How to Set Up Two-Factor Authentication on All Your Accounts
A practical guide to enabling two-factor authentication across your most important accounts, choosing an authenticator app over SMS codes, understanding SIM swapping, and making sure you never get locked out.
Understand your options before you start
Most people turn on two-factor authentication and leave it set to SMS because it was already there. The method you choose matters: not all 2FA is equally difficult to bypass, and the weakest option is the one most people are using.
- SMS codes: a text sent to your phone number. The most common option and the weakest. Vulnerable to SIM swapping, where an attacker calls your carrier and convinces them to transfer your number to a new SIM. Once they have your number, your codes come to them. SIM swap fraud rose 1,055% in a single year in the UK, with average US victims losing $26,400 per incident
- Authenticator apps (Google Authenticator, Authy, Bitwarden): generate 6-digit codes directly on your device from a secret the site shares with the app once, at setup, so no network is involved afterwards. Not vulnerable to SIM swapping because nothing is ever sent to your phone number. This is the right default for most people
- Hardware security keys (YubiKey, Google Titan Key): a physical device you plug in or tap to authenticate. Phishing-resistant by design, because the key only answers for the site it was registered with, and the strongest option available. Overkill for most accounts, but worth considering for your email and financial accounts
- If a service offers an authenticator app option, always choose it over SMS. If SMS is the only option, enable it anyway. Any 2FA is significantly better than none
- Email accounts (Gmail, Outlook, iCloud): use an authenticator app or hardware key. Your email resets every other account, making it the highest-value target. Treat it accordingly
- Social media (Instagram, Facebook, X): authenticator app. These are frequently targeted for account takeover, impersonation, and selling access to followers
- Financial accounts (banking, PayPal, investment apps): use whatever the account offers. Authenticator app if available, SMS if it is the only option. Never leave these accounts with no 2FA at all
- Password managers: Bitwarden and 1Password both support 2FA on the vault itself. Set this up first, since your password manager protects everything else
- Start with email, then financial accounts, then social media. In that order, you cover the accounts where a takeover causes the most damage
Set up your authenticator app
An authenticator app generates codes locally on your device every 30 seconds, with no SMS or network involved. Setup takes under 5 minutes and you use the same app for every account you protect.
- Authy: the most practical option for most people. Backs up your codes to the cloud so you can restore them if you switch phones. Works on iPhone, Android, and desktop. Free
- Google Authenticator: simple and widely supported. Added encrypted cloud sync through your Google account in 2023, making it more viable than it used to be. Free
- Built into your password manager: if you use Bitwarden Premium ($10/year) or 1Password, both include a built-in authenticator. Keeping your password and your 2FA codes in the same app puts both factors in one place, which gives up a little separation compared with a dedicated app, but it is still far stronger than SMS and much more convenient to manage
- For most people starting out: Authy for its straightforward phone transfer, or your password manager's built-in option if you already use one
- When you enable 2FA on any account, the site will display a QR code on screen
- Open your authenticator app, tap the + button or Add account, then point your camera at the QR code to scan it
- The app immediately starts generating 6-digit codes that refresh every 30 seconds. Enter the current code on the site to confirm setup
- From this point forward, every new sign-in on an unrecognized device will ask for a code from the app
- Before you close the setup page: save the backup codes the site shows you. This is covered in Section 4, and it is the step most people skip and later regret
Enable 2FA on your most important accounts
Start with your email and Apple or Google account. These two control password resets for everything else. Then move to social media and financial accounts.
- Go to myaccount.google.com/security, then click 2-Step Verification
- When prompted to choose a method, select Authenticator app rather than the default Google prompt or SMS
- Scan the QR code with your app, enter the 6-digit code to verify, and save the backup codes Google provides on the next screen
- Also consider enabling a Passkey as an additional sign-in method. Passkeys sign you in with Face ID or fingerprint and resist phishing because they only work on the site they were created for
- Once 2FA is on, a stolen Gmail password alone is not enough to get into your account
- On iPhone: go to Settings, tap your name, then Sign-In & Security, then Two-Factor Authentication
- Apple uses its own system rather than a third-party authenticator app. When you sign in on a new device, a verification code is pushed to your other trusted Apple devices
- Make sure your trusted phone number is current. This is used as a fallback when none of your Apple devices are nearby
- Apple ID 2FA cannot be turned off on accounts created after 2019. This is by design and not a bug
- On Mac: go to System Settings, click your name, then Sign-In & Security
- Instagram: go to your profile, then Settings, then Accounts Center, then Password & Security, then Two-Factor Authentication. Select Authentication App and scan the QR code
- Facebook: same path through Accounts Center. Authentication app is available and is the better choice over SMS
- X (Twitter): go to Settings, then Security and account access, then Security, then Two-factor authentication. Note: SMS 2FA requires a paid subscription; use an authenticator app instead
- PayPal: go to Settings, then Security, then 2-step verification. Authenticator app is available
- Banking: log in via the website, go to Security or Profile settings, and enable 2FA. Enable SMS if it is the only option. Something is always better than nothing
Save your backup codes before you close the setup page
Backup codes are one-time-use codes that let you back into your account if you lose your phone. Every service provides them during setup. Most people skip saving them. Most people who get locked out are the same people who skipped this step.
- Every service that supports 2FA generates a set of single-use backup codes at the point of setup, usually 8 to 10 codes that look like short random strings
- Save them somewhere offline: print them and keep them with your important documents, or store them in a secure notes app that is itself protected by 2FA
- Do not save backup codes only in the password manager that requires 2FA to open. If you lose your phone and your password manager access at the same time, you need a way back in from outside that loop
- If you forgot to save your codes during setup, go back to the 2FA settings page for each account. Most services let you regenerate them. Once regenerated, the old codes stop working immediately
- Each code can only be used once, so keep the full list somewhere safe and cross them off as you use them
- If you use Authy: your codes are backed up and tied to your verified phone number. Install Authy on your new device, verify your identity via SMS, and your codes are restored. Note that this recovery path runs through your phone number, so the SIM swapping risk described in Section 1 applies to it as well
- If you use Google Authenticator: your codes sync to your Google account. Sign in on the new device and they restore automatically
- If you have backup codes saved: use one to sign in, then go to the 2FA settings and re-link your new authenticator app
- If you have none of the above: go through the service's account recovery flow. This usually involves verifying your identity via a backup email address or a backup phone number. Recovery can take 24 to 48 hours and requires identity verification for high-security accounts
- Set up a backup contact method (recovery email address, backup phone number) when you first enable 2FA on each account. This is what gets you back in when everything else fails
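The behaviour described above, that each backup code works exactly once and that regenerating the set kills every old code immediately, comes from how the service keeps them on its side. The following is an added illustration of that bookkeeping, not any particular service's implementation; the class name, code length and alphabet are my own choices.

```python
import hashlib
import hmac
import secrets

# Unambiguous alphabet (no 0/o or 1/l/i), so a code read off a printout is hard to mistype.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


class BackupCodeStore:
    """Server-side handling of one-time backup codes for a single account.
    Only hashes are kept, so a leaked database does not yield usable codes."""

    def __init__(self, count=10, length=8):
        self.count, self.length = count, length
        self.hashes = set()

    @staticmethod
    def _digest(code):
        # Normalise what a user might type from a printout: stray spaces, upper case.
        return hashlib.sha256(code.strip().lower().encode()).hexdigest()

    def regenerate(self):
        """Issue a fresh set and drop the old one, so previously issued codes
        stop working immediately. The plaintext is shown to the user once."""
        codes = ["".join(secrets.choice(ALPHABET) for _ in range(self.length))
                 for _ in range(self.count)]
        self.hashes = {self._digest(c) for c in codes}
        return codes

    def redeem(self, code):
        """Accept a valid code exactly once, then burn it."""
        d = self._digest(code)
        match = next((h for h in self.hashes if hmac.compare_digest(h, d)), None)
        if match is None:
            return False
        self.hashes.remove(match)
        return True

    def remaining(self):
        """How many unused codes are left; a hint to regenerate when it gets low."""
        return len(self.hashes)
```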
A stolen password alone is enough to access your accounts if 2FA is not in place. Most account takeovers rely on credentials leaked in data breaches, tested automatically across thousands of sites within hours of the breach becoming public. Two-factor authentication breaks that chain completely. Setting it up on your email account, your Apple or Google account, and your main financial accounts (Sections 2 and 3) covers the majority of your exposure in under 30 minutes. The backup code step in Section 4 is what most guides skip, and it is the only thing standing between you and a days-long account recovery process if you lose your phone. Do that step before you close the setup page.