Most of us carefully protect our most important objects. We lock our homes with a deadbolt, perhaps invest in a security system or store valuables in a safe with its own lock and key, and make sure our cars are locked with the alarm turned on. We might even be secretive about our address to keep our home location private or train a pet to scare off intruders.
Our digital assets, though? We're apt to rely only on passwords to protect our accounts—the digital equivalent locking a flimsy screen door but leaving the front door wide open. And on average, you're more likely to be the victim of a digital breach than have a thief break into your home.
Most passwords are trivial for hackers to crack. That's why you need two-factor authentication. It adds a critical layer of security that keeps intruders out and makes sure your data doesn't get hacked, as 1 in 5 internet users experience.
Here's how to set up two-factor authentication on your most important accounts and use it to keep your memories, finances, and everything else in your digital life safe.
What Is Two-Factor Authentication?
Two-factor authentication—also known as 2FA or TOTP as an abbreviation for time-based one-time passcode, and often substituted with two-step verification—is an additional layer of security that requires at least two of the following: What you know, what you have, and who you are. Those three factors are the classic secure login ingredients—and the more of them you use to protect your assets, the better.
Opening your front door requires the first two: What you know (your address) and what you have (a physical key). An ATM withdraw similarly covers two: You know your PIN code, and have your debit card. A bank vault might use all three, with passcodes, access cards, and fingerprint scans needed to open the safe.
Traditional email and password logins, however, cover only the first—what you know. You know your email address and password, and often they're easy enough for someone else to guess or crack. That's what makes them so insecure. Two-factor authentication adds a second what you have layer to digital logins, using an app and your phone to generate a unique login code. It can even cover all three if your phone is secured with a fingerprint for who you are security.
To break into your home, someone would need a copy of your key or an unlocked door or window. Or they could pick the lock or just kick the door in—something they're less likely to do especially in a busy area during the day. With digital accounts, most of us are terrible at creating unique passwords—91% of passwords used online are common passwords like 12345. If you want to hack an online account, it's trivial to try common passwords and phrases over and again until you find the right combination without anyone noticing. And if one of your accounts is part of a massive data leak—like the recent hack of over a billion Yahoo! accounts—anyone could easily log into any of your accounts that use the same passwords.
Two-factor puts a smart lock on your digital accounts. Perhaps someone can guess your email address and password—the digital equivalent of knowing your address and having a copy of your house key. But they won't have the security code needed to open your account—just as they wouldn't have the code to disarm your house alarm and keep it from calling the authorities.
Here's how it works. You'll enable two-factor authentication on an account, say your Gmail account. When setting that up, you'll be asked to add a mobile phone number to your account, and optionally add your Gmail account to an authenticator app. Then, whenever you login to your Gmail account from a new device, you'll open the app to get a unique code—one that changes every 30 seconds—or you'll receive the code via an SMS message. Enter that code, and only then will you see your Gmail account.
To hack your Gmail account with two-factor authentication, someone would now need to know your email address and password, and they would need to steal your phone and know how to get the authentication code from it. And just like that, your email account is now harder to break into than your house ever will be.
If you're traveling far from home or using a new computer, Google—and many other accounts—may by default ask to verify a phone number or security question as a basic form of two-step authentication. That helps prevent some hacking, but enabling full two-factor authentication gives you that security all the time.
Two-step authentication is often interchangeably with two-factor, but it's a bit different: Instead of using an app or device to generate the code, a code is sent to you via SMS or email. It's better than nothing, but less secure than true two-factor authentication since if someone hacked your email account or hijacked your phone number—or simply convinced your mobile carrier to give them a SIM card with your phone number—they could receive the verification code and use it to log in to your account.
Secure computers in governments and businesses have long relied on fingerprints, iris scans, and unique login codes from devices such as RSA keys—the stuff of spy movies. Such multi-factor authentication is traditionally expensive and time consuming to use. Forget to bring your keycard or lose your RSA key, and you're locked out of your equipment. With two-factor codes from a mobile app or SMS message, though, there's little reason today to not add an extra layer of security to your account.
So let's do just that.
How to Enable Two-Factor Authentication
One of the first places you should enable two-factor authentication is your email account. It's one of your most valuable accounts—you use your email address to log into every other account, and if your email gets hacked, every other account is vulnerable since password reset emails will come into that email account.
So let's start out by securing your Gmail account. Just go to myaccount.google.com/security—or from your Gmail or other Google app account, tap your profile picture and select My Account, then select the Sign-in and Security box on that page.
Select the 2-Step Verification option under Password—that's what Google calls two-factor authentication. You'll be asked to sign into your Google account again, then will need to enter your phone number. Google will text a code or call you with it if you'd prefer. Enter the code, and you can then turn on phone-based two-factor authentication—the default with a Google account.
