely used. Authy adds encrypted cloud backup of your 2FA codes — useful if you lose your phone, though it introduces a different security trade-off.
  2. Go to the account’s security settings. Look for “Two-factor authentication,” “2-Step verification,” or “Multi-factor authentication” under Security, Account settings, or Privacy and security menus.
  3. Select authenticator app as the method. The service shows a QR code encoding the shared secret that allows the app to generate matching codes.
  4. Open the authenticator app and scan the QR code. In Google Authenticator: tap the + icon → Scan a QR code → point the camera at the code. The account appears immediately, showing a rotating six-digit code.
  5. Enter the current six-digit code to confirm. The code changes every 30 seconds — enter it promptly.
  6. Save the backup codes. Every service generates single-use backup codes after 2FA setup. These let you log in if you lose access to your phone. Save them in your password manager’s secure notes, print them and store them physically, or both. This step is the most commonly skipped and the most important when something goes wrong.
  7. Repeat for every important account. 2FA on email only leaves every other account vulnerable to the password reset path.

Business and team accounts

A single employee account without two-factor authentication is the most common entry point for corporate breaches — phished credentials going directly to sensitive internal systems. Mandating 2FA across a business requires a policy enforcement mechanism or a combination of policy and training.

  • Google Workspace: admin.google.com → Security → Authentication → 2-Step Verification → Enforcement. Activates for all accounts without requiring each employee to set it up independently.
  • Microsoft 365: Microsoft 365 admin center → Security → Authentication → enable MFA.

Phishing attacks that bypass 2FA are a genuine and growing threat. Adversary-in-the-middle phishing kits (AiTM) intercept both the password and the 2FA code in real time, allowing attackers to authenticate as the user immediately after. This is why hardware security keys — FIDO2 keys that cryptographically verify the site’s origin — are the only form of 2FA that is completely phishing-resistant. For high-value accounts and business email, hardware keys are worth the investment of approximately $25-50 per key.

Our guide on using a password manager covers securing the accounts that 2FA protects, and our guide on avoiding phishing scams covers the social engineering attacks that target 2FA-enabled accounts specifically. For the technical specifications of FIDO2/WebAuthn hardware authentication, the FIDO Alliance’s documentation covers the phishing resistance properties and deployment considerations.

Recovery when 2FA locks you out

The second most common reason people disable two-factor authentication is a self-inflicted lockout after losing phone access. Understanding recovery options before they’re needed prevents the panic decision of disabling 2FA entirely.

Backup codes are the primary recovery mechanism — one-time-use codes generated during setup. Store them in the password manager’s secure notes and keep a printed copy for critical accounts in a physically secure location. If backup codes are used, the service prompts for a new set immediately after successful login.

When backup codes are also unavailable: most services offer recovery through an alternate email address, a recovery phone number, or identity verification with the service’s support team. Setting up at least two different recovery options during 2FA configuration is the best insurance against complete lockout. For Google accounts: add a recovery phone number and recovery email. For Microsoft: maintain a secondary email as a recovery alias.

Switching phones: migrate 2FA setups before factory resetting the old phone. Authy backs up codes encrypted to your account. Google Authenticator added encrypted backup via Google account in 2023. For both: use the “Transfer accounts” or export feature before resetting the old device. Losing the old phone without migrating creates a complex recovery situation for every account using app-based 2FA.

Shared accounts and 2FA

When multiple people share an account (family streaming service, shared business account), most platforms issue a single TOTP secret — there’s no per-user 2FA. Authy allows multiple devices to be registered with the same TOTP secret, providing a practical solution for shared accounts without requiring a separate app configuration per person. Alternatively, storing the TOTP seed in a shared password manager entry (Bitwarden Premium and 1Password both support TOTP storage) makes the code accessible to all authorised vault users without requiring separate app setup on each person’s phone.

Is the additional login friction worth it? The additional step takes approximately five seconds per login — often feeling like no friction at all on mobile with biometric unlocking. Against this five-second cost is protection against the entire category of credential stuffing attacks, which are fully automated and require no human targeting to be effective. A breached password from a retail site you haven’t visited in three years can be tested against your banking login within minutes of appearing in a criminal database. Two-factor authentication makes that test fail regardless of how old or obscure the breach was. The return on five seconds per login is protection against an entire automated attack category — which is why security professionals treat it as a baseline requirement, not an advanced option.

Passkeys — the 2FA replacement worth understanding

Passkeys are the technical evolution that replaces both the password and the second factor with a single cryptographic step. When you create a passkey for an account, your device generates a public-private key pair. The private key stays on your device secured by biometric authentication; the public key goes to the service’s server. Logging in with a passkey uses Face ID or fingerprint to unlock the private key, which cryptographically signs a challenge from the server — proving identity without sending a password or a one-time code.

The result is authentication that is simultaneously more secure than password + authenticator app (it’s phishing-resistant by design, since the key pair is bound to the specific site’s origin) and more convenient (one biometric step replaces typing a password and then checking an app). Major services now supporting passkeys include Google, Apple, Microsoft, GitHub, PayPal, eBay, and an increasing number of password managers themselves.

Passkeys don’t eliminate the need for understanding two-factor authentication — most services still fall back to password + 2FA for devices or situations where passkeys aren’t available, and understanding 2FA is essential for the accounts that don’t yet support passkeys. But they represent the direction that authentication is heading, and enabling passkeys on accounts that support them is worth doing — the security and convenience improvement over even a well-configured 2FA setup is meaningful.

A practical 2FA rollout plan

If you’re currently using 2FA on zero or just one account and want to get properly protected without spending an entire afternoon on it:

  1. Today (15 minutes): Enable 2FA on your primary email account with an authenticator app. Save the backup codes in your password manager. This single action protects the most valuable account and prevents the cascade failure where email compromise leads to every other account.
  2. This week (10 minutes per session): Enable 2FA on financial accounts — banking, investment, PayPal. These are the accounts where compromise causes direct financial harm.
  3. Over the next month: When you log into any account that offers 2FA, enable it at that moment — don’t schedule a dedicated session. Reactive enabling is more sustainable than trying to configure everything in a single batch.
  4. Ongoing: When you get a new phone, migration of 2FA setups is the first security task before factory resetting the old one.

Two-factor authentication isn’t a perfect security solution — nothing is — but it’s one of the most asymmetric security improvements available to individuals and organisations. The cost (five seconds per login, a one-time 10-minute setup per account) versus the protection (against the entire automated credential stuffing attack category, which represents the majority of account compromises) makes it a straightforward decision for every account that matters. Related: Prevent Account Takeover.

Nikolas Lamprou

Nikolas Lamprou (MSc; GCFR, SC-200, Security+) has been working with computers professionally since 2009 — starting with web development and e-commerce, and moving into cybersecurity over the years. Based in Greece, he brings over 15 years of real-world IT experience to SolveTechToday, where he writes about Windows fixes, software reviews, security tools, and AI applications. His goal is straightforward: cut through the noise and give readers clear, honest guidance on the tech decisions that matter.

Stay Ahead

Fix your next problem before it starts

Get the week's best Windows fixes, software picks, and security guides delivered straight to your inbox. No noise, just solutions.

Press ESC to close · Try "Windows 11" or "Chrome"