Stolen and guessed passwords account for over 80% of data breaches. Two-factor authentication (2FA) adds a second verification step beyond your password — and it stops 99% of automated account takeover attacks dead in their tracks. Yet adoption remains surprisingly low. This guide explains what 2FA is, why SMS-based 2FA is better than nothing but not ideal, and how to set it up on the accounts that matter most.
What Is Two-Factor Authentication?
Two-factor authentication requires something you know (your password) plus something you have (your phone, a hardware key) or something you are (biometric). Even if an attacker obtains your password through a data breach or phishing attack, they still can't access your account without the second factor.
The three main types of second factor, from least to most secure:
- SMS/text message codes: A 6-digit code texted to your phone. Better than no 2FA, but vulnerable to SIM swapping attacks where criminals convince your carrier to transfer your phone number to their device.
- Authenticator app codes (TOTP): Time-based one-time passwords generated by an app on your phone (Google Authenticator, Authy, Microsoft Authenticator). Much more secure than SMS — the code never travels over a phone network and can't be intercepted by SIM swapping.
- Hardware security keys (FIDO2): Physical devices like YubiKey that you plug into USB or tap via NFC. The most secure option — completely phishing-resistant. Recommended for high-value accounts (business banking, domain registrars, critical cloud services).
Use an authenticator app (Authy or Google Authenticator) for everything that supports it. Use SMS 2FA where authenticator apps aren't available — it's still dramatically better than password-only. For your most critical accounts, invest $25–$50 in a YubiKey.
How to Enable 2FA on Google/Gmail
Go to your Google Account security settings
Visit myaccount.google.com → Security → 2-Step Verification.
Click "Get Started" and verify your password
Google will walk you through the setup. Start with a phone prompt or SMS for initial setup.
Add an authenticator app as a second factor
Scroll down to "Authenticator App," click "Set Up," and scan the QR code with Google Authenticator, Authy, or Microsoft Authenticator.
Save your backup codes
Google provides 10 single-use backup codes. Download and store them somewhere safe — these are your recovery option if you lose your phone.
How to Enable 2FA on Microsoft/Outlook
Visit account.microsoft.com → Security → Advanced Security Options → Two-step verification. Microsoft supports SMS, email codes, and the Microsoft Authenticator app. For the best security, use the Microsoft Authenticator app and enable passwordless sign-in, which eliminates the password entirely and relies solely on biometric or PIN verification on your phone.
Banking and Financial Accounts
Most major banks support SMS 2FA, and an increasing number support authenticator apps. Enable 2FA on every financial account, even if only SMS is available — SMS 2FA stops most attacks, even if it's not perfect. Check each bank's security settings individually, as the option is usually buried under Security or Account Settings.
For investment accounts (brokerage, 401k portals), prioritize immediately. These accounts are high-value targets and often have weaker default security than major consumer banks.
Social Media Accounts
Compromised social media accounts are used to spread scams, phishing links, and malware to your followers. Enable 2FA on Facebook (Settings → Security and Login), Instagram (Settings → Security → Two-Factor Authentication), and any other platform where you have a following or business presence. All major social platforms support authenticator apps.
Best Authenticator Apps
- Authy: Our top recommendation. Supports encrypted cloud backup of your 2FA codes, so switching phones doesn't lock you out of accounts. Available on iOS and Android.
- Google Authenticator: Simple and widely compatible. Added cloud backup feature in recent versions. The baseline choice if you use Google services heavily.
- Microsoft Authenticator: Best choice if you use Microsoft 365. Supports passwordless login and 2FA for all TOTP-compatible accounts.
- 1Password / Bitwarden: If you use a password manager (you should), both 1Password and Bitwarden can also store TOTP codes — consolidating passwords and 2FA in one place. Convenient but slightly less secure than a separate app since a compromised password manager also yields the 2FA codes.
What to Do If You Lose Your Phone
The most common objection to 2FA is "what if I lose my phone?" This is manageable with preparation. Most services provide backup codes at setup — save these in a secure location (printed and in a safe, or in your password manager). Authy's encrypted cloud backup lets you restore all your 2FA accounts after getting a new phone. Hardware keys like YubiKey can be registered alongside your app, so either method works.
The risk of being locked out of your own account is real but manageable with preparation. The risk of your account being compromised without 2FA is far more likely and far more damaging.
Need help securing your accounts or business devices?
Ray's Custom Computers provides cybersecurity consulting for homes and small businesses — from 2FA setup to full network security assessments. Serving Tennessee, Alabama, and California.
Published by Ray's Custom Computers — serving Fayetteville, TN, Huntsville, AL, and McKinleyville, CA since 1996. Questions? Contact us or call (931) 557-6104.