Two-factor authentication (2FA): what it is and why you need it

May 30, 2026 · 2 min read

2FA is the single most effective step to protect your accounts - even if your password leaks. Here is how it works and how to set it up.

What is two-factor authentication?

Two-factor authentication (2FA, sometimes "two-step verification" or "MFA") means proving who you are with two different things: something you know (your password) and something you have (your phone, an app, or a security key). Even if an attacker steals your password, they cannot get in without the second factor.

It is the closest thing to a security "easy button" - a few minutes to set up, and it blocks the vast majority of account takeovers.

The types, from strongest to weakest

  1. Security keys and passkeys (strongest). A physical key or a passkey stored on your device. Phishing-resistant - even a fake site cannot capture it.
  2. Authenticator apps. Apps that generate a 6-digit code that changes every 30 seconds. Free, work offline, and far safer than text messages. Good open-source options exist.
  3. Text-message (SMS) codes (weakest, but still worth it). Better than nothing, but vulnerable to SIM-swap attacks. Use it only if nothing else is offered.

Avoid relying on SMS for your most important accounts if an app or key is available.

Where to turn it on first

Start with the accounts that can do the most damage if lost:

  • Email - it is the master key; password resets for everything else go there.
  • Banking and payments.
  • Social media and your password manager.

Look in each account's Security or Login settings for "two-factor authentication" or "two-step verification."

A note on backup codes

When you enable 2FA, you will usually get backup codes. Save them somewhere safe (a password manager is ideal) so you do not get locked out if you lose your phone.

2FA matters most exactly when something goes wrong - when your password leaks. If you want to know whether one of yours already has, check it with our Password Checker, then turn on 2FA wherever you can.
