Two-Factor Authentication: Why You Need It and How to Set It Up
Two-Factor Authentication: Why You Need It and How to Set It Up
Advertisement
Your password alone is not enough to protect your online accounts. Passwords can be stolen in data breaches, guessed by attackers, or obtained through phishing. Two-factor authentication (2FA) adds a second layer of protection β even if someone has your password, they cannot access your account without the second factor. Microsoft research found that 2FA blocks over 99.9% of automated account attacks.
π Accounts with two-factor authentication enabled are over 100 times less likely to be successfully hacked than accounts relying on passwords alone.
What is Two-Factor Authentication?
Two-factor authentication requires you to prove your identity in two different ways when logging in. The three categories of authentication factors are:
- Something you know: Your password or PIN
- Something you have: Your phone, a hardware key, or an authenticator app
- Something you are: Your fingerprint or face
2FA combines two of these. Most commonly, you enter your password (something you know) and then a time-sensitive code from your phone (something you have). Even if an attacker steals your password, they cannot log in without physically having your phone.
Types of 2FA: Ranked by Security
| Type | Security Level | Convenience | Recommended? |
|---|---|---|---|
| Hardware key (YubiKey) | βββββ | Medium | Yes (high-risk accounts) |
| Authenticator App (TOTP) | ββββ | Good | Yes β best for most people |
| Passkeys (biometric) | βββββ | Excellent | Yes β the future standard |
| SMS text codes | ββ | Easy | Better than nothing |
| Email codes | ββ | Easy | Better than nothing |
β οΈ SMS-based 2FA (text messages) can be bypassed through SIM swapping attacks, where attackers convince your phone carrier to transfer your number to their SIM. Use an authenticator app instead whenever possible.
The Best Authenticator Apps
Aegis (Android) β Best Overall
Aegis is free, open-source, and the most feature-rich authenticator for Android. It supports encrypted backups, biometric protection, organising accounts into groups, and multiple import options. Strongly recommended for Android users.
Raivo (iOS) β Best for iPhone
Raivo is free, open-source, and specifically built for iOS. It supports iCloud backup and has a clean, simple interface. The best choice for iPhone users.
Bitwarden Authenticator β Best Integration
If you already use Bitwarden as your password manager, its built-in authenticator keeps your 2FA codes in the same place as your passwords. Convenient and secure.
Google Authenticator / Microsoft Authenticator
These are fine options and widely supported, but have been historically limited in backup and export features compared to Aegis or Raivo. Acceptable if you are already using them.
Advertisement
How to Set Up 2FA: Step-by-Step
Step 1: Download an authenticator app
Install Aegis (Android) or Raivo (iOS) from your app store.
Step 2: Go to your account’s security settings
For Google: myaccount.google.com > Security > 2-Step Verification. For most sites, look in Account Settings > Security > Two-Factor Authentication.
Step 3: Select “Authenticator App”
Choose the authenticator app option (not SMS if possible). The site will show you a QR code.
Step 4: Scan the QR code
Open your authenticator app, tap the “+” button, and scan the QR code displayed by the website. The account will appear in your app with a 6-digit code that refreshes every 30 seconds.
Step 5: Save your backup codes
Almost every service provides 10β12 one-time backup codes when you enable 2FA. Download or print these and store them somewhere safe β these are your way back in if you lose your phone. Store them in your password manager or a secure physical location.
Which Accounts Should You Protect First?
Prioritise in this order:
- Your email account β everything else can be reset via email
- Your password manager
- Banking and financial accounts
- Social media accounts (especially if they have saved payment methods)
- Cloud storage (Google Drive, iCloud, OneDrive)
- Any account with sensitive personal data
Final Thoughts
Setting up 2FA on your email account takes five minutes and makes it exponentially harder for anyone to access your account even if they know your password. Start with your email and password manager today β these two accounts are the keys to your entire digital life, and protecting them is the single highest-impact security action you can take.
Advertisement
