Security 6 min read

Two-factor authentication - what it is and how to enable it safely

Two-factor authentication significantly reduces the risk of account takeover. Learn which options exist, what we recommend, and how to set it up safely.

Two-factor authentication is one of the simplest ways to significantly improve account security. You will often see it shortened to 2FA. In practice, it means that a password is not enough to sign in - the service asks for a second confirmation, such as a code from an app or an approval on your phone.

Why does that matter? Because passwords sometimes leak, and not always because of something you did. The second step often decides whether an attacker gets into the account or not.

What two-factor authentication is and why it works

With a regular login, you enter something you know: your password.

With two-factor authentication, you add a second step, most often:

  • something you have: a phone with an authenticator app or a security key,
  • or something you are: a fingerprint or face recognition, often as part of modern passwordless sign-in.

If an attacker gets your password, they still do not have the second factor. That is the whole point.

When passwords are most often abused

The most common scenarios look like this:

  • A data leak from another service. Many people reuse the same password, or a very similar one, across several websites. When one service leaks, attackers try the same login details elsewhere.
  • Fake login pages. Someone convinces you to enter your password on a page that only looks like the real one.
  • Weak or short passwords. Short and predictable passwords can be guessed or cracked faster.

If you want to quickly check whether your email address appeared in known breaches, you can use Have I Been Pwned.

Two-factor authentication helps in all of these cases.

Which two-factor authentication methods exist, and which are worth using

Not every method is equally strong. Here is a practical overview with a short recommendation.

An authenticator app is the best compromise for most people

An authenticator app creates one-time codes, usually every 30 seconds. When signing in, you enter the current code.

Examples of apps: Google Authenticator, Microsoft Authenticator, Authy, or Proton Authenticator.

Advantages: good security, codes work even without internet access.
Disadvantages: you need to think about moving the app to a new phone and keeping a backup.

[Figure: example of the Google Authenticator interface with one-time codes.]

App approval is convenient, but requires attention

Some services let you sign in by simply approving a prompt in a phone app: "Yes, it is me." It is convenient, but that is exactly why you should not approve prompts automatically.

A typical problem looks like this:

  • someone else tries to sign in to your account because they have your password from a leak or phishing attack,
  • you receive a login approval prompt,
  • you approve it in a hurry because it looks like a normal notification.

At that moment, you have approved the attacker’s login.

Recommendation:

  • approve a login only when you are signing in yourself,
  • always check what the app shows: service, device, and approximate location,
  • if you receive an approval request for no reason, choose deny, then change your password and check active devices or sessions.

An SMS code is better than nothing, but not ideal

SMS verification is still better than having no extra protection, but it has more weaknesses, such as phone-number abuse or message redirection.

If you can choose, prefer an authenticator app or a security key.

A security key is excellent for your most important accounts

A security key (USB/NFC) is very strong protection, especially for:

  • your email account, because it is often the key to your other services,
  • your password manager,
  • work and administrator accounts.

In practice, a password is not enough. The service asks you to connect the key by USB or tap it with your phone via NFC. Without the key, an attacker cannot sign in, even if they know your password.

Example of a security key: YubiKey.

Advantages: high resistance against account abuse.
Disadvantages: it is another device, so it is best to have a backup key too.

Which option to choose

If you want something secure and practical:

  1. Enable two-factor authentication with an authenticator app.
  2. Save your backup or recovery codes.
  3. For the most important accounts, consider using a security key too.

How to enable two-factor authentication step by step

The exact button names differ between services, but the process is usually similar:

  1. Open your account settings.
  2. Find the security section, often called "Security and sign-in".
  3. Choose two-factor authentication, often also called "2FA" or "two-step verification".
  4. Choose a method, ideally an authenticator app.
  5. Scan the QR code in the app and enter the first code to verify the setup.
  6. Save your recovery codes and set up a backup method if the service offers one.

Tip: most services let you use several methods at the same time. That is useful. If you lose your phone, you still have a backup.

Recovery codes: the detail that matters

The most common mistake with two-factor authentication is turning it on but not saving recovery codes.

If you lose your phone or delete the authenticator app, recovery codes are often the fastest way back into your account.

Practical ways to store them:

  • save them in a password manager,
  • print them and keep them somewhere safe,
  • store them in an encrypted file.

What to do before changing phones

Before switching phones, check:

  • whether your recovery codes are saved,
  • whether you have a backup method enabled,
  • how your authenticator app transfers accounts to a new device.

Recommendation: for the most important accounts, set up a second method too, such as a security key, so your access does not depend on a single phone.

Two-factor authentication does not replace a strong password

It helps a lot, but your password should still be:

  • unique for every account,
  • long enough, often 16+ characters,
  • ideally stored in a password manager.

If you also want practical advice on password length and setup, read How to create a strong password.

Frequently asked questions

Is an SMS code better than nothing?

Yes. SMS verification is better than no extra protection. If possible, switch to an authenticator app or security key later.

Can two-factor authentication completely prevent account abuse?

It significantly reduces the risk, but it is not a magic button. You should still watch out for phishing pages and use unique passwords.

My authenticator app code does not work. What should I do?

A common reason is incorrect time on your phone. Turn on automatic date and time settings, then try entering the code again.