SMS-based verification isn't as secure as two-factor authentication, and if you travel abroad or don't have cell signal, you can easily be locked out of your accounts. That's why you should also add two-factor authentication codes via an app, a Google alert on your phone, a USB security key (or a secondary phone number for convenience, but that won't help with security). The app's the best option—you can then use the same app to manage all of your login codes—so select the Authenticator app option.
Tip: There's a comparison of the best authenticator apps at the end of this tutorial if you don't have one already.
Google will show a unique QR code for your account. Open your authenticator app, scan the code, then enter the authentication code your app shows.
That's it! Your Google account is now secured with two-factor authentication. Whenever you go to check your Gmail email or open any other Google account, you'll enter your email address, password, and then a code from your authenticator app. Google will remember your recent logins, so you won't have to log in again more than every few weeks on your standard devices. And for a bit of extra security, you can remove your phone number from your Google account to make sure only the randomly-generated codes can be used to login to your account.
Actually, there may be one more step. If your Gmail account uses your personal or company domain with a G Suite account, your G Suite administrator will first need to activate 2-step verification. For that, open admin.google.com, select Security, then under the basic settings check the Allow users to turn on 2-step verification box. Now, everyone in your company can enable two-factor authentication in their G Suite accounts.
Tip: Learn more about setting up G Suite on your domain.
The steps will be slightly different for every account, but once you've added two-factor authentication to a few accounts, you'll know what to look for. For instance, in Zapier, you'll open your account security settings at zapier.com/app/settings/security—or just open your Zapier settings page and select the Security tab. Click Enable beside the two-factor authentication option to get started. Zapier will ask you if you have an authenticator app—if not, download one from the links, then click Next Step.
Enter your password—as with your Google account, this is a standard security step to make sure you are the one adding two-factor security to your account. Then scan the QR code with your authenticator app, enter the verification code, and Zapier will give you backup codes to save if you ever need them (more on that below).
Do note: When you first add two-factor authentication to an account, you'll need to log in again to that account on all of your apps and devices.
What If You Lose Your Authenticator App?
There is one thing to be extra careful about with two-factor authentication. If you lose or break your phone, have a problem with your authenticator app, or no cell reception for SMS-based authentication, you won't be able to log into your account.
That's why most accounts offer backup or recovery codes to use instead of your authenticator app. In Google's 2-Step Verification setup page, you'll see a Backup codes option as a second step. Open it and copy the recovery codes or print them out, and store them in a safe place—literally, you could print them and store them in a safe, or encrypt the file and save it in your password manager app.
Tip: Need a safe, encrypted place to save important data? Here are a dozen of the best password management apps to save passwords, login details, and secure notes including backup login codes.
If you're ever locked out of your account, you can then choose an alternate login method and can use the recovery codes instead of your default authentication method.
Be sure to take the time to at least add backup codes, along with adding a phone number to your accounts if you have that option, as Google allows. That way you'll always have an alternative way to access your account if needed.
How Do You Use Two-Factor Logins with 3rd Party Apps?
Want to use 3rd party apps with your accounts, perhaps to add your Google account to your favorite email or calendar app? Many newer apps—including the built-in email apps on most smartphones—work natively with two-factor logins. Others, however, ask for a standard email and password, with no option to enter your two-factor code.
For that, you'll need to make App passwords. These one-time use passwords let you log into your account on a single app with a unique password just for that app.
In Google, for instance, open myaccount.google.com/security again, and select the new App password option under the Password section. Enter your password again, then select the app you want to add to your account.
Google will then give you a unique password to use with that app. Copy the password, and use it along with your email address to log into Gmail in that app.
Repeat those steps for every other app you want to use, and you'll keep your accounts secure even if those apps happened to be hacked. After all, this password works only on that one app.
Which Accounts Need Two-Factor Authentication?
Every online account requires either a username and password, or an account on another site like Facebook—no way around that. But which accounts are worth adding the additional security of a two-factor authentication?
Email's an obvious one. As your digital passport of sorts, the thing you use to log into every other account, your email account needs all the security it can get. And with a Google, Microsoft, or even Apple iCloud email account, that same account also secures your documents, files, and even your devices themselves. It's worth the extra trouble to keep that data under lock and key.
Critical business applications are next most important to secure. Your business Amazon account might include your company's best-selling products or its code in Amazon Web Services (AWS). Salesforce includes your business contacts and customer data; Stripe contains all of your financial data. Your team projects and chats and notes are equally critical, and your password manager doubly so—and all should be secured with a two-factor login.
Many of your personal apps aren't quite as important to add two-factor authentication to. If you use an app to track your home repair tasks or are trying out a new notes tool, it's likely ok to just use a regular password. But social networks can be critical—one hacked Tweet could ruin your career, and you'd likely be sad to lose the pictures you've saved in Facebook if a hacker decides to wipe them. Your financial institutions are even more valuable—and often just as vulnerable. Any accounts like those that include loads of private, sensitive information are worth taking the extra step to secure.
