Passwords alone are no longer enough. Data breaches expose billions of credentials every year, and once a password is compromised, an attacker can log into your accounts within seconds. Two-factor authentication (2FA) changes that equation entirely — Microsoft's research found that enabling multi-factor authentication blocks 99.9% of automated account compromise attacks. If you only do one thing to improve your digital security this year, enabling 2FA everywhere is it.
What Is Two-Factor Authentication?
Two-factor authentication requires you to verify your identity using two separate factors when logging in:
- Something you know — your password
- Something you have — a code from your phone, a hardware key, or a biometric prompt
Even if an attacker steals your password, they cannot access your account without the second factor. That single layer of additional verification is why 2FA is one of the most cost-effective security measures available to anyone.
The Four Types of 2FA (Ranked by Security)
1. SMS Text Codes — Convenient but Risky
SMS-based 2FA sends a one-time code to your phone number when you log in. It's the most common form of 2FA because almost everyone has a phone, but it's also the weakest option.
The problem is SIM swapping: attackers call your mobile carrier, impersonate you using personal details found on data broker sites, and convince a representative to transfer your phone number to a SIM card they control. Once they have your number, every SMS code goes to them. There are also vulnerabilities in the SS7 protocol that underpins the global phone network, which can allow sophisticated attackers to intercept text messages without ever touching your phone.
SMS 2FA is still far better than no 2FA — use it if it's your only option — but upgrade to an authenticator app as soon as possible.
2. Authenticator Apps — The Recommended Standard
Authenticator apps generate time-based one-time passwords (TOTP) directly on your device, with no network connection required. Because the codes never travel over the phone network, SIM swapping and SS7 attacks cannot intercept them. Popular options include:
- Google Authenticator — simple and widely supported
- Microsoft Authenticator — adds push notifications and password-less login for Microsoft accounts
- Authy — offers encrypted cloud backup for your 2FA codes, useful if you lose your phone
For most people, an authenticator app provides an excellent balance of security and convenience. This should be your minimum standard for any account that matters.
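To make concrete what "generated directly on your device" means, here is an added example (not code from the original post or from any authenticator app) implementing RFC 6238 TOTP in Python: the phone and the server share one secret plus a clock, so nothing about the code ever crosses the phone network. The secret is the RFC 6238 reference test value, and `verify_totp` is an assumed name for the server-side check with a small clock-drift window.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 reference secret (ASCII "12345678901234567890"), encoded as base32,
# which is how an authenticator app receives it from the provisioning QR code.
# Used here only as a test value; a real secret is random and per-account.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over a 64-bit counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # low nibble picks the window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros


def totp(secret_b32, unix_time=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP whose counter is the current 30-second time step.

    Only the shared secret and the device clock are needed, which is why an
    authenticator app works offline and a SIM swap cannot intercept the code.
    """
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(secret_b32, unix_time // step, digits)


def verify_totp(secret_b32, candidate, unix_time, window=1, step=30):
    """Server-side check (assumed helper, not from any specific service).

    Accepts the current step and `window` steps on either side so a phone whose
    clock drifts slightly still works; uses a constant-time comparison so the
    check itself leaks nothing about the expected code.
    """
    counter = unix_time // step
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret_b32, counter + drift), candidate):
            return True
    return False
```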
3. Hardware Security Keys — The Gold Standard
Hardware security keys like the YubiKey or Google Titan Key are physical devices you plug into a USB port or tap via NFC. They use public-key cryptography and are bound to specific websites, which means phishing attacks cannot trick you into handing over a code — the key simply will not authenticate on a fake site.
Hardware keys are the strongest 2FA option available. Consider using one for your email account, financial accounts, and any platform that could be used to reset your other passwords.
4. Passkeys — The Future of Authentication
Passkeys are the newest standard, supported by Apple, Google, Microsoft, and a growing number of services. They replace the password entirely with a cryptographic key pair stored on your device. Logging in means authenticating with Face ID, Touch ID, or your device PIN — no password to steal, no code to intercept. If a service offers passkeys, adopt them: they are both more secure and easier to use than passwords with 2FA.
Save Your Backup Codes
Every service that supports 2FA will offer one-time backup codes when you set it up. These codes let you regain access if you lose your phone or authenticator app. Print them or write them down and store them somewhere physically secure — a safe or a locked filing cabinet. Do not store them in a plain text file on your computer or in an unencrypted cloud document. If you use a password manager, storing them there with full-disk encryption enabled is acceptable.
How to Enable 2FA on the Platforms That Matter Most
Google Account
Go to myaccount.google.com, select Security in the left sidebar, then click 2-Step Verification. Google will walk you through adding a phone prompt, an authenticator app, or a hardware key. Because your Google account is often used to sign into dozens of other services, securing it is a top priority.
Apple ID
On iPhone or iPad: Settings > [Your Name] > Sign-In & Security > Two-Factor Authentication. On a Mac: System Settings > [Your Name] > Sign-In & Security. Apple uses trusted devices and phone numbers as second factors. Make sure your trusted phone number is current.
Facebook
Go to Settings & Privacy > Settings > Security and Login > Two-Factor Authentication. Facebook supports authentication apps and hardware keys — choose one of those over SMS.
Instagram
Tap the hamburger menu, go to Settings > Security > Two-Factor Authentication. Select an authentication app for the strongest protection.
X (formerly Twitter)
Go to Settings > Security and account access > Security > Two-Factor Authentication. Note that X has restricted SMS 2FA to paid subscribers — another good reason to use an authenticator app instead.
Amazon
Visit Account & Lists > Account > Login & Security and enable Two-Step Verification. Amazon supports authenticator apps and can send codes via the Amazon app.
Your Bank and Financial Accounts
Log into your bank's website and look in the security or account settings section. Most major banks now offer 2FA, though many still rely on SMS. Use whatever they offer — even SMS 2FA is a meaningful upgrade for financial accounts. If your bank only offers SMS, contact them and ask when they plan to support authenticator apps.
Warning: SMS 2FA and SIM Swap Attacks
SIM swapping is not theoretical — it has been used to drain cryptocurrency wallets, hijack social media accounts with large followings, and compromise email accounts used to reset banking passwords. Attackers gather personal details from data broker sites (your name, address, phone number, last four digits of your Social Security number) and use that information to social-engineer a carrier representative. The more personal data that is publicly available about you, the easier a SIM swap becomes. Removing your data from data brokers directly reduces this risk.
A Practical Priority Order
You don't have to secure everything at once. Work through this list in order:
- Email accounts first. Your email is the master key — it resets every other password. Secure Gmail, Outlook, iCloud Mail, or whatever you use before anything else. Use an authenticator app or hardware key, not SMS.
- Financial accounts. Banks, investment accounts, PayPal, Venmo, and any account connected to a payment method.
- Social media. Compromised social accounts are used to scam your contacts and can be nearly impossible to recover. Facebook, Instagram, and X deserve 2FA.
- Password manager. If you use one, protect it with a hardware key or the strongest 2FA it supports.
- Everything else. Work through your remaining accounts using your password manager's list — most will flag which accounts support 2FA.
2FA Is One Layer — Not the Whole Defense
Two-factor authentication is powerful, but it works best as part of a broader security posture. SIM swap attacks, for example, succeed not because 2FA is broken, but because attackers build a convincing profile of the target using personal data scraped from data broker sites — your phone number, address, date of birth, and family members' names.
PrivacyOn addresses that upstream risk by automating opt-out requests across 100+ data brokers and people-search sites. When your personal information is harder to find, social engineering attacks become harder to execute, SIM swaps become harder to pull off, and targeted phishing becomes less effective. 2FA protects your accounts from unauthorized login; removing your data from brokers makes you a harder target in the first place. Together, they form a much stronger defense than either one alone.
Start today: pick your most important account, turn on 2FA using an authenticator app, and save the backup codes somewhere safe. Then work down the list. An hour of setup now can prevent months of trying to recover a compromised account later.