GlyphSignal

Two-Factor Authentication (2FA) Setup Guide — 2026 Edition

Reviewed by GlyphSignal · Updated 2026-06-03

Editorial disclosure: This guide is independently written and regularly updated by the GlyphSignal team. We do not accept affiliate commissions, sponsored placements, or paid reviews. Dynamic data is sourced from public APIs (GitHub, Wikipedia, financial data providers) and refreshed automatically. Content is provided for informational purposes only and does not constitute financial, legal, or professional advice. Read our full disclaimer.

⚡ Key Takeaways
  • Authenticator apps (TOTP) are the right choice for most people — free, work offline, and are supported everywhere
  • SMS-based 2FA is vulnerable to SIM-swapping but still better than no 2FA at all
  • Hardware security keys (YubiKey, Titan) are the strongest option, especially for high-value accounts
  • Always save backup codes when setting up 2FA — store them on paper in a secure location
  • Prioritise 2FA on email first, then financial accounts, then everything else

Two-factor authentication means requiring a second proof of identity beyond your password — usually a code from an app on your phone or a physical security key. It's the single most effective defence against account takeover, because even if your password leaks in a data breach, the attacker still can't get in without your second factor. This guide walks through exactly how to set it up, which methods to choose, and how to handle recovery.

The three types of second factors

Not all 2FA is created equal. Here's what's available and how they compare:

  • Authenticator apps (TOTP) — Apps like Google Authenticator, Authy, or Aegis generate a new six-digit code every 30 seconds from a shared secret and the current time. The code is calculated locally on your device, so it works without an internet connection. This is the best balance of security, convenience, and compatibility for most people.
  • SMS codes — The service sends a text message with a code. This is the weakest form of 2FA because phone numbers can be hijacked through SIM-swapping (an attacker convinces your carrier to transfer your number to their SIM). That said, SMS 2FA still blocks the vast majority of automated credential-stuffing attacks. It's not ideal, but it's far better than password-only.
  • Hardware security keys — Physical USB/NFC devices like YubiKey or Google Titan Key. When you log in, you plug in or tap the key to prove you're physically present. These are phishing-resistant by design: the browser ties each login challenge to the real site's domain, so a credential registered with the genuine site cannot be used to sign in to a look-alike page. This is the strongest option and the only one of the three that completely defeats phishing.

If you can only pick one: use an authenticator app for everything. If you want the best possible security on your most important accounts (email, financial), add a hardware key.

Setting up TOTP (authenticator app)

The process is nearly identical across all services:

  1. Go to the account's security settings and find the 2FA or "two-step verification" option
  2. Select "Authenticator app" as the method
  3. The service displays a QR code — scan it with your authenticator app
  4. The app starts generating six-digit codes that rotate every 30 seconds
  5. Enter the current code to confirm setup
  6. The service gives you backup codes — save these immediately (see below)

Choosing an authenticator app: Google Authenticator is the most widely known but lacks cloud backup. Authy adds encrypted cloud sync so you can recover if you lose your phone. Aegis (Android, open-source) and Raivo (iOS, open-source) are good privacy-focused alternatives. Some password managers (Bitwarden, 1Password) can also store TOTP secrets, which is convenient but puts both factors in one vault: whoever gets into the vault gets the password and the code generator together.
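Added example, not code from the guide: how an authenticator app turns the shared secret carried in the QR code into the six-digit, 30-second code described above, and how a service should check a submitted code (a small clock-drift window, no reuse of an already-accepted step, constant-time comparison). The function names are my own; the test key is the one published in RFC 6238 Appendix B, and the base32 form is how otpauth:// URIs carry the secret.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # TOTP time step (RFC 6238 "X")
DIGITS = 6

def totp_code(secret: bytes, unix_time: int) -> str:
    """Code an authenticator app shows for the 30-second step containing unix_time."""
    counter = unix_time // STEP_SECONDS              # T = floor(now / X)
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # RFC 4226 dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)

def secret_from_base32(b32: str) -> bytes:
    """Decode the secret as shown in an otpauth:// QR code (base32, usually unpadded)."""
    s = b32.replace(" ", "").strip().upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))

def verify_totp(secret: bytes, submitted: str, unix_time: int,
                last_used_counter: int, skew_steps: int = 1):
    """Server-side check (hypothetical helper). Accepts the current step or up to
    skew_steps either side for clock drift, refuses any step at or before the last
    accepted one so a captured code cannot be replayed, and compares in constant
    time. Returns (accepted, last_used_counter_to_store)."""
    if not (submitted.isascii() and submitted.isdigit() and len(submitted) == DIGITS):
        return False, last_used_counter
    now_counter = unix_time // STEP_SECONDS
    for delta in range(-skew_steps, skew_steps + 1):
        counter = now_counter + delta
        if counter <= last_used_counter:
            continue
        expected = totp_code(secret, counter * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):
            return True, counter
    return False, last_used_counter

if __name__ == "__main__":
    # Constructed demo: RFC 6238's published SHA-1 test key, base32-encoded as a QR would carry it
    key = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    now = int(time.time())
    print("current code:", totp_code(key, now))
    ok, last = verify_totp(key, totp_code(key, now), now, -1)
    print("accepted:", ok, "step:", last)
```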

Backup codes: the step most people skip

When you enable 2FA, almost every service gives you a set of one-time backup codes. These are your emergency access method if you lose your phone, break your security key or can't access your authenticator app. If you skip saving these, you are setting yourself up for a lockout that can take days or weeks to resolve.

How to store backup codes safely:

  • Print them on paper — Store in a fireproof safe, safety deposit box, or another secure physical location. Paper can't be hacked remotely.
  • Save in your password manager — If you use a password manager, store codes alongside the login entry. This is convenient but means losing access to your vault also means losing your backup codes.
  • Don't screenshot them and leave the image on your phone — If someone gains access to your phone, they have both your authenticator app AND your backup codes.

Test one backup code after setting up 2FA. Log out, then log back in using a backup code instead of your authenticator app. Confirm it works before you actually need it.

Which accounts to secure first

If you're just getting started with 2FA, prioritise in this order:

  1. Email — Your email is the master key. Anyone who controls it can reset passwords on everything else. Secure this first. See our email security guide for more.
  2. Financial accounts — Banks, investment accounts, payment services (PayPal, Venmo, etc.)
  3. Cloud storage — Google Drive, Dropbox, iCloud — wherever your documents and photos live
  4. Social media — Accounts with large followings are targeted for impersonation and scams
  5. Password manager — If you use one, protect the vault itself with 2FA
  6. Everything else — Work through the rest of your accounts over time. Most services now support 2FA.

What to do when you lose your phone

This is the scenario everyone worries about, and it's manageable if you prepared:

  • If you saved backup codes — Use a backup code to log in, then set up 2FA on your new device. Rotate all TOTP secrets afterward (disable and re-enable 2FA) since your old device still has the old secrets until remotely wiped.
  • If you use Authy with cloud sync — Install Authy on your new device, verify via your phone number (assuming you can recover your SIM), and all your TOTP codes sync back.
  • If you used Google Authenticator without transfer — You'll need those backup codes. Without them, you'll have to go through each service's account recovery process, which may require identity verification and can take days.
  • If you have a hardware security key — The key is unaffected by phone loss. Use it to log in and reconfigure your authenticator on the new device.

Remotely wipe your lost phone as soon as possible through Find My iPhone (Apple) or Find My Device (Google) to prevent anyone from accessing your authenticator app and other data.

Frequently Asked Questions

Is SMS 2FA safe?

SMS 2FA is vulnerable to SIM-swapping, where an attacker convinces your carrier to transfer your number. However, it still blocks the vast majority of automated attacks. If SMS is the only 2FA option a service offers, enable it. If you can choose, authenticator apps are more secure, and hardware keys are the strongest.

What happens if I lose my 2FA device?

Use the backup codes you saved when setting up 2FA. If you don't have backup codes, you'll need to go through the service's account recovery process, which typically requires identity verification. This is why saving backup codes is critical — do it at setup time.

Can I use 2FA on multiple devices?

TOTP secrets can be added to multiple authenticator apps simultaneously by scanning the same QR code on each device during setup. Authy also supports multi-device sync. Having 2FA on two devices (e.g., phone and tablet) provides a backup if one device is lost, though each extra device is another copy of the secret that must be protected.
