How to set up two-factor authentication (and why it's worth 5 minutes)
Two-factor takes 5 minutes per account and prevents 99% of account takeovers. Here's how to do it right.
Quinn Yoo
March 1, 2026
Authenticator app, not SMS
SMS-based 2FA is better than nothing, but text codes can be intercepted, for example through a SIM-swap attack. Authenticator apps generate codes locally on your device, so they are immune to that risk.
Recommended apps: Google Authenticator, Microsoft Authenticator, Authy, 1Password (built-in). Pick one and use it for everything.
The top three to enable first
Email: if an attacker controls your email, they can reset every other account. Email comes first.
Bank/financial accounts: highest direct loss risk.
Social media: if you use 'Sign in with Google/Apple/Facebook' anywhere, those accounts count too.
Save the backup codes
When you enable 2FA, services give you backup codes: single-use codes for when you lose your phone.
Save them in a password manager, or print them and store them in a drawer. Without backup codes, losing your phone = losing access.
People also ask
What if I lose my phone?
Use backup codes to log in, then re-enable 2FA on the new device. If you didn't save backup codes, account recovery is slow and painful.
What about hardware security keys (YubiKey)?
Most secure option. Worth it for high-value accounts (Google Workspace admin, bank). Overkill for most personal use.
Should I trust 'remember this device' options?
Only on devices you fully trust. Don't tick it on shared computers.