Two-Factor Authentication (2FA): The Complete Setup Guide
Master two-factor authentication. Learn about TOTP apps, hardware keys, SMS codes, and passkeys — and how to set them up on every major platform.
Two-factor authentication (2FA) adds a second layer of security beyond your password. Even if someone steals your password, they can't access your account without the second factor.
The three factors of authentication:
- Something you know — Password, PIN, security question
- Something you have — Phone, hardware key, authenticator app
- Something you are — Fingerprint, face scan, voice
2FA combines two of these factors. A password (know) + authenticator code (have) is the most common combination.
Why it matters:
- Google reports that 2FA blocks 100% of automated bot attacks, 99% of phishing attacks (with hardware keys), and 96% of bulk phishing attacks (with TOTP)
Not all second factors are equal. Here's a ranking from most to least secure:
1. Hardware Security Keys (FIDO2/WebAuthn) — ⭐⭐⭐⭐⭐
Physical devices like YubiKey or Google Titan. Phishing-proof because the key verifies the website's domain.
- Pros: Phishing-resistant, works offline, no batteries
- Cons: Costs $25-60, can be lost, limited NFC on some phones
- Best for: High-value accounts, journalists, activists
2. Passkeys — ⭐⭐⭐⭐⭐
Cryptographic credentials stored on your device or password manager. The next generation of authentication.
- Pros: Phishing-resistant, no password needed, syncs across devices
- Cons: Still being adopted, not universally supported
- Best for: All accounts that support them
3. Authenticator Apps (TOTP) — ⭐⭐⭐⭐
Apps like Google Authenticator, Authy, or Aegis generate time-based 6-digit codes.
- Pros: Free, works offline, widely supported
- Cons: Can be phished, device loss = lockout (if no backup)
- Best for: Most accounts, good balance of security and convenience
4. Push Notifications — ⭐⭐⭐
Apps like Duo or Microsoft Authenticator send approve/deny prompts.
- Pros: Easy to use, shows location info
- Cons: Requires internet, vulnerable to "MFA fatigue" attacks
- Best for: Corporate environments
5. SMS Codes — ⭐⭐
One-time codes sent via text message.
- Pros: Works on any phone, easy setup
- Cons: Vulnerable to SIM swapping, SS7 attacks, network interception
- Best for: Only when no better option exists
6. Email Codes — ⭐
One-time codes sent to your email.
- Pros: No phone needed
- Cons: Email may already be compromised, delays
TOTP (Time-based One-Time Password) is the most practical 2FA method for most people.
Recommended apps:
| App | Platform | Backup | Open Source |
|---|---|---|---|
| Aegis | Android | Encrypted export | ✅ Yes |
| Raivo/2FAS | iOS | iCloud/export | ✅ Yes |
| Ente Auth | iOS/Android | End-to-end cloud | ✅ Yes |
| Bitwarden | All | Cloud vault | ✅ Yes |
| Google Authenticator | All | Google account | ❌ No |
| Authy | All | Encrypted cloud | ❌ No |
Setup steps:
- Go to your account's security settings
- Find "Two-factor authentication" or "2-step verification"
- Choose "Authenticator app"
- Scan the QR code with your authenticator app
- Enter the 6-digit code to verify
- Save your backup/recovery codes in your password manager
- Export your authenticator data regularly
Critical: Back up your TOTP secrets!
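As an added example (not code from this guide), here is how the 6-digit code you type in the verification step is derived from the secret behind the QR code, following RFC 6238 (HMAC-SHA1, 30-second steps), and how a server should check it with a small clock-drift window. The secret is the RFC 6238 test key, so the codes it produces are published test-vector values; the verification window and step size are assumptions.

```python
# Added example, not the guide's code: RFC 6238 TOTP generation and verification.
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 test key "12345678901234567890" in base32 (a published test vector).
RFC6238_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Compute the TOTP code for the time step containing unix_time."""
    # The base32 string encoded in the QR code is the whole credential: whoever holds it
    # can mint valid codes. That is why the guide says to back it up (and keep it private).
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = unix_time // step                              # RFC 6238: T = floor(time / X)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # RFC 4226 dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def verify_totp(secret_b32: str, submitted: str, unix_time: int,
                window: int = 1, step: int = 30) -> bool:
    """Accept the code for the current step or up to `window` steps either side, to
    tolerate phone clock drift. A production server must also remember the last
    accepted counter so one code cannot be replayed inside the window."""
    for drift in range(-window, window + 1):
        candidate = totp(secret_b32, unix_time + drift * step, step)
        if hmac.compare_digest(candidate, submitted):        # constant-time comparison
            return True
    return False

if __name__ == "__main__":
    # RFC 6238 vector: at T=59 the 8-digit SHA-1 code is 94287082, so 6 digits give 287082.
    print(totp(RFC6238_TEST_SECRET, 59))                     # → 287082
    print(totp(RFC6238_TEST_SECRET, int(time.time())))       # code for right now
```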
Hardware keys are the gold standard, providing phishing-proof authentication.
How they work:
- You insert or tap the key when prompted during login
- The key cryptographically verifies the website's domain
- A unique response is generated — different for every site
- A phishing site at "g00gle.com" would get a different (invalid) response
Recommended keys:
- YubiKey 5 series ($50-75): USB-A/C + NFC, supports FIDO2, TOTP, PIV
Best practices:
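To make the "different response for every site" point concrete, here is an added model of the FIDO2/WebAuthn login exchange (not code from this guide or from any key vendor): the key only holds a credential for the domain the browser names, and the site independently checks the browser-set origin. The HMAC stands in for the key's per-site ECDSA signature, and the domains, credential secret and challenge are constructed for the demo.

```python
# Added example, not the guide's code: HMAC stands in for the key's ECDSA signature; names are constructed.
import hashlib
import hmac
import json
import struct

def authenticator_assert(key_store: dict, rp_id: str, client_data: bytes, counter: int):
    """Key side: use the credential scoped to the RP ID the browser supplies (from the page's
    real origin) and sign authenticatorData || SHA-256(clientDataJSON); no credential -> refuse."""
    cred_secret = key_store.get(rp_id)
    if cred_secret is None:
        return None
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + struct.pack(">I", counter)  # UP flag
    signed = auth_data + hashlib.sha256(client_data).digest()
    return auth_data, hmac.new(cred_secret, signed, hashlib.sha256).digest()

def rp_verify(cred_secret: bytes, rp_id: str, origin: str, challenge: str,
              client_data: bytes, auth_data: bytes, signature: bytes) -> bool:
    """Site side: check type, challenge, browser-set origin, RP ID hash, UP flag, then signature."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != origin or auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False                                      # origin and domain binding
    if not (auth_data[32] & 0x01):                        # user presence not asserted
        return False
    signed = auth_data + hashlib.sha256(client_data).digest()
    return hmac.compare_digest(hmac.new(cred_secret, signed, hashlib.sha256).digest(), signature)

def client_data_json(origin: str, challenge: str) -> bytes:
    # The browser, not the web page, fills in the origin field.
    return json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()

def demo():
    cred = b"constructed credential secret registered at example.com"
    key_store = {"example.com": cred}                     # constructed: one registered site
    challenge = "constructed-server-challenge"
    # 1. Genuine login from https://example.com
    cd = client_data_json("https://example.com", challenge)
    auth_data, sig = authenticator_assert(key_store, "example.com", cd, 1)
    genuine_ok = rp_verify(cred, "example.com", "https://example.com", challenge, cd, auth_data, sig)
    # 2. Lookalike https://examp1e.com: the browser asks the key for RP ID "examp1e.com"
    phish = authenticator_assert(key_store, "examp1e.com", client_data_json("https://examp1e.com", challenge), 2)
    # 3. Site-side defence in depth: clientData naming the wrong origin is rejected even with a valid signature
    wrong_cd = client_data_json("https://examp1e.com", challenge)
    wrong_auth, wrong_sig = authenticator_assert(key_store, "example.com", wrong_cd, 3)
    wrong_ok = rp_verify(cred, "example.com", "https://example.com", challenge, wrong_cd, wrong_auth, wrong_sig)
    return genuine_ok, phish is None, wrong_ok            # expected: (True, True, False)
```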
Google:
- Go to myaccount.google.com → Security → 2-Step Verification
- Choose "Security Key" or "Authenticator App"
- Follow prompts, save 10 backup codes
Microsoft:
- Go to account.microsoft.com → Security → Advanced security
- Add "Authenticator app" or "Security key"
- Save backup/recovery code
Apple:
- Settings → [Your Name] → Sign-In & Security → Two-Factor Authentication
- Apple uses push notifications to trusted devices by default
- Consider adding a hardware key under Security Keys
GitHub:
- Settings → Password and authentication → Two-factor authentication
- Add TOTP app, then add security key for phishing protection
- Save recovery codes, download them
Social Media (Facebook, Instagram, Twitter/X):
- All support TOTP and hardware keys
Banking & Financial:
The biggest risk with 2FA is losing access to your second factor.
Your recovery plan:
- Save recovery codes — Store them in your password manager AND print a copy
- Register multiple methods — TOTP app + hardware key + backup codes
- Register multiple devices — If your authenticator supports it
- Keep a backup hardware key — Registered on all important accounts
- Document your 2FA inventory — Which accounts use which methods
If you lose your phone:
- Use saved backup codes to log in
- Use your backup hardware key
- Contact the service's support team with identity verification
- Reconfigure 2FA with your new device
Emergency access:
- Some password managers (1Password, Bitwarden) support emergency access