2FA stops most account takeovers even when your password is already known. Here’s how to enable it on your most important accounts in a few minutes.
Two-factor authentication (2FA) adds a second verification step beyond your password. After entering your password correctly, you're asked for a second factor — typically a 6-digit code that expires every 30 seconds, generated by an app on your phone or sent via SMS. Even if someone obtains your password through a data breach or phishing attack, they cannot access your account without the second factor. This stops the vast majority of automated account takeover attempts.
You have two main options for the second factor. Authenticator app: an app on your phone generates time-based codes (Google Authenticator, Authy, or Microsoft Authenticator — all free). This is the more secure option. SMS: a text message is sent to your phone number with a code. This works without installing an app but is less secure due to SIM swapping attacks. For most people, either option is dramatically better than no 2FA. Download an authenticator app before proceeding to the next steps.
Email is your highest-priority account because it's used for password reset on every other service. Find 2FA in your email provider's security settings: Google: myaccount.google.com > Security > 2-Step Verification. Apple: appleid.apple.com > Sign-In and Security > Two-Factor Authentication. Microsoft/Outlook: account.microsoft.com > Security > Advanced security options. Follow the setup flow, scan the QR code with your authenticator app, and confirm the code works before finishing.
After linking your authenticator app, most services provide 8–10 single-use backup codes — these let you access your account if you lose your phone. This step is critical: without backup codes and without your phone, you may be permanently locked out. Store backup codes in a password manager, or print and store them somewhere only you can access. Do not store them in email (which is the account you're trying to protect) or in cloud notes that aren't secured.
After email, work through your other high-value accounts in priority order: (1) Password manager — if you use one, this is critical since it holds everything else. (2) Banking and financial accounts. (3) Social media accounts, which are increasingly used for account recovery elsewhere. (4) Shopping accounts with saved payment methods. (5) Any service where you store sensitive personal information. Each service has slightly different settings paths — search '[service name] enable two-factor authentication' for exact steps.
Before closing the setup flow, verify that 2FA is working: log out of the account on one device and log back in. You should be prompted for your password, then immediately afterward for the authenticator code. Open your authenticator app, enter the 6-digit code for that account (it refreshes every 30 seconds), and confirm you get in. This confirms the setup is correct. It's much easier to troubleshoot during setup than after you've been locked out.