How to Set Up Two-Factor Authentication (Without Getting Locked Out)
Published 2026-06-02
A clear, jargon-free walkthrough of 2FA: what it is, the differences between SMS, TOTP, push, and hardware keys, and how to set it up on the accounts that matter most.
What 2FA Does
Two-Factor Authentication (2FA) requires you to provide two independent pieces of evidence to log in: something you know (your password) and something you have (your phone, a hardware key) or something you are (a fingerprint). Even if an attacker steals your password, they can't log in without the second factor — which dramatically reduces the impact of password breaches.
If you enable 2FA on your most important accounts (email, bank, password manager, cloud storage), most credential-stuffing attacks become harmless.
The Four Main Types of Second Factor
- SMS codes: code sent to your phone. Easiest to set up. Vulnerable to SIM-swap attacks where an attacker convinces your carrier to transfer your number to their phone.
- TOTP (Time-based One-Time Password): 6-digit code generated by an app like Authy, Google Authenticator, or 1Password. Code rotates every 30 seconds. Not vulnerable to SIM-swap. Recommended baseline.
- Push notifications: app pops up 'Did you just log in?' — you tap Yes/No. Easier than typing a code but vulnerable to push-fatigue attacks (attacker spams you with notifications hoping you'll tap Yes by mistake).
- Hardware keys (YubiKey, Titan, etc.): physical USB / NFC token. Strongest. Cannot be phished. The 2FA gold standard for high-value accounts.
Setting Up TOTP (the Common Case)
- Install an authenticator app on your phone. Authy has cloud backup so you don't lose codes if your phone is lost. Google Authenticator is simpler but harder to migrate.
- In the account you want to secure, navigate to Settings → Security → Two-Factor Authentication → Authenticator App.
- The site shows a QR code. Scan it with the authenticator app. The app starts generating 6-digit codes for that account.
- The site asks you to enter the current code to confirm setup. Enter it.
- The site shows recovery codes (8-10 one-time codes). Save these somewhere safe — password manager or printed and stored offline. These are your only fallback if you lose your phone.
- Done.
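To make the steps above concrete, here is an added example (not code from the article) of what the authenticator app does with the QR code: it parses an otpauth:// URI, base32-decodes the shared secret, and derives a 6-digit code from HMAC-SHA1 over the current 30-second time step (RFC 6238 TOTP). The otpauth URI, account name and issuer are constructed for the demo; the secret is the RFC 6238 test secret, so the outputs can be checked against the RFC's published vectors. The verify function shows the server side: a small clock-drift window, constant-time comparison, and rejection of a step that was already accepted, so a code cannot be replayed within its 30 seconds.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample of what a TOTP QR code encodes. The secret is the
# RFC 6238 test secret "12345678901234567890" in base32; account and
# issuer are made up for this demo.
SAMPLE_OTPAUTH_URI = (
    "otpauth://totp/ExampleMail:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleMail"
    "&digits=6&period=30"
)


def parse_otpauth_uri(uri):
    """Extract the parameters an authenticator app reads from the QR code."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "secret": params["secret"],
        "issuer": params.get("issuer"),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
    }


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then the last `digits` decimal digits."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, at_time=None, period=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / period)."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret_b32, int(at_time) // period, digits)


def verify_totp(secret_b32, candidate, at_time=None, period=30, digits=6,
                window=1, last_accepted_step=None):
    """Server-side check. Accepts the current step and +/- `window` steps
    of clock drift, compares in constant time, and refuses any step that
    is not newer than the last accepted one (replay of a still-valid code).
    Returns the matched step, or None if the code is rejected."""
    if at_time is None:
        at_time = time.time()
    step = int(at_time) // period
    for delta in range(-window, window + 1):
        candidate_step = step + delta
        if last_accepted_step is not None and candidate_step <= last_accepted_step:
            continue
        if hmac.compare_digest(hotp(secret_b32, candidate_step, digits), candidate):
            return candidate_step
    return None


if __name__ == "__main__":
    account = parse_otpauth_uri(SAMPLE_OTPAUTH_URI)
    print("enrolled:", account["label"], "via", account["issuer"])
    print("code right now:", totp(account["secret"], period=account["period"]))
```

Two operational details matter more than the arithmetic: the secret inside the QR code is a long-lived shared key, so a screenshot of the QR code is equivalent to the secret itself, and the server must track the last accepted step, otherwise a code captured and resent inside its 30-second window is still valid.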
The Recovery-Code Trap
The single most common 2FA mistake: enabling 2FA, getting the recovery codes, ignoring them, then losing the phone six months later and being locked out. Always save recovery codes immediately. Treat them with the same care as your password — they bypass 2FA entirely.
The second most common mistake: saving recovery codes in the same place as the password (same password manager entry). If the password manager is compromised, both are lost. Save recovery codes in a separate vault or a printed paper backup.
Priority Order for Adding 2FA
- Your email account. Whoever controls your email can reset every other password. Lock this down first.
- Your password manager. Same reasoning — it holds all your credentials.
- Your bank and brokerage. Direct financial impact.
- Cloud storage (iCloud, Google Drive, Dropbox). Holds documents, photos, work.
- Social media. Account takeover here can damage your reputation and contacts.
- Any account holding payment methods (Amazon, PayPal, Stripe).
Why SMS Is Better Than Nothing But Worse Than TOTP
SMS 2FA is vulnerable to SIM-swap attacks: an attacker calls your carrier, impersonates you, and convinces them to transfer your number to a SIM in the attacker's possession. From that point, all SMS-based 2FA codes go to the attacker. This is a real, common attack against high-net-worth targets and crypto holders.
For most users, SMS 2FA is dramatically better than no 2FA. For high-value accounts, upgrade to TOTP or hardware keys. Disable SMS as a fallback option once TOTP is set up — otherwise an attacker can downgrade your 2FA to SMS and then SIM-swap.
Hardware Keys for Critical Accounts
A YubiKey or similar hardware token is the gold standard. Costs $25-50. Plugs into USB or taps via NFC. Cannot be phished — the key cryptographically verifies the website's domain before responding.
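The "verifies the website's domain" claim deserves a closer look, so here is an added example (not from the article, and not any vendor's code) of the checks a website performs on a FIDO2/WebAuthn assertion. The key's signed response carries a SHA-256 hash of the relying-party ID it answered for, and the browser adds the page origin to the client data; the site compares both against its own identity, so an assertion collected on a lookalike domain and relayed to the real site fails even if the user was fooled. The domain names, challenge and counter values are constructed for the demo. Verifying the ECDSA signature over authenticatorData plus the hash of clientDataJSON is the remaining step of a real verifier and needs a crypto library, so it is not shown here.

```python
import base64
import hashlib
import hmac
import json
import struct

# Constructed challenge: in practice the server generates random bytes per login.
DEMO_CHALLENGE = base64.urlsafe_b64encode(b"constructed-demo-challenge").rstrip(b"=").decode()


def rp_id_hash(rp_id):
    """WebAuthn binds every assertion to SHA-256(rpId)."""
    return hashlib.sha256(rp_id.encode("ascii")).digest()


def parse_authenticator_data(auth_data):
    """Decode the fixed 37-byte prefix of authenticatorData:
    rpIdHash (32) || flags (1) || signCount (4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    flags = auth_data[32]
    return {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & 0x01),   # UP bit: key was touched
        "user_verified": bool(flags & 0x04),  # UV bit: PIN/biometric on the key
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
    }


def check_assertion_binding(auth_data, client_data_json, expected_rp_id,
                            expected_origin, expected_challenge, last_sign_count):
    """Return the list of binding checks that failed (empty list == all passed)."""
    failures = []
    auth = parse_authenticator_data(auth_data)
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        failures.append("type")
    if client.get("origin") != expected_origin:
        failures.append("origin")
    if client.get("challenge") != expected_challenge:
        failures.append("challenge")
    if not hmac.compare_digest(auth["rp_id_hash"], rp_id_hash(expected_rp_id)):
        failures.append("rpIdHash")
    if not auth["user_present"]:
        failures.append("user-presence")
    # A non-zero counter must strictly increase; a repeat suggests a cloned key
    # or a replayed assertion.
    if auth["sign_count"] != 0 and auth["sign_count"] <= last_sign_count:
        failures.append("sign-count")
    return failures


# Helpers that fabricate what a key and browser would produce, for the demo only.
def make_authenticator_data(rp_id, sign_count, user_present=True, user_verified=False):
    flags = (0x01 if user_present else 0) | (0x04 if user_verified else 0)
    return rp_id_hash(rp_id) + bytes([flags]) + struct.pack(">I", sign_count)


def make_client_data(origin, challenge, typ="webauthn.get"):
    return json.dumps({"type": typ, "challenge": challenge, "origin": origin}).encode()


if __name__ == "__main__":
    # Genuine login on example.com (constructed domain).
    ok = check_assertion_binding(
        make_authenticator_data("example.com", 42),
        make_client_data("https://example.com", DEMO_CHALLENGE),
        "example.com", "https://example.com", DEMO_CHALLENGE, last_sign_count=41)
    # Same user, same key, but the browser was on a lookalike domain and the
    # response was relayed to the real site.
    relayed = check_assertion_binding(
        make_authenticator_data("examp1e.com", 42),
        make_client_data("https://examp1e.com", DEMO_CHALLENGE),
        "example.com", "https://example.com", DEMO_CHALLENGE, last_sign_count=41)
    print("genuine:", ok or "accepted")
    print("relayed from lookalike:", relayed)
```

The point for the reader: the phishing resistance lives in these server-side checks plus the browser filling in the true origin, not in the key alone. A site that skips the rpIdHash or origin comparison gives up most of what the hardware key buys.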
For critical accounts (Gmail, password manager, crypto exchange, bank), buy two hardware keys: one to carry, one as backup at home. Enroll both. If you lose one, the other still works.
When Not to Use 2FA
Throwaway accounts you'll never log into again: skip 2FA; it's friction with no upside. Anything else: enable 2FA. The 30 seconds of setup is the best security trade you can make.
Related Guides
See also: how to check if your email was breached, verifying sender legitimacy, and our data breach defense article.