Passwords leak. They leak in breaches, in phishing, in reuse — reliably enough that you should assume some password of yours is circulating right now. Two-factor authentication (2FA) is the system that makes a leaked password insufficient: logging in requires something you know plus something you have. It’s the single highest-value security upgrade available, and setting it up correctly takes minutes.
The methods, ranked
Passkeys (best, where offered). The newest standard skips the password entirely — your phone or laptop proves identity with a cryptographic key unlocked by your fingerprint or face. Phishing-proof by design: there’s no code to steal and the key only answers the genuine site. Google, Apple, Microsoft and a growing list support them; adopt wherever you see the option.
Authenticator apps (the strong default). Google Authenticator, Microsoft Authenticator, or your password manager generate six-digit codes that rotate every 30 seconds, on your device, with no network involved. Immune to SIM-swapping, resistant to interception.
Push approvals. Tap “yes, it’s me” on your phone. Convenient and good — with one rule: never approve a prompt you didn’t trigger. Attackers spam approval requests hoping for one tired tap (“MFA fatigue”); a prompt from nowhere means your password is already stolen — change it.
SMS codes (better than nothing, last choice). Texted codes defeat casual attacks but fall to SIM-swapping and phishing relays. Use SMS only where it’s the sole option — and never as the 2FA on your primary email if anything better exists.
Where to enable it first
Priority order: your email account (it resets everything else — this is the kingdom’s master key), your Apple/Google account, banking and payment apps, your password manager, then social accounts (account theft there targets your contacts, not you). Most services hide the setting under Security → Two-factor / Two-step verification.
The step everyone skips: backup codes
The moment you enable 2FA, the service offers backup codes. Save them — in your password manager or printed somewhere safe. The classic 2FA disaster isn’t hackers; it’s a lost or dead phone meeting an account that now demands the phone. Backup codes are the exit. Related: when switching phones, transfer your authenticator app’s contents before wiping the old device — modern authenticators sync to your account, but verify each entry exists on the new phone first.
What 2FA doesn’t fix
It doesn’t excuse weak or reused passwords (pair it with a password manager), and codes can still be phished in real time — a fake page that asks for your password and your current code, relaying both instantly. The defense is the same rule as ever: type the site’s address yourself rather than following emailed links, and treat anyone asking you to read out a code as a thief, because they are.
The bottom line
Enable 2FA on your email today — five minutes. The rest of the priority list this week. Prefer passkeys and authenticator apps, save the backup codes, never approve a prompt you didn’t cause. That’s the whole playbook, and it stops the overwhelming majority of real-world account takeovers.
