The Problem with Passwords Alone
Even a strong, unique password can be compromised. Data breaches expose millions of credentials every year. Phishing attacks trick users into handing over their login details. Credential-stuffing attacks use stolen password lists against hundreds of services automatically. A password, by itself, is a single point of failure.
Two-factor authentication (2FA) addresses this by requiring a second piece of evidence before granting access. Even if someone steals your password, they still can't get in without that second factor.
How Does 2FA Work?
Authentication factors generally fall into three categories:
- Something you know: A password or PIN.
- Something you have: A phone, a hardware key, or an authenticator app.
- Something you are: Biometrics — fingerprint, face recognition.
2FA combines two of these factors. Most commonly, it's your password (something you know) plus a time-based one-time code (something you have).
Types of 2FA: From Weakest to Strongest
| Method | How It Works | Security Level |
|---|---|---|
| SMS code | A code sent to your phone via text | Basic — vulnerable to SIM-swapping |
| Email code | A code sent to your email inbox | Basic — depends on email security |
| Authenticator app (TOTP) | A rotating 6-digit code generated in an app | Good — codes are local and time-limited |
| Hardware security key | A physical USB/NFC device you tap or insert | Excellent — phishing-resistant |
| Passkeys | Cryptographic keys stored on your device | Excellent — phishing-resistant by design |
SMS 2FA is better than nothing, but if you can use an authenticator app instead, you should.
Which Authenticator App Should You Use?
Several solid options exist:
- Aegis Authenticator (Android, free, open-source) — highly recommended for privacy-conscious users.
- Raivo OTP (iOS, open-source) — a clean, reliable iOS option.
- Bitwarden Authenticator — good if you already use Bitwarden as your password manager.
- Google Authenticator or Microsoft Authenticator — widely supported, though tied to big-tech ecosystems.
Whichever you choose, make sure you back up your 2FA codes or seed keys securely — losing access to your authenticator app can lock you out of accounts.
Where to Enable 2FA First
Prioritise accounts that would cause the most damage if compromised:
- Email accounts — your email can reset almost every other account.
- Banking and financial services
- Password manager (critical — this holds the keys to everything)
- Work accounts and cloud storage
- Social media — especially accounts tied to your real identity
How to Set Up an Authenticator App (General Steps)
1. Download an authenticator app on your phone.
2. Go to the security settings of the account you want to protect.
3. Look for "Two-Factor Authentication" or "Two-Step Verification".
4. Select "Authenticator App" and scan the QR code shown on screen.
5. Enter the 6-digit code to confirm setup.
6. Save any backup/recovery codes in a safe, offline location.
Final Thought
Enabling 2FA on your most important accounts takes less than 10 minutes and dramatically reduces your risk of being hacked. It's one of the highest-impact, lowest-effort security steps available to anyone — regardless of technical skill level. Do it today.