Two-Factor Authentication: Everything You Need to Know
What Is Two-Factor Authentication?
Two-factor authentication (2FA) adds a second layer of security beyond your password. Even if an attacker obtains your password through a data breach or phishing attack, they cannot access your account without the second factor. The second factor is typically something you have, such as a phone or hardware key, rather than something you know, like a password.
Enabling 2FA is one of the most effective things you can do to protect your online accounts. Google reported that adding 2FA blocks over 99% of automated attacks and 96% of targeted phishing attempts. If you do nothing else from this guide, enable 2FA on your email, banking, and social media accounts today.
Types of 2FA
SMS-based 2FA sends a text message with a one-time code to your phone number. While better than no 2FA at all, SMS is the weakest form because it is vulnerable to SIM-swapping attacks, where an attacker convinces your mobile provider to transfer your number to their SIM card. Avoid SMS 2FA if your provider offers alternatives.
Authenticator apps like Aegis, Raivo, or Google Authenticator generate time-based one-time passwords (TOTP) that change every 30 seconds. These are significantly more secure than SMS because the codes are generated locally on your device and cannot be intercepted in transit. TOTP is the most widely supported 2FA method and the recommended minimum for all accounts.
Hardware Security Keys
Hardware security keys, such as YubiKey, are physical devices that you plug into your computer or tap against your phone to authenticate. They use the FIDO2/WebAuthn protocol, which is cryptographically bound to the specific website, making phishing attacks virtually impossible. Even if you enter your credentials on a fake website, the key will not authenticate because the domain does not match.
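The domain binding described above, shown as an added illustration that is not code from this guide, from YubiKey, or from the FIDO specifications: a toy model of the WebAuthn sign-in flow. Everything in it is constructed. The domain names are placeholders, and an HMAC over the signed message stands in for the asymmetric signature a real key produces, so the site holds the same secret where a real site would hold only the public key. The structure of what gets signed (authenticatorData, which starts with the SHA-256 of the RP ID, followed by the hash of clientDataJSON, which carries the browser's real origin) and the checks the site performs follow the WebAuthn design.

```python
import base64
import hashlib
import hmac
import json
import os
from urllib.parse import urlparse


def rp_id_from_origin(origin):
    # The browser derives the RP ID from the page's real origin. The key is
    # never told which site the user *believes* they are on.
    return urlparse(origin).hostname


class ToyAuthenticator:
    """Stand-in for a hardware key (constructed model, not a real protocol
    implementation). A real key holds a per-site private key and returns an
    asymmetric signature; here an HMAC over the same message stands in."""

    def __init__(self):
        self._creds = {}  # rp_id -> (credential_id, key)

    def make_credential(self, rp_id):
        cred_id, key = os.urandom(16), os.urandom(32)
        self._creds[rp_id] = (cred_id, key)
        return cred_id, key  # a real key would hand back the public key here

    def get_assertion(self, rp_id, client_data_hash):
        if rp_id not in self._creds:
            return None  # nothing registered under this domain: no response
        cred_id, key = self._creds[rp_id]
        # authenticatorData begins with SHA-256(rpId), then flags and a counter.
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
        sig = hmac.new(key, auth_data + client_data_hash, hashlib.sha256).digest()
        return {"cred_id": cred_id, "auth_data": auth_data, "sig": sig}


def browser_get_assertion(authenticator, origin, challenge):
    # What the browser does for navigator.credentials.get(): it records the
    # real origin in clientDataJSON and passes the key only the RP ID.
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    ).encode()
    result = authenticator.get_assertion(
        rp_id_from_origin(origin), hashlib.sha256(client_data).digest()
    )
    if result is None:
        return None
    result["client_data"] = client_data
    return result


class RelyingParty:
    """The website's side of the exchange."""

    def __init__(self, origin):
        self.origin = origin
        self.rp_id = rp_id_from_origin(origin)
        self._keys = {}        # credential_id -> verification key
        self._pending = set()  # challenges issued but not yet used

    def register(self, authenticator):
        cred_id, key = authenticator.make_credential(self.rp_id)
        self._keys[cred_id] = key

    def new_challenge(self):
        challenge = base64.urlsafe_b64encode(os.urandom(32)).decode()
        self._pending.add(challenge)
        return challenge

    def verify(self, assertion):
        if assertion is None:
            return False
        client = json.loads(assertion["client_data"])
        if client.get("type") != "webauthn.get":
            return False
        if client.get("challenge") not in self._pending:
            return False  # unknown, expired or already-used challenge
        if client.get("origin") != self.origin:
            return False  # the browser was on some other site
        if assertion["auth_data"][:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return False  # the key signed for a different RP ID
        key = self._keys.get(assertion["cred_id"])
        if key is None:
            return False
        signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
        expected = hmac.new(key, signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["sig"]):
            return False
        self._pending.discard(client["challenge"])  # one challenge, one login
        return True


def setup():
    key, site = ToyAuthenticator(), RelyingParty("https://example.com")
    site.register(key)
    return key, site


def legitimate_login():
    key, site = setup()
    return site.verify(browser_get_assertion(key, "https://example.com", site.new_challenge()))


def phishing_login():
    # The user is on a look-alike domain (placeholder name) that forwards the
    # real site's challenge. The key has no credential for that domain.
    key, site = setup()
    assertion = browser_get_assertion(key, "https://examp1e.com", site.new_challenge())
    return assertion is None, site.verify(assertion)


def replayed_login():
    # A captured assertion cannot be used twice: the challenge is consumed.
    key, site = setup()
    assertion = browser_get_assertion(key, "https://example.com", site.new_challenge())
    return site.verify(assertion), site.verify(assertion)
```

The point of the model is the two places the domain is enforced: the key only answers for the RP ID the browser derived from the real address bar, and the site independently checks both the origin inside clientDataJSON and the RP ID hash at the start of authenticatorData. A look-alike page therefore gets no assertion at all, and a captured one fails the challenge check on reuse.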
Hardware keys are the strongest form of 2FA available and are recommended for high-value accounts like email, cloud storage, and financial services. They cost between twenty and fifty pounds and are well worth the investment. Buy at least two keys and register both with each account so you have a backup if one is lost or damaged.
Setting Up 2FA
Most services have 2FA settings under Security or Account Settings. When you enable 2FA, the service will show a QR code that you scan with your authenticator app. The app then generates codes for that account. Always save the backup codes provided during setup in your password manager. These codes allow you to regain access if you lose your 2FA device.
For hardware keys, the process is similar: navigate to Security settings, select the option to add a security key, and follow the prompts to register your key. Register your backup key at the same time. Some services allow you to use both an authenticator app and a hardware key, which gives you maximum flexibility.
Managing 2FA Across Your Accounts
Start with your most critical accounts: email, password manager, banking, and cloud storage. Then expand to social media, shopping sites, and any service that holds personal data. Your password manager can help you track which accounts have 2FA enabled and which still need it.
Use an authenticator app that supports encrypted backups, such as Aegis on Android or Raivo on iOS. Without backups, losing your phone means losing access to all your 2FA accounts. Store your backup codes securely in your password manager, not in a text file on your desktop or a note on your phone.
Common Concerns
The most common concern about 2FA is being locked out of accounts. This is easily prevented by saving backup codes and registering multiple authentication methods. If you use a hardware key, a backup key ensures you are never locked out. If you use an authenticator app, encrypted backups let you restore your tokens on a new device.
Some people find 2FA inconvenient, but modern implementations are remarkably smooth. Hardware keys require a single tap, and authenticator apps auto-fill codes on many platforms. The few seconds 2FA adds to each login are a trivial price for the massive improvement in security it provides.