Here's how to add two-factor authentication to 25 of the most popular and critical app accounts you likely use:
Email and Core Accounts
Set up 2fa at:
If you use the Google Authenticator app, you can log in just by tapping on a notification on your phone.
Apple uses your iPhone or Mac to approve logins—it'll show a map of where the login is being requested from, and then will show you the 2fa code to enter.
Microsoft lets you sign into your account with any email address or Skype ID you've added, so you might also want to remove older addresses so they can't be used to login.
Yahoo! only offers SMS or phone call based 2fa codes.
Set up 2fa at:
Be sure to also add 2fa login to your payment service as well.
An account admin will need to set 2fa settings for the whole company before individuals can add their own 2fa settings.
Dropbox supports security key devices and OATH codes along with apps and SMS.
Only supports SMS 2fa codes.
Only supports SMS 2fa codes.
Be sure to also add 2fa security to the apps you integrate with Zapier.
Set up 2fa at:
Only supports SMS 2fa codes.
Set up 2fa at:
For extra security, be sure to have seperate Amazon accounts for personal purchases and your business AWS use.
Digital Ocean requires a phone number and authenticator app for 2fa—and also supports .
GitHub's 2fa works via the API, too, to secure your terminal-based GIT pushes.
Twilio's Authy app also can help you build 2fa support into your own app.
Set up 2fa at:
Facebook calls 2fa Login Approvals, and can send them through the Facebook app if you want.
Check the Verify login requests box to enable 2fa.
Only supports SMS 2fa codes.
Only available on WordPress.com blogs; for self-hosted blogs, install the WP Google Authenticator plugin.
Passwords & Secure Data
Set up 2fa at:
Account Settings -> Multifactor Options
LastPass offers fingerprint, smart card, and USB key authentication with Premium plans.
1Password only offers 2fa on Team plans, via the Duo app. For personal accounts, if you sync through Dropbox, be sure to add 2fa to your Dropbox account.
You'll also want to make sure your bank and other important personal accounts are secured. Find the two-factor authentication settings for any other important apps and services in the Two Factor Auth List.
The Best Authenticator Apps
All that's left is to grab the perfect app to store all of your login codes. You've likely already come across Google Authenticator, the default app Google recommends for your Gmail two-factor login. It's a great place to start—but there are also a wide range of other apps to store your two-factor codes. Some sync your accounts to all your devices, while others handle passwords and two-factor codes in one place.
Here are the best two-factor authenticator apps:
The first authenticator app you're likely to come across, Google Authenticator is designed to secure your Google accounts but also works with most other two-factor logins. It's quick to use—you'll see codes for each account in the app's launch screen, or can approve Google account logins through a notification.
iOS, Android, Blackberry
Authy makes sure you'll never lose your two-factor logins. Part of the Twilio family of services, it works on your computer and phone, with an account that you can move to a new device when you upgrade. It can even put your login codes in a widget on your phone for 1-tap access, and on your desktop so you can login without your phone.
iOS, Android, macOS, Windows, Linux
Using Microsoft's service to run your business—or have a Windows Phone? Microsoft's new Authenticator app works much like Google's, letting you copy a 2fa code or login by tapping a notification.
iOS, Android, Windows Phone
Duo is an enterprise security tool that can manage all of your company's logins and secure devices—or you can use it just to log into your own 2fa accounts. And it works almost anywhere, even on older J2ME-powered phones.
iOS, Android, Blackberry, Windows Phone, J2ME
Feel more secure using an open source authenticator that lets you look through its code? FreeOTP is a 2fa app from the Red Hat team that lets you manage your codes in an open source app—one you could fork and tweak the way you want.
Want all of your login stuff in one place? 1Password is a password manager that also includes 2fa support. You can scan 2fa QR codes from its mobile or desktop apps, and get your login info and 2fa codes together, synced to all of your devices. Only caveat: It is a paid app, starting at $2.99/month.
iOS, Android, macOS, Windows
Another authenticator option from a password manager, LastPass Authenticator is a separate app you'll use to manage 2fa logins. It simplifies unlocking your LastPass account down to one tap, though it doesn't sync 2fa logins so you'll need to set it up again if you change devices.
iOS, Android, Windows Phone
Ever had to change the locks to your house or reset the passwords on all of your most important accounts? It's a lot of frustrating work—and that's what adding two-factor authentication to your accounts will be like. It'll even add a bit of extra friction every time you sign into an account from a new device or after a certain period of time.
But it's absolutely worth it. The next time you hear of a massive data breach, you'll feel safe, knowing that your accounts and the data in them are safe.
Freelance writer Jimmy Daly contributed to this article.