Security · 6 min read

Two-Factor Authentication: The 5-Minute Setup That Could Save Your Accounts

A practical guide to TOTP apps, SMS codes, and hardware keys — and which one you should actually use.

Andri

You've heard you should enable two-factor authentication. Maybe you've even enabled it on a few accounts. But do you actually understand what you're doing, or are you just clicking buttons?

Here's a quick, practical guide to 2FA — what the different options mean, which one to pick, and how to set it up without locking yourself out.

Why Bother?

Passwords get stolen. It happens through phishing, data breaches, malware, or just being reused on a site that gets hacked.

Two-factor authentication (2FA) means that even if someone has your password, they still can't get into your account without the second factor — usually your phone or a physical key.

Is it inconvenient? Slightly. Is it worth it? Absolutely. Especially for:

  • Email (it's the keys to your kingdom)
  • Banking and financial accounts
  • Social media
  • Anything work-related

The Options Explained

SMS Codes

The site texts you a code when you log in.

Pros: Easy. Everyone has a phone.

Cons: SIM swapping attacks let criminals port your number to their phone. SMS can be intercepted. It's better than nothing, but it's the weakest option.

Verdict: Use it if it's the only option. Otherwise, use something better.

Authenticator Apps (TOTP)

Apps like Google Authenticator, Authy, or 1Password generate time-based one-time codes (TOTP) that change every 30 seconds.

Pros: Much more secure than SMS. Works offline. No phone number needed.

Cons: If you lose your phone without backup codes, you're locked out.

Verdict: This is what most people should use.

Hardware Keys (FIDO2/WebAuthn)

Physical devices like YubiKey or Google Titan that you plug in or tap.

Pros: Most secure option. Phishing-resistant — the credential is bound to the real site's domain, so a look-alike site can't use it. Can't be remotely stolen.

Cons: Costs €25-50. You need to carry it. Need a backup key in case you lose one.

Verdict: Great for high-security accounts. Journalists, activists, execs, and anyone with elevated risk should use these.

Passkeys

The new kid on the block. Cryptographic keys stored in your device or password manager.

Pros: Phishing-resistant like hardware keys. No codes to type. Getting wider support.

Cons: Still not universally supported. Recovery can be confusing if you switch devices.

Verdict: Use them where available, but keep other methods as backup.
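Why hardware keys and passkeys resist phishing comes down to one detail: the browser, not the web page, tells the key which site it is signing for. The toy model below is an added illustration, not WebAuthn or any vendor's code: the `Authenticator`, `Browser` and `Server` classes and the hostnames are constructed for the example, and an HMAC over a secret shared with the server stands in for the real per-credential signature (a real server holds only the public key).

```python
import hashlib
import hmac
import secrets

# Added illustration, not WebAuthn itself: a toy model of why a security key
# (or passkey) cannot be phished. HMAC with a shared secret stands in for the
# real per-credential signature, and the "server" keeps a copy of that secret
# where a real server would hold only the public key.


class Authenticator:
    """The key: one credential per relying-party ID (rp_id), nothing else."""

    def __init__(self):
        self._creds = {}  # rp_id -> credential secret

    def register(self, rp_id):
        key = secrets.token_bytes(32)
        self._creds[rp_id] = key
        return key

    def get_assertion(self, rp_id, challenge):
        # The key only signs for an rp_id it holds a credential for, and the
        # rp_id itself is folded into what gets signed.
        if rp_id not in self._creds:
            return None
        return hmac.new(self._creds[rp_id], rp_id.encode() + challenge,
                        hashlib.sha256).digest()


class Browser:
    """The browser derives rp_id from the origin it actually loaded."""

    def __init__(self, authenticator):
        self._auth = authenticator

    def sign_in(self, current_origin, challenge):
        hostname = current_origin.split("://", 1)[1].split("/", 1)[0]
        return self._auth.get_assertion(hostname, challenge)


class Server:
    """The real site: issues single-use challenges and checks assertions."""

    def __init__(self, rp_id, cred_key):
        self.rp_id = rp_id
        self._key = cred_key
        self._pending = set()

    def new_challenge(self):
        ch = secrets.token_bytes(32)
        self._pending.add(ch)
        return ch

    def verify(self, challenge, assertion):
        if assertion is None or challenge not in self._pending:
            return False
        self._pending.discard(challenge)  # single use: a replay fails
        expected = hmac.new(self._key, self.rp_id.encode() + challenge,
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion)


def demo():
    key = Authenticator()
    browser = Browser(key)
    server = Server("example.com", key.register("example.com"))

    # Legitimate login on the real site.
    ch = server.new_challenge()
    ok = server.verify(ch, browser.sign_in("https://example.com/login", ch))

    # A look-alike site (constructed hostname) relays the real challenge to
    # the victim. The browser passes the look-alike's hostname, which has no
    # credential, so there is nothing for the attacker to forward.
    ch2 = server.new_challenge()
    phished = browser.sign_in("https://examp1e.com/login", ch2)
    return ok, phished, server.verify(ch2, phished)


if __name__ == "__main__":
    print(demo())  # (True, None, False)
```

Contrast this with a TOTP code: the same six digits are valid wherever the user types them, so a look-alike site can relay them to the real one in real time. The key's answer depends on the domain the browser saw, so the relay has nothing usable to pass on.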

Setting Up an Authenticator App

This takes about 5 minutes per account. I'll use Google Authenticator as an example, but Authy, Microsoft Authenticator, and 1Password all work similarly.

Step 1: Install an Authenticator App

Download one of these (all free):

  • Google Authenticator (iOS/Android) — Simple, no-frills
  • Authy (iOS/Android) — Has cloud backup, can sync across devices
  • Microsoft Authenticator (iOS/Android) — Good if you use Microsoft services
  • 1Password (paid) — Integrates with your password manager

I personally use Authy because it backs up to the cloud. Yes, this is slightly less secure than local-only, but it means I won't lose everything if my phone dies.

Step 2: Enable 2FA on the Account

Go to the security settings of whatever service you're securing. Look for:

  • "Two-factor authentication"
  • "Two-step verification"
  • "Login security"

Choose "Authenticator app" (not SMS if you have the choice).

Step 3: Scan the QR Code

The site will show a QR code. Open your authenticator app, tap the + button, and scan it. The app will start generating 6-digit codes.

Step 4: Enter the Code

Type the current code from your app into the website to confirm it worked.

Step 5: Save Your Backup Codes

This is the step people skip and then regret.

Most sites give you a set of backup codes (usually 8-10 of them). These are one-time codes that work if you lose access to your authenticator.

Save these somewhere safe:

  • Print them and put them with important documents
  • Store them in your password manager
  • Save them in an encrypted note

Do NOT just screenshot them and forget about it.

Which Accounts to Prioritize

Don't try to do everything at once. Start with the accounts that would hurt most if compromised:

  1. Primary email — If someone has this, they can reset passwords to everything else
  2. Financial accounts — Banking, investment, PayPal, Venmo
  3. Password manager — If you use one (you should)
  4. Social media — Especially if you have a following or use it professionally
  5. Work accounts — Your employer may require this anyway
  6. Cloud storage — Google Drive, Dropbox, iCloud

Setting Up a Hardware Key

If you want to go a step further (or if you're a high-value target), here's how to set up a YubiKey.

Step 1: Buy Two Keys

Yes, two. One primary, one backup. If you lose your only key, you're locked out of everything. YubiKey 5 series works with most services. About €50 each.

Step 2: Register Both Keys

For each account you want to protect:

  1. Go to security settings
  2. Add security key
  3. Touch or insert your key when prompted
  4. Repeat with your backup key

Step 3: Store the Backup Key Safely

Put it somewhere secure but accessible — a home safe, safe deposit box, or at a trusted family member's house.

Step 4: Keep Other 2FA Methods as Fallback

Most services let you have multiple 2FA methods. Keep your authenticator app set up as a backup.

Common Mistakes to Avoid

Not saving backup codes. Please. I'm begging you.

Using only SMS. It's better than nothing, but upgrade to an authenticator app if the service supports it.

Putting all 2FA in one place. If your only 2FA is on your phone and your phone gets stolen/destroyed, you're in trouble. Have backups.

Ticking "Remember this device" carelessly. Using this on your personal computer is fine. Using it on public or shared computers is not.

Not testing it. After setup, log out and log back in to make sure it works.

What If I Lose Access?

If you lose your phone and can no longer reach your authenticator:

  1. Try backup codes (you did save them, right?)
  2. Check other devices — some authenticators sync across devices
  3. Contact support — most services have account recovery processes, but they're slow and you'll need to verify your identity
  4. Use a recovery phone number if you set one up

This is why backup codes matter. Recovery is a pain.

Quick Setup Checklist

Here's your 15-minute security upgrade:

  • [ ] Install an authenticator app (Authy, Google Authenticator, etc.)
  • [ ] Enable 2FA on your primary email
  • [ ] Save the backup codes somewhere safe
  • [ ] Enable 2FA on your bank accounts
  • [ ] Enable 2FA on your password manager
  • [ ] Enable 2FA on social media

Done? Congratulations. You're now significantly harder to hack than 90% of people.

The Bottom Line

Two-factor authentication isn't perfect, but it stops the vast majority of account takeovers. The few seconds it adds to logging in are nothing compared to the hours you'd spend recovering a compromised account.

Start with your email. Do it today. The setup takes less time than reading this article did.
