Two-Factor Authentication Guide: How to Enable 2FA on Every Important Account
Two-factor authentication is the single most effective step you can take to protect your accounts from being hacked — even if your password is stolen, 2FA stops attackers cold. This guide explains how 2FA works, the different types ranked by security, and exactly how to enable it on your most critical accounts today.
Why Two-Factor Authentication Is Non-Negotiable
Passwords alone are no longer enough. Data breaches expose billions of credentials every year, and password reuse means one leaked password can unlock dozens of accounts. Phishing campaigns trick even security-aware users into typing their credentials into fake login pages. Credential stuffing bots test leaked usernames and passwords across hundreds of services automatically.
Two-factor authentication (2FA) undermines all of these attacks. Even if an attacker has your exact password, they cannot log in without the second factor, something only you possess. According to Google's research, adding 2FA blocks 100% of automated bot attacks, 96% of bulk phishing attacks, and 76% of targeted attacks.
If you do nothing else for your online security this year, enable 2FA on your email, banking, and primary social media accounts. Use our free password generator to create a strong primary password first, then layer 2FA on top for maximum protection.
The 4 Types of 2FA (Ranked by Security)
Not all 2FA is created equal. Here is how the main types compare, from weakest to strongest:
1. SMS text message codes — The most common type, also the weakest. A 6-digit code is sent to your phone number. The problem: SIM swapping attacks allow criminals to hijack your phone number, and SMS codes can be intercepted. Still much better than no 2FA, but upgrade to an authenticator app when the option exists.
2. Authenticator apps (TOTP) — Apps like Google Authenticator, NordPass Authenticator, or Authy generate time-based one-time passwords (TOTP) that rotate every 30 seconds. These work offline and are not vulnerable to SIM swapping. This is the recommended default for most people.
3. Push notifications — Apps like Microsoft Authenticator and Duo send a push notification to your phone asking you to approve or deny a login attempt. Convenient and secure, but beware of "MFA fatigue" attacks where criminals spam approval requests hoping you'll click approve by accident.
4. Hardware security keys (FIDO2/WebAuthn) — Physical devices like a YubiKey that you plug in or tap via NFC. These are phishing-proof: the credential on the key is bound to the legitimate site's web origin and the key only signs a login challenge for that origin, so a fake login page never receives a valid response and has no code to steal. This is the gold standard for high-value accounts.
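As an added example that is not part of this guide, here is the TOTP computation behind item 2 (RFC 6238: HMAC-SHA1 over a 30-second time counter, truncated to 6 digits), plus the server-side check that tolerates one step of clock skew and refuses to accept a code twice. The secret is the RFC reference key in base32, used here purely as a constructed demo value; the class and function names are this example's own.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo secret: the RFC 6238 reference key "12345678901234567890",
# base32-encoded the way an enrollment QR code would carry it.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30
DIGITS = 6

def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret_b32: str, now: Optional[float] = None) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second window."""
    key = base64.b32decode(secret_b32.upper(), casefold=True)
    now = time.time() if now is None else now
    return hotp(key, int(now // STEP_SECONDS))

class TotpVerifier:
    """Verifier side: accept the current window and one step either side for
    clock drift, but never accept a window that was already used (replay)."""
    def __init__(self, secret_b32: str, skew_steps: int = 1) -> None:
        self.key = base64.b32decode(secret_b32.upper(), casefold=True)
        self.skew = skew_steps
        self.last_accepted = -1  # highest counter value already consumed

    def verify(self, code: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        current = int(now // STEP_SECONDS)
        for counter in range(current - self.skew, current + self.skew + 1):
            if counter <= self.last_accepted:
                continue  # a code for this window was already used once
            if hmac.compare_digest(hotp(self.key, counter), code.strip()):
                self.last_accepted = counter
                return True
        return False

if __name__ == "__main__":
    print(totp(DEMO_SECRET_B32, now=59))  # window 1 -> 287082 (RFC 6238 test vector)
    print(totp(DEMO_SECRET_B32))          # the code an authenticator app would show now
```

Because only the shared secret and the clock go into the code, the app needs no network, which is why TOTP keeps working offline and is unaffected by SIM swapping.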
How to Enable 2FA on Your Most Important Accounts
Google / Gmail: Go to myaccount.google.com → Security → 2-Step Verification → Get started. Google supports SMS, authenticator apps, hardware keys, and Google prompts (push notifications). For maximum security, enroll a hardware key as your primary method.
Apple ID: On iPhone, go to Settings → [Your Name] → Password & Security → Two-Factor Authentication. On Mac, go to System Settings → [Your Name] → Password & Security. Apple's 2FA sends a code to your trusted Apple devices — you cannot use a third-party authenticator app.
Microsoft: Go to account.microsoft.com → Security → Advanced security options → Two-step verification. Microsoft Authenticator with push notifications is the easiest option; you can also use hardware keys.
Banks and financial accounts: Most major banks now offer 2FA under Settings → Security. If your bank only offers SMS codes, use them — it is still meaningfully better than password-only. If your bank offers no 2FA option, consider switching to one that does.
Social media: Every major platform (Instagram, Facebook, X/Twitter, LinkedIn, TikTok) now offers 2FA under Settings → Security. Enable it everywhere — social accounts are commonly hijacked for scams targeting your followers.
Backup Codes: What They Are and Where to Store Them
Every service that offers 2FA also provides backup codes — a set of one-time-use codes you can use if you lose access to your authenticator app or phone. These are critical. Without them, losing your phone can lock you out of your accounts permanently.
When you enable 2FA, download or print your backup codes immediately. Store them in at least two places: a printed copy in a secure location (like a home safe or lockbox) and a digital copy in a password manager. Never store them only on the phone that has your authenticator app — if you lose the phone, you lose both the 2FA method and the backup codes.
Store the backup codes for each service alongside its password in your password manager vault. NordPass and 1Password both have secure note fields designed for exactly this purpose.
2FA Action Plan: Do These 5 Things Today
If you are starting from zero, work through this list in order of account importance:
1. Enable 2FA on your primary email account first — it is the account recovery key for everything else. Use an authenticator app, not SMS.
2. Enable 2FA on your password manager, if you use one. A compromised password manager is a disaster; protect it with your strongest 2FA method.
3. Enable 2FA on your bank and financial accounts. SMS is acceptable here if it is the only option.
4. Enable 2FA on your Apple ID or Google account — these control access to your devices, photos, and linked apps.
5. Enable 2FA on social media accounts. These are frequently targeted to scam your contacts.
Set a reminder to do one account per day if five feels overwhelming. The first three are the most critical and take less than ten minutes each.
Recommended Tools
For storing the passwords and backup codes you generate, we recommend NordPass (zero-knowledge encryption, free tier available) or 1Password for family or team use. Both include secure note storage for backup codes and support 2FA on the vault itself.
See our full security tools guide for more recommendations.