How to use two-factor authentication on all your accounts (without lockouts)
It’s a normal day. You make a brew, open your inbox, and notice a “password reset” email you didn’t ask for. Five minutes later, your socials are posting nonsense and your shopping account has a new delivery address.
That’s the ugly truth of reused or leaked passwords. Two-factor authentication (2FA) fixes the weak point by asking for a second proof after your password, usually a code, prompt, or key on a device you control.
This guide helps you switch on 2FA across the accounts that matter most in under an hour, pick the safest option available, and set up recovery so you don’t lock yourself out when you change phones.
Pick the right kind of 2FA (and know what to avoid)
Not all 2FA is equal. Some methods stop phishing cold, others mostly stop lazy password spraying. If you can choose, use this strength order:
1) Passkeys (best, when available)
A passkey uses cryptography tied to the real website or app, then unlocks with Face ID, fingerprint, or a device PIN. It’s hard to trick because it won’t work on lookalike sites. Passkeys are also quicker, because there is no code to type.
2) Hardware security keys (best for high-value accounts)
A small USB or NFC key you plug in or tap. It’s strong against remote attacks, and it doesn’t rely on mobile signal. Great for email, password managers, and anything linked to money.
3) Authenticator apps (strong and widely supported)
These generate time-based one-time codes (often called TOTP). You scan a QR code once, then the app shows a new code every 30 seconds. For an independent comparison of options, see PCMag’s authenticator app picks.
4) Push approvals (fine, but easy to mis-tap)
You get a pop-up asking “Was this you?” It’s handy, but people can approve by habit. Treat it like a doorbell at night: if you didn’t ring it, don’t open.
5) SMS codes (last resort)
Text messages can be intercepted, and phone numbers can be hijacked via SIM swap. If an account offers app codes or passkeys, choose those instead.
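To show what the authenticator app in option 3 is actually doing every 30 seconds, here is a small TOTP (RFC 6238) generator and verifier. This is an added example, not code from the original post or from any authenticator app; the base32 secret is the RFC 6238 test key, used here as a constructed demo value, and the ±1-step window is an assumption about how much clock drift a service tolerates.

```python
"""Minimal TOTP (RFC 6238) generator and verifier (added example)."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo secret: base32 of the RFC 6238 test key "12345678901234567890".
# A real secret is the one carried in the enrolment QR code and must stay private.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def _decode_b32(secret_b32: str) -> bytes:
    """Decode the base32 secret from the QR code; apps often omit '=' padding."""
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def totp(secret_b32: str, at: Optional[float] = None,
         step: int = 30, digits: int = 6) -> str:
    """Return the code for the `step`-second window containing `at` (default: now)."""
    counter = int(time.time() if at is None else at) // step
    msg = struct.pack(">Q", counter)              # 8-byte big-endian time counter
    mac = hmac.new(_decode_b32(secret_b32), msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def verify_totp(secret_b32: str, candidate: str, at: Optional[float] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the current code or one up to `window` steps either side (clock drift).

    Every window is compared in constant time so timing does not reveal which
    one matched. A real service must also refuse a code already redeemed in
    the same window, otherwise a phished code can be replayed.
    """
    now = time.time() if at is None else at
    ok = False
    for delta in range(-window, window + 1):
        expected = totp(secret_b32, now + delta * step, step, digits)
        ok |= hmac.compare_digest(expected, candidate)
    return ok
```

Because the code depends only on the shared secret and the current 30-second counter, anyone who is shown the code (or the secret) within that window can use it, which is why the post rates TOTP below passkeys and hardware keys.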
A simple rule that saves headaches: protect your email and password manager first, because they unlock everything else.
Quick cheat sheet: best 2FA for everyday people
Use this as your decision guide:
| If your account offers… | Choose… | Why it’s a good pick |
|---|---|---|
| Passkeys | Passkeys | Fast, phishing-resistant, no codes |
| No passkeys, but app codes | Authenticator app | Strong, works offline |
| High-value account (email, password manager, crypto, admin) | Hardware key + app/passkey | Extra protection, strong backup |
| Only SMS available | SMS (for now) | Better than nothing, upgrade later |
Authenticator apps people commonly use include Google Authenticator, Microsoft Authenticator, Authy, Duo Mobile, and 2FAS. When choosing, look for device lock, simple transfer to a new phone, and safe backups (some apps can sync, some need manual migration).
Before you switch anything on: set up backups so you do not get locked out
2FA should feel like a seatbelt, not a trap. Do these three things first:
Backup codes: Many services give one-time recovery codes. Print them or write them down, then store them offline (a drawer, a safe, with your passport).
One warning: never store backup codes in the same place as your passwords.
Add a second method: If the site allows it, add a second authenticator device or a second hardware key. Two is calmer than one.
Check recovery details: Confirm your recovery email, phone number, and trusted devices are correct.
Right after setup, do one quick test: sign in on a second device (laptop or tablet) to confirm the new method works while you’re still calm.
Turn on 2FA everywhere that matters (a simple rollout plan)
Trying to secure 30 accounts in one sitