How to Set Up Two-factor Authentication on All Your Online Accounts
A practical guide to turning on two-factor authentication across the accounts that matter, with the right method for each.

Two-factor authentication is the single highest-impact security action you can take as a consumer. It blocks the overwhelming majority of automated attacks, including every breach where your password has already leaked. If you only do one thing this year for your digital safety, do this.
This guide walks through which accounts to enable it on, which method to pick, and how to actually do it.
What two-factor authentication is
2FA requires a second proof of identity beyond your password. Even if an attacker has your password, they cannot sign in without that second factor. The factor is usually one of:
- Something you have. A phone, a hardware key, or a passkey on your device.
- Something you are. A fingerprint or face scan.
- Something you know. A one-time code, generally combined with one of the above.
The methods, ranked
- Passkeys or hardware security keys. Phishing-resistant, fast, and the gold standard. Use these wherever you can.
- Authenticator apps. Time-based one-time codes generated on your device. Good. Use Google Authenticator, Authy, 1Password, or your password manager.
- Push notifications. Tap-to-approve prompts. Convenient but vulnerable to MFA fatigue attacks. Acceptable.
- SMS codes. Better than nothing. Vulnerable to SIM swap. Use only if no other option exists.
The accounts to turn it on first
Prioritise the accounts that, if compromised, let an attacker compromise everything else:
- Your primary email. Every password reset on every other account flows through here. Lock it down first.
- Your password manager. The keys to the kingdom.
- Your cloud storage. iCloud, Google Drive, Dropbox. Tax documents, passport scans, photo libraries.
- Your banks, brokerage, and crypto exchanges. Direct money loss.
- Your phone carrier account. Stops SIM swaps.
- Social media. Reputation, contacts, business presence.
- GitHub or whatever code platform you use. Source code, deploy keys, secrets.
How to actually enable it
The setting lives in nearly every product under Security, Sign-in, or Two-step verification. The flow is almost always:
- Go to security settings.
- Choose 2FA method. Pick passkey or authenticator app if offered.
- Scan a QR code with your authenticator app, or enrol your security key.
- Enter the verification code to confirm.
- Save backup codes somewhere offline. This is the step everyone skips and then regrets.
The recovery problem nobody talks about
Losing access to your second factor can lock you out of everything. Plan ahead:
- Print backup codes for each account and store them in a safe place.
- Enrol at least two authenticators or two security keys per critical account.
- Keep your authenticator app's cloud backup turned on if you trust the vendor.
- Tell one trusted person where backup codes live, in case of emergency.
What 2FA does not protect you from
2FA is not magic. It does not stop malware on your device, it does not stop someone who is shoulder-surfing your phone, and most forms do not stop real-time phishing. That is why passkeys and hardware keys matter so much: they bind the login to the legitimate site, so even a perfect phishing page cannot harvest the credential.
Start with email, work through the list, and pick the strongest method each service offers. An afternoon of setup is the best security investment you will ever make.