Two-Factor Authentication (2FA): The Complete Setup Guide
Master two-factor authentication. Learn about TOTP apps, hardware keys, SMS codes, and passkeys, and how to set them up on every major platform.
Two-factor authentication (2FA) adds a second layer of security beyond your password. Even if someone steals your password, they can't access your account without the second factor.
The three factors of authentication:
- Something you know: Password, PIN, security question
- Something you have: Phone, hardware key, authenticator app
- Something you are: Fingerprint, face scan, voice
2FA combines two of these factors. A password (know) + authenticator code (have) is the most common combination.
Why it matters:
- Google reports that 2FA blocks 100% of automated bot attacks, 99% of phishing attacks (with hardware keys), and 96% of bulk phishing attacks (with TOTP)
Not all second factors are equal. Here's a ranking from most to least secure:
1. Hardware Security Keys (FIDO2/WebAuthn): ⭐⭐⭐⭐⭐
Physical devices like YubiKey or Google Titan. Phishing-proof because the browser, not the user, tells the key which domain is asking, and the key's response is bound to that domain.
- Pros: Phishing-resistant, works offline, no batteries
- Cons: Costs $25-60, can be lost, limited NFC on some phones
- Best for: High-value accounts, journalists, activists
2. Passkeys: ⭐⭐⭐⭐⭐
Cryptographic credentials stored on your device or password manager. The next generation of authentication.
- Pros: Phishing-resistant, no password needed, syncs across devices
- Cons: Still being adopted, not universally supported
- Best for: All accounts that support them
3. Authenticator Apps (TOTP): ⭐⭐⭐⭐
Apps like Google Authenticator, Authy, or Aegis generate time-based 6-digit codes.
- Pros: Free, works offline, widely supported
- Cons: Can be phished (the code says nothing about which site it is for, so a relaying phishing page can reuse it), device loss = lockout (if no backup)
- Best for: Most accounts, good balance of security and convenience
4. Push Notifications: ⭐⭐⭐
Apps like Duo or Microsoft Authenticator send approve/deny prompts.
- Pros: Easy to use, shows location info
- Cons: Requires internet, vulnerable to "MFA fatigue" attacks (an attacker with your password spams prompts until you approve one)
- Best for: Corporate environments
5. SMS Codes: ⭐⭐
One-time codes sent via text message.
- Pros: Works on any phone, easy setup
- Cons: Vulnerable to SIM swapping, SS7 attacks, network interception
- Best for: Only when no better option exists
6. Email Codes: ⭐
One-time codes sent to your email.
- Pros: No phone needed
- Cons: Email may already be compromised, delays
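The "MFA fatigue" weakness of push prompts is something a defender can watch for: a burst of prompts to one user, and especially an approval that follows earlier denials. The detector below is an added example, not code from this guide or any MFA product; the log format (timestamp, user, event, source IP) and the log lines themselves are constructed, so the field names and event names are assumptions you would map onto your own provider's export.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample push-MFA log (timestamp, user, event, source IP); not from
# any real product. alice is hammered with prompts and finally approves one.
SAMPLE_LOG = """\
2024-03-01T08:00:05Z alice push_sent 203.0.113.7
2024-03-01T08:00:40Z alice push_denied 203.0.113.7
2024-03-01T08:01:10Z alice push_sent 203.0.113.7
2024-03-01T08:01:50Z alice push_denied 203.0.113.7
2024-03-01T08:02:15Z alice push_sent 203.0.113.7
2024-03-01T08:02:30Z alice push_sent 203.0.113.7
2024-03-01T08:03:05Z alice push_sent 203.0.113.7
2024-03-01T08:03:40Z alice push_approved 203.0.113.7
2024-03-01T08:05:00Z bob push_sent 198.51.100.4
2024-03-01T08:05:20Z bob push_approved 198.51.100.4
"""


def parse_log(text):
    """One dict per line; malformed lines are skipped rather than crashing the detector."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, event, src_ip = parts
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "event": event, "src_ip": src_ip})
    return events


def detect_mfa_fatigue(events, window=timedelta(minutes=10), max_prompts=3):
    """Alert when a user receives more than `max_prompts` push prompts inside
    `window`. Severity is raised to high if an approval follows an earlier
    denial in that burst, the signature of a user giving in to the spam."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_user[ev["user"]].append(ev)

    alerts = []
    for user, evs in by_user.items():
        sent = [e["ts"] for e in evs if e["event"] == "push_sent"]
        for i, start in enumerate(sent):
            burst = [t for t in sent[i:] if t - start <= window]
            if len(burst) <= max_prompts:
                continue
            # Everything this user did from the first prompt of the burst until
            # one window after its last prompt, so a late approval is still seen.
            span = [e for e in evs if start <= e["ts"] <= burst[-1] + window]
            denials = [e["ts"] for e in span if e["event"] == "push_denied"]
            approved_after_denial = bool(denials) and any(
                e["event"] == "push_approved" and e["ts"] > denials[0] for e in span)
            alerts.append({
                "user": user,
                "prompts": len(burst),
                "window_start": start.isoformat(),
                "source_ips": sorted({e["src_ip"] for e in span}),
                "approved_after_denial": approved_after_denial,
                "severity": "high" if approved_after_denial else "medium",
            })
            break  # one alert per user per run
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(parse_log(SAMPLE_LOG)):
        print(alert)
```

Run against the sample, the detector raises one high-severity alert for alice (five prompts in under four minutes, approved after two denials) and nothing for bob, whose single prompt and approval is normal. The thresholds are starting points; tune `max_prompts` and `window` to your own prompt volume, and treat the "approved after denial" case as the one that needs a password reset and session revocation, not just a ticket.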
TOTP (Time-based One-Time Password) is the most practical 2FA method for most people.
Recommended apps:
| App | Platform | Backup | Open Source |
|---|---|---|---|
| Aegis | Android | Encrypted export | Yes |
| Raivo/2FAS | iOS | iCloud/export | Yes |
| Ente Auth | iOS/Android | End-to-end cloud | Yes |
| Bitwarden | All | Cloud vault | Yes |
| Google Authenticator | All | Google account | No |
| Authy | All | Encrypted cloud | No |
Setup steps:
- Go to your account's security settings
- Find "Two-factor authentication" or "2-step verification"
- Choose "Authenticator app"
- Scan the QR code with your authenticator app
- Enter the 6-digit code to verify
- Save your backup/recovery codes in your password manager
- Export your authenticator data regularly
Critical: Back up your TOTP secrets! The QR code you scanned is the secret; once the app holds it, a lost or wiped phone means a lost second factor unless you exported it.
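To make the setup steps concrete, here is what happens behind the QR code, as an added example in Python (not code from this guide or from any of the apps in the table). The QR code encodes an `otpauth://` URI carrying a base32 secret; the app computes RFC 4226 HOTP over a counter derived from the clock (RFC 6238 TOTP), and the server recomputes it with a small window for clock drift. The secret below is the RFC 6238 test vector and the account label is a constructed sample; `parse_otpauth`, `decode_secret` and the other function names are this example's own.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

DIGESTS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def parse_otpauth(uri):
    """Parse the otpauth:// URI that a 2FA QR code encodes.

    Returns label, base32 secret, algorithm, digits and period, with RFC 6238
    defaults for anything the URI leaves out.
    """
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    if "secret" not in params:
        raise ValueError("otpauth URI carries no secret")
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "secret": params["secret"],
        "algorithm": params.get("algorithm", "SHA1").upper(),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
    }


def hotp(secret, counter, digits=6, algorithm="SHA1"):
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), DIGESTS[algorithm]).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def decode_secret(secret_b32):
    """Secrets in QR codes are often unpadded, spaced or lower-case; normalise first."""
    cleaned = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def totp(secret_b32, for_time=None, digits=6, period=30, algorithm="SHA1"):
    """RFC 6238: HOTP with counter = floor(unix_time / period)."""
    t = int(time.time() if for_time is None else for_time)
    return hotp(decode_secret(secret_b32), t // period, digits, algorithm)


def verify_totp(secret_b32, candidate, for_time=None, window=1,
                digits=6, period=30, algorithm="SHA1"):
    """Server side: accept the current step and +/- `window` steps of clock
    drift, comparing in constant time. The code carries nothing about which
    site it is for, which is why a relaying phishing page can reuse it."""
    t = int(time.time() if for_time is None else for_time)
    for step in range(-window, window + 1):
        expected = totp(secret_b32, t + step * period, digits, period, algorithm)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


# RFC 6238 Appendix B test secret "12345678901234567890", base32-encoded;
# the account label is a constructed sample, not a real account.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
SAMPLE_URI = "otpauth://totp/Example:alice@example.com?secret=" + RFC_SECRET + "&issuer=Example"

if __name__ == "__main__":
    cfg = parse_otpauth(SAMPLE_URI)
    print(cfg["label"], totp(cfg["secret"], for_time=59))      # 287082 per RFC 6238
    print(verify_totp(cfg["secret"], "287082", for_time=89))  # True: one step late, inside the window
```

Two things worth noticing: the whole secret lives in the URI, so exporting it (the "back up your TOTP secrets" step) is just saving that string somewhere encrypted, and anyone who can read the QR code or the export can generate your codes. And `verify_totp` shows why a wider drift window is a security trade-off: each extra step is another code an attacker could guess or replay.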
Hardware keys are the gold standard, providing phishing-proof authentication.
How they work:
- You insert or tap the key when prompted during login
- The browser passes the site's real domain (the relying-party ID) to the key, and the key signs the site's challenge with a credential tied to that domain
- A unique response is generated: different for every site
- A phishing site at "g00gle.com" would get a different (invalid) response, because the key is told the domain you are actually on, not the one you think you are on
Recommended keys:
- YubiKey 5 series ($50-75): USB-A/C + NFC, supports FIDO2, TOTP, PIV
Best practices:
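The "different response for every site" behaviour is easiest to see from the server's side. Below is an added example, not code from this guide or from any key vendor, that walks through the relying-party checks of a WebAuthn login (origin, rpIdHash, user-presence flag, signature counter, signature) against a simulated authenticator. The simulation derives one key per domain from a master secret, much as real keys wrap a per-site credential, but uses HMAC where a real key would produce an ECDSA signature; the class and function names, the origins and the challenge string are all constructed for the example.

```python
import hashlib
import hmac
import json
import os
import struct
from urllib.parse import urlparse


class SimulatedSecurityKey:
    """Stand-in for a FIDO2 authenticator. A master secret derives one key per
    relying-party ID (mirroring how real keys wrap a per-site key pair); HMAC
    replaces the ECDSA signature a real key would produce."""

    def __init__(self):
        self.master = os.urandom(32)
        self.counter = 0  # signature counter: lets the RP spot replays and cloned keys

    def _rp_key(self, rp_id):
        return hmac.new(self.master, rp_id.encode(), hashlib.sha256).digest()

    def register(self, rp_id):
        # A real key hands back a public key; in this simulation the RP stores
        # the shared verification key instead.
        return self._rp_key(rp_id)

    def sign(self, rp_id, client_data_json):
        # rp_id comes from the browser, derived from the page's real origin. The
        # key never sees a user-typed hostname, so a lookalike domain gets a
        # different key and a different rpIdHash.
        self.counter += 1
        auth_data = (hashlib.sha256(rp_id.encode()).digest()  # rpIdHash (32 bytes)
                     + bytes([0x01])                          # flags: UP (user present)
                     + struct.pack(">I", self.counter))       # signature counter
        to_sign = auth_data + hashlib.sha256(client_data_json).digest()
        return auth_data, hmac.new(self._rp_key(rp_id), to_sign, hashlib.sha256).digest()


def browser_get_assertion(key, origin, challenge):
    """What navigator.credentials.get() does: bind the challenge to the page
    origin in clientDataJSON and hand the origin's host to the key as RP ID."""
    rp_id = urlparse(origin).hostname
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()
    auth_data, sig = key.sign(rp_id, client_data)
    return client_data, auth_data, sig


def rp_verify(rp_id, allowed_origins, expected_challenge, stored_key,
              last_counter, client_data, auth_data, sig):
    """Relying-party side of the WebAuthn assertion-verification procedure.
    Returns (ok, reason, counter_to_store)."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong clientData type", last_counter
    if not hmac.compare_digest(str(cd.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch", last_counter
    if cd.get("origin") not in allowed_origins:
        return False, "origin %r not allowed" % cd.get("origin"), last_counter
    if len(auth_data) < 37:
        return False, "authenticatorData too short", last_counter
    if not hmac.compare_digest(auth_data[:32], hashlib.sha256(rp_id.encode()).digest()):
        return False, "rpIdHash mismatch", last_counter
    if not auth_data[32] & 0x01:
        return False, "user-presence flag not set", last_counter
    counter = struct.unpack(">I", auth_data[33:37])[0]
    if counter <= last_counter:
        return False, "signature counter did not increase (replay or cloned key)", last_counter
    expected_sig = hmac.new(stored_key, auth_data + hashlib.sha256(client_data).digest(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, sig):
        return False, "bad signature", last_counter
    return True, "ok", counter


def demo():
    """A legitimate login succeeds; the same key used on a lookalike domain is rejected."""
    rp_id, origin = "accounts.example.com", "https://accounts.example.com"
    key = SimulatedSecurityKey()
    stored_key, last_counter = key.register(rp_id), 0
    challenge = "c2VydmVyLXJhbmRvbS1jaGFsbGVuZ2U"  # constructed sample challenge

    ok, why, last_counter = rp_verify(rp_id, [origin], challenge, stored_key, last_counter,
                                      *browser_get_assertion(key, origin, challenge))
    legit = (ok, why)

    # Same user, same key, tricked onto a lookalike domain. Even if the attacker
    # relays this assertion to the real site, verification fails.
    phished = rp_verify(rp_id, [origin], challenge, stored_key, last_counter,
                        *browser_get_assertion(key, "https://accounts-example.com", challenge))[:2]
    return legit, phished


if __name__ == "__main__":
    print(demo())
```

The phished assertion fails on the origin check first, and would fail again on rpIdHash and on the signature even if the origin check were skipped, because the key derived a different credential for the lookalike host. The signature-counter check is the other practical lesson: store the counter per credential and refuse any assertion that does not move it forward.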
Google:
- Go to myaccount.google.com → Security → 2-Step Verification
- Choose "Security Key" or "Authenticator App"
- Follow prompts, save 10 backup codes
Microsoft:
- Go to account.microsoft.com → Security → Advanced security
- Add "Authenticator app" or "Security key"
- Save backup/recovery code
Apple:
- Settings → [Your Name] → Sign-In & Security → Two-Factor Authentication
- Apple uses push notifications to trusted devices by default
- Consider adding a hardware key under Security Keys
GitHub:
- Settings → Password and authentication → Two-factor authentication
- Add TOTP app, then add security key for phishing protection
- Save recovery codes, download them
Social Media (Facebook, Instagram, Twitter/X):
- All support TOTP and hardware keys
Banking & Financial:
The biggest risk with 2FA is losing access to your second factor.
Your recovery plan:
- Save recovery codes: Store them in your password manager AND print a copy
- Register multiple methods: TOTP app + hardware key + backup codes
- Register multiple devices: If your authenticator supports it
- Keep a backup hardware key: Registered on all important accounts
- Document your 2FA inventory: Which accounts use which methods
If you lose your phone:
- Use saved backup codes to log in
- Use your backup hardware key
- Contact the service's support team with identity verification
- Reconfigure 2FA with your new device
Emergency access:
- Some password managers (1Password, Bitwarden) support emergency access