How to Set Up Two-Factor Authentication on Everything
Two-factor authentication (2FA) adds a second verification step beyond your password, typically a 6-digit code from an app or text message. If someone steals your password through a data breach, phishing, or guessing, they still cannot access your account without the second factor. Enabling 2FA reduces the risk of account compromise by over 99%, according to Microsoft’s security research.
Authenticator App vs. SMS
SMS-based 2FA sends a code via text message. It is better than no 2FA but vulnerable to SIM swapping attacks, where an attacker convinces your carrier to transfer your number to their SIM card. Authenticator apps (Google Authenticator, Authy, Microsoft Authenticator) generate codes locally on your device with no network transmission, making them immune to SIM swapping.
Authy is the recommended choice because it supports cloud backup of your 2FA codes (encrypted), meaning you do not lose access to everything if you lose your phone. Google Authenticator added cloud backup in 2023 but Authy’s implementation is more mature.
Setting Up 2FA Step by Step
For most services, the process is: go to Settings, Security, Two-Factor Authentication. Select Authenticator App. The service displays a QR code. Open your authenticator app, tap the plus icon, and scan the QR code. The app generates a 6-digit code every 30 seconds. Enter the current code on the website to confirm setup.
Priority accounts to protect first: Email (this is the master key; anyone who controls your email can reset every other password), banking and financial services, social media, cloud storage (Google Drive, Dropbox, iCloud), and Amazon/shopping accounts with saved payment methods.
Backup Codes
Most services provide 8 to 10 backup codes during 2FA setup. These are one-time-use codes that let you log in if you lose access to your authenticator app. Save them in a secure location: a printed sheet in a safe, a password manager, or an encrypted note. Do not skip this step; losing your phone without backup codes can permanently lock you out of accounts.
Hardware Security Keys
For maximum security, a hardware key (YubiKey at $25 to $50, or Google Titan at $30) provides 2FA through a physical USB or NFC device. You tap the key when prompted during login. Hardware keys are phishing-resistant because they cryptographically verify the website’s identity, making them the strongest form of 2FA available.
What to Secure First
Prioritize enabling 2FA on these accounts in this order:
1. Email. Your email account is the master key to every other account because password resets go through email. Securing email first prevents cascading compromise.
2. Financial accounts. Banks, investment accounts, payment apps, and cryptocurrency wallets. These are the highest-value targets for attackers.
3. Cloud storage. Google Drive, iCloud, Dropbox, and OneDrive contain personal documents, photos, and sometimes sensitive files.
4. Social media. Facebook, Instagram, Twitter, and LinkedIn accounts are frequently targeted for impersonation and spam distribution.
5. Shopping accounts. Amazon, eBay, and any account with stored payment information.
The entire process of enabling 2FA across all major accounts takes about 30 minutes total. Each account walks you through the setup in its security settings.
Backup Codes and Recovery
When you enable 2FA, every service provides backup codes (usually 8 to 10 one-time-use codes). Print these codes and store them in a safe, secure physical location like a locked drawer or fireproof safe. If you lose your phone, these backup codes are the only way to access your accounts without going through a lengthy identity verification process that can take days or weeks. Some services also let you designate a trusted phone number for backup SMS codes. Set this to a secondary number or a trusted family member's number. Never store backup codes only on your phone, because the scenario where you need them is exactly the scenario where your phone is unavailable.
Bottom Line
Install Authy or Google Authenticator. Enable 2FA on email first, then banking, social media, and shopping accounts. Save backup codes securely. This 30-minute setup prevents 99% of account hacking attempts.