Two-Factor Authentication: What It Is and How to Set It Up

Most account takeovers happen because an attacker has obtained your password, whether from a data breach, a phishing page, or guessing. Two-factor authentication means a password alone is not enough to log in: an attacker who has it still has to get past a second check, and usually can't. It is one of the most effective security improvements you can make, and on most major platforms it takes about three minutes to set up.

What two-factor authentication actually does

The idea is simple: logging in requires two things, not one. The first factor is something you know — your password. The second factor is something you have — your phone, a physical key, or a code generator. An attacker who has stolen your password but doesn't have your phone is still locked out.

The term is often shortened to 2FA. You may also see MFA (multi-factor authentication), which covers any login that requires two or more factors; 2FA is the two-factor case of it. In everyday conversation the two terms are used interchangeably.

The three main types, from weakest to strongest

SMS codes — A text message with a six-digit code is sent to your phone when you log in. This is the version most people encounter first. It's better than nothing, but it's not particularly strong. The code goes to whoever controls your phone number, and an attacker can take that over with a SIM-swapping attack, in which they convince your mobile carrier to move your number to a SIM card they hold. High-profile account takeovers often involve SIM swaps. The code can also simply be phished: a fake login page that asks for your password and then for "the code we just texted you" collects both, and the attacker types them into the real site within the minute or so the code is valid. If a service only offers SMS-based 2FA, use it, and upgrade to a better option when one is available.

Authenticator apps — Apps like Google Authenticator, Authy, or the built-in authenticator in many password managers generate time-based codes (TOTP codes) locally on your device. At setup the service shows a QR code containing a shared secret; from then on the app and the service each combine that secret with the current time to produce the same six-digit code, which changes every 30 seconds and needs no network connection to generate (it does need your phone's clock to be roughly right). Because the codes never travel over the phone network, SIM swapping is irrelevant to them. They can still be phished by a fake page that relays the code to the real site within its 30-second lifetime, so the usual caution about checking the address bar applies. This is a meaningfully stronger option than SMS and the one I'd recommend for most people. Treat the QR code or secret shown at setup as you would a password: anyone who captures it can generate your codes.
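
To make concrete what "generated locally from the time" means, here is an added example (not code from the original article or from any authenticator app) that implements the HOTP and TOTP algorithms of RFC 4226 and RFC 6238 with Python's standard library, reproduces the RFCs' published test vectors, and adds the server-side verifier a real service needs: a small window for clock drift and a replay check. The base32 helper and verify_totp are one reasonable design, not any product's code; the only input used is the RFCs' own test secret.

```python
"""RFC 4226 (HOTP) and RFC 6238 (TOTP) from scratch, plus a server-side verifier.

Added example, not code from the original article. hotp() and totp() follow the RFCs
exactly, so they reproduce the RFCs' published test vectors; verify_totp() and the
base32 helper are one reasonable design for what an app or server adds around them,
not any particular product's code.
"""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226: HMAC(secret, counter) -> dynamic truncation -> 'digits' decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F                                    # low nibble of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 6238: HOTP whose counter is the number of 'step'-second intervals since the Unix
    epoch. Nothing here touches the network; both sides only need the secret and a clock."""
    return hotp(secret, at // step, digits, algorithm)


def secret_from_base32(encoded: str) -> bytes:
    """The QR code an authenticator app scans carries the secret as base32 (otpauth:// URI).
    Padding is usually omitted, so restore it before decoding."""
    cleaned = encoded.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def verify_totp(secret: bytes, submitted: str, now: int, last_used: int = -1,
                step: int = 30, window: int = 1, digits: int = 6):
    """Server-side check of a submitted code at Unix time 'now'.

    - Accepts the neighbouring 'window' steps either side to tolerate clock drift and
      the time it takes to type the code.
    - Refuses any step at or before 'last_used', the step of the last accepted code, so a
      code an attacker has already seen used cannot be replayed within its 30 seconds.
    - Compares in constant time.
    Returns the accepted step number (store it as the new 'last_used') or None.
    """
    if not (submitted.isdigit() and len(submitted) == digits):
        return None
    current = now // step
    for candidate in range(current - window, current + window + 1):
        if candidate <= last_used:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return candidate
    return None


if __name__ == "__main__":
    # The RFC 4226/6238 test secret, shown as an app would receive it in a QR code.
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print("current code:", totp(secret, int(time.time())))
    print("RFC 6238 vector, T=59:", totp(secret, 59, digits=8))      # 94287082
```

The test secret is the RFCs' own (the ASCII string 12345678901234567890); with it, the six-digit code at T=59 is 287082, the first entry in RFC 6238's table. Note what the verifier tolerates and what it refuses: a code one step old or new is accepted, a code for a step already consumed is not, and nothing in the check involves the network or the user's phone number.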

Hardware security keys — Physical devices (like a YubiKey) that plug into a USB port or tap against your phone's NFC reader. Used through the FIDO2/WebAuthn standard that modern sites and browsers support, these are the strongest form of 2FA and are phishing-resistant by design: the browser tells the key which site is asking, and the key's reply is bound to that site's domain, so a key registered with your bank produces nothing usable when a look-alike domain asks for it, even if you have already typed your password into the fake page. (Some keys can also emit one-time codes like an authenticator app; in that mode they are no more phishing-resistant than the app.) Register a second key as a spare and keep it somewhere safe, since losing your only key means falling back to backup codes or the account's recovery process. For most people this level of protection is more than they need day-to-day, but for high-value accounts (business email, financial accounts, anything that controls other accounts) they're worth considering.
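
The domain check that makes a hardware key phishing-resistant is easier to trust once you see it. Below is an added example (not code from the original article, nor from any browser, key vendor or website) that simulates the relevant part of the FIDO2/WebAuthn exchange in Python: a key holding one credential for example.com, the browser's role in fixing the RP ID and origin, the site's verification, and a proxy-style phishing attempt from a made-up look-alike domain, example-login.net. The key's real ECDSA signature is replaced by an HMAC over the same bytes so the example needs only the standard library; the message layout otherwise follows WebAuthn.

```python
"""Why a FIDO2/WebAuthn security key gives a look-alike login page nothing it can use.

Added example, a simplified simulation; not code from the original article or from any browser,
key or server. The message layout follows WebAuthn (clientDataJSON carries the challenge and the
page's origin; the key signs authenticatorData || SHA-256(clientDataJSON)), but the key's ECDSA
signature is replaced by an HMAC over the same bytes so that this runs on the standard library
alone, which is why the server below holds a copy of the per-credential secret where it would
really hold a public key. Hostnames are made up for the example.
"""
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse


class SecurityKey:
    """Simulated authenticator: each credential is bound to the RP ID it was registered under."""
    def __init__(self):
        self._creds = {}                                    # (rp_id, cred_id) -> secret
    def register(self, rp_id: str):
        cred_id, secret = secrets.token_bytes(16), secrets.token_bytes(32)
        self._creds[(rp_id, cred_id)] = secret
        return cred_id, secret          # a real key would hand back a public key instead
    def sign(self, rp_id: str, cred_id: bytes, data: bytes) -> bytes:
        secret = self._creds.get((rp_id, cred_id))
        if secret is None:
            raise KeyError("no credential registered for this RP ID")   # never signs for another site
        return hmac.new(secret, data, hashlib.sha256).digest()          # stand-in for ECDSA


def browser_get_assertion(key, page_origin, rp_id, cred_id, challenge, enforce_rp_id=True):
    """navigator.credentials.get() as the browser performs it. The page's JavaScript cannot
    pick an RP ID that is not the page's host or a parent domain of it, and cannot choose the
    origin the browser writes into clientDataJSON. enforce_rp_id=False models a broken browser."""
    host = urlparse(page_origin).hostname
    if enforce_rp_id and not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError(f"RP ID {rp_id!r} is not allowed on {page_origin!r}")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"   # rpIdHash || flags (UP set)
    signature = key.sign(rp_id, cred_id, auth_data + hashlib.sha256(client_data).digest())
    return {"client_data": client_data, "auth_data": auth_data, "signature": signature}


class RelyingParty:
    def __init__(self, rp_id: str, origin: str):
        self.rp_id, self.origin = rp_id, origin
        self.creds = {}                                     # cred_id -> verification secret
        self.pending = set()                                # challenges issued but not yet used
    def register(self, key: SecurityKey) -> bytes:
        cred_id, secret = key.register(self.rp_id)
        self.creds[cred_id] = secret
        return cred_id
    def new_challenge(self) -> str:
        challenge = secrets.token_urlsafe(32)
        self.pending.add(challenge)
        return challenge
    def verify(self, cred_id: bytes, assertion: dict) -> bool:
        cd = json.loads(assertion["client_data"])
        if cd.get("type") != "webauthn.get" or cd.get("challenge") not in self.pending:
            return False                                    # unknown, stale or replayed challenge
        if cd.get("origin") != self.origin:
            return False                                    # signed on some other site: phishing
        if assertion["auth_data"][:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return False                                    # credential for a different RP ID
        signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
        expected = hmac.new(self.creds[cred_id], signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return False
        self.pending.discard(cd["challenge"])               # each challenge is single-use
        return True


def legitimate_login() -> bool:
    key, rp = SecurityKey(), RelyingParty("example.com", "https://example.com")
    cred_id = rp.register(key)
    assertion = browser_get_assertion(key, "https://example.com", "example.com",
                                      cred_id, rp.new_challenge())
    return rp.verify(cred_id, assertion)


def phishing_relay() -> dict:
    """A proxy at example-login.net shows the victim a copy of the real login page and forwards
    the real site's challenge, the trick that beats SMS and TOTP codes. Two layers stop it."""
    key, rp = SecurityKey(), RelyingParty("example.com", "https://example.com")
    cred_id = rp.register(key)
    challenge = rp.new_challenge()                          # the proxy fetched this from the real site
    try:                                                    # layer 1: the browser refuses outright
        browser_get_assertion(key, "https://example-login.net", "example.com", cred_id, challenge)
        browser_refused = False
    except PermissionError:
        browser_refused = True
    # layer 2: an assertion from a browser that skipped that check still names the phishing
    # origin in clientDataJSON, so the real server rejects it even though the signature is valid
    forged = browser_get_assertion(key, "https://example-login.net", "example.com", cred_id,
                                   challenge, enforce_rp_id=False)
    return {"browser_refused": browser_refused, "server_accepted": rp.verify(cred_id, forged)}
```

Two independent things stop the attacker. The browser will not let a page on example-login.net ask the key for a credential scoped to example.com at all; and even a forged assertion from a browser that skipped that check carries origin "https://example-login.net" inside the signed clientDataJSON, so the real server rejects it although the signature itself is valid. Contrast that with a TOTP code, which is just six digits with no notion of where it was typed.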

Which accounts to protect first

Your email is the single most important account to protect with 2FA. Almost all other account recovery flows run through email — if an attacker can get into your email, they can reset the passwords on nearly everything else. Enable 2FA on your email before any other account.

After that: your primary password manager (if you use one), your bank and financial accounts, your main social media accounts, and anywhere you have payment information stored.

The calculus is roughly: how much damage could someone do with access to this account, and how hard would it be to recover from? Answer those two questions and you'll have a reasonable priority list.

How to set it up on common platforms

The exact steps vary by platform, but the general process is always the same: go to your account's security settings, find the two-factor or two-step verification section, and follow the setup wizard. Here's what to expect on the most common ones.

Google Account — Security settings are at myaccount.google.com. Look for "2-Step Verification" under "Security". Google supports SMS, the Google Authenticator app, Google prompts (a yes/no notification sent to a phone you're already signed into), and hardware keys. If you're signed into an Android phone with the account, Google prompts are usually available with no extra setup and work well.

Apple ID — Two-factor authentication is under Settings on iPhone (tap your name, then Password & Security; on newer iOS versions the item is called Sign-In & Security) or at appleid.apple.com in a browser. Apple uses trusted devices and trusted phone numbers. Once enabled, signing in on a new device requires a six-digit code that Apple displays on a device you're already signed into (or sends to a trusted phone number).

Microsoft / Outlook — Account settings at account.microsoft.com, then "Security" and "Advanced security options." Supports SMS, authenticator app, and hardware keys.

Facebook and Instagram — Facebook's setting is in Settings & Privacy → Settings → Security and Login → Two-Factor Authentication. Instagram's is in Settings → Security → Two-Factor Authentication. Both support SMS and authenticator apps. Meta reorganizes these menus periodically (current versions of both apps also expose the setting through Accounts Center), so if the path above doesn't match what you see, search the settings for "two-factor".

Your bank — Log into your online banking portal and look for security settings. Most banks support SMS at minimum; larger banks increasingly support authenticator apps. If your bank only offers security questions and no 2FA at all, that is worth knowing.

What to do about backup codes

When you set up 2FA, most services will give you a set of one-time backup codes. These are for emergencies — if you lose your phone or your authenticator app, backup codes let you get back into your account. They are single-use, meaning each code only works once.

Print them out or write them down and store them somewhere physically secure. Some people keep them in a safe; others put them in a sealed envelope with other important documents. What you should not do is store them in the same password manager that they're the backup for, or in the same email account they protect. A backup code kept inside the account it is meant to recover is not a backup: lose access to that account and you lose the code with it.

A note on recovery phone numbers

Most security settings ask for a recovery phone number. This is useful for account recovery but also creates a weaker authentication path: some platforms will send an SMS code to that number if you claim you can't access your authenticator app, which means an attacker who has SIM-swapped your number may be able to route around the stronger factor entirely. One mitigation is to review and minimize recovery options, keeping only what you genuinely need, and to prefer stronger ones: a second hardware key or a set of printed backup codes is a better recovery path than a phone number. Don't remove a recovery option until you have confirmed that its replacement actually works, or you risk locking yourself out.

For most users, the immediate goal should simply be to get 2FA enabled on critical accounts, starting with email. Perfect configuration can come later; having any second factor is dramatically better than having none.