Two-factor authentication (2FA): what it is and how to switch it on

If a strong, unique password is lock number one, two-factor authentication is lock number two. It is the single most effective thing you can switch on to stop your accounts being taken over, and it takes a couple of minutes per account.

What it actually is

Two-factor authentication, also called 2FA, MFA or two-step verification, means logging in needs two things: something you know (your password) and something you have (a code, or a tap on your phone). So even if a criminal steals or guesses your password, it is useless to them on its own.

This matters because most account takeovers come down to stolen, leaked or reused passwords. 2FA shuts the door on the large majority of them.

The types, weakest to strongest

  • Text-message codes (SMS). Better than nothing, and fine if it is the only choice. The weakness is that criminals can sometimes hijack your phone number through a “SIM swap”, so it is the least secure option.
  • Authenticator apps. An app on your phone generates a fresh six-digit code every 30 seconds. Examples include Google Authenticator, Microsoft Authenticator and Authy, and most password managers can do this too. Much stronger than SMS.
  • Passkeys and hardware keys. The strongest option, and resistant to phishing. Passkeys are now built into most phones, and a hardware key like a YubiKey is the gold standard for your most important accounts.
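For the curious, here is what an authenticator app is actually doing when it shows you a six-digit code every 30 seconds, together with the check a website runs on its side. This is an added illustration written for this page, not code from any of the apps named above; the secret is the published RFC 6238 reference key, and the issuer and account names are made up.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

# Constructed demo secret: the RFC 6238 reference key, base32-encoded the way a
# setup QR code carries it. A real service generates a random secret per account.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

def otpauth_uri(issuer, account, secret_b32):
    """The text an authenticator app reads when you scan the setup QR code."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={secret_b32}&issuer={quote(issuer)}"
            "&algorithm=SHA1&digits=6&period=30")

def hotp(secret_b32, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the counter, dynamically truncated to N digits."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret_b32, at=None, step=30, digits=6):
    """RFC 6238: the counter is simply the current 30-second time slot."""
    t = int(time.time() if at is None else at)
    return hotp(secret_b32, t // step, digits)

def verify_totp(secret_b32, submitted, at=None, step=30, digits=6,
                drift=1, last_used=-1):
    """Server-side check. Accepts the current slot plus `drift` slots either side
    (phone clocks drift), compares in constant time, and refuses any slot at or
    below `last_used` so a code that was already accepted cannot be reused.
    Returns the matching slot number, or None."""
    t = int(time.time() if at is None else at)
    now = t // step
    for k in range(-drift, drift + 1):
        slot = now + k
        if slot <= last_used:
            continue
        if hmac.compare_digest(hotp(secret_b32, slot, digits), submitted):
            return slot
    return None

if __name__ == "__main__":
    print(otpauth_uri("ExampleBank", "alice@example.com", DEMO_SECRET_B32))
    print("code right now:", totp(DEMO_SECRET_B32))
```

Because the code depends only on the shared secret and the clock, anyone who copies the secret can generate the same codes, which is why the backup codes and the QR image deserve the same care as a password.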

How to turn it on

It is usually in the same place on most services:

  1. Go to Settings, then Security (sometimes “Sign-in and security”).
  2. Find Two-factor authentication or Two-step verification and start the setup.
  3. Choose a method. An authenticator app is the best balance of strong and easy: you scan a QR code and you are done.
  4. Save your backup codes somewhere safe, ideally in your password manager, so you can still get in if you lose your phone.

Do your email account first, since it can reset everything else, then your bank, then any account that holds your money or personal details.

Worth knowing: many password managers can store your 2FA codes next to your logins, which makes signing in quick. Keeping them in the same place as your passwords trades a little separation for a lot of convenience, and it is still far safer than having no 2FA at all.

Pair this with the basics and you are ahead of almost everyone: a password manager, strong unique passwords, and a quick check for any leaked logins. More in our password section.