Your password alone is not enough to protect your online accounts. Passwords can be stolen in data breaches, guessed by attackers, or obtained through phishing. Two-factor authentication (2FA) adds a second layer of protection β€” even if someone has your password, they cannot access your account without the second factor. Microsoft research found that 2FA blocks over 99.9% of automated account attacks.

πŸ” Accounts with two-factor authentication enabled are over 100 times less likely to be successfully hacked than accounts relying on passwords alone.

What is Two-Factor Authentication?

Two-factor authentication requires you to prove your identity in two different ways when logging in. The three categories of authentication factors are:

  • Something you know: Your password or PIN
  • Something you have: Your phone, a hardware key, or an authenticator app
  • Something you are: Your fingerprint or face

2FA combines two of these. Most commonly, you enter your password (something you know) and then a time-sensitive code from your phone (something you have). Even if an attacker steals your password, they cannot log in without physically having your phone.

Types of 2FA: Ranked by Security

Type Security Level Convenience Recommended?
Hardware key (YubiKey) ⭐⭐⭐⭐⭐ Medium Yes (high-risk accounts)
Authenticator App (TOTP) ⭐⭐⭐⭐ Good Yes β€” best for most people
Passkeys (biometric) ⭐⭐⭐⭐⭐ Excellent Yes β€” the future standard
SMS text codes ⭐⭐ Easy Better than nothing
Email codes ⭐⭐ Easy Better than nothing

⚠️ SMS-based 2FA (text messages) can be bypassed through SIM swapping attacks, where attackers convince your phone carrier to transfer your number to their SIM. Use an authenticator app instead whenever possible.

The Best Authenticator Apps

Aegis (Android) β€” Best Overall

Aegis is free, open-source, and the most feature-rich authenticator for Android. It supports encrypted backups, biometric protection, organising accounts into groups, and multiple import options. Strongly recommended for Android users.

Raivo (iOS) β€” Best for iPhone

Raivo is free, open-source, and specifically built for iOS. It supports iCloud backup and has a clean, simple interface. The best choice for iPhone users.

Bitwarden Authenticator β€” Best Integration

If you already use Bitwarden as your password manager, its built-in authenticator keeps your 2FA codes in the same place as your passwords. Convenient and secure.

Google Authenticator / Microsoft Authenticator

These are fine options and widely supported, but have been historically limited in backup and export features compared to Aegis or Raivo. Acceptable if you are already using them.

Advertisement

How to Set Up 2FA: Step-by-Step

Step 1: Download an authenticator app

Install Aegis (Android) or Raivo (iOS) from your app store.

Step 2: Go to your account’s security settings

For Google: myaccount.google.com > Security > 2-Step Verification. For most sites, look in Account Settings > Security > Two-Factor Authentication.

Step 3: Select “Authenticator App”

Choose the authenticator app option (not SMS if possible). The site will show you a QR code.

Step 4: Scan the QR code

Open your authenticator app, tap the “+” button, and scan the QR code displayed by the website. The account will appear in your app with a 6-digit code that refreshes every 30 seconds.

Step 5: Save your backup codes

Almost every service provides 10–12 one-time backup codes when you enable 2FA. Download or print these and store them somewhere safe β€” these are your way back in if you lose your phone. Store them in your password manager or a secure physical location.

Which Accounts Should You Protect First?

Prioritise in this order:

  1. Your email account β€” everything else can be reset via email
  2. Your password manager
  3. Banking and financial accounts
  4. Social media accounts (especially if they have saved payment methods)
  5. Cloud storage (Google Drive, iCloud, OneDrive)
  6. Any account with sensitive personal data

Final Thoughts

Setting up 2FA on your email account takes five minutes and makes it exponentially harder for anyone to access your account even if they know your password. Start with your email and password manager today β€” these two accounts are the keys to your entire digital life, and protecting them is the single highest-impact security action you can take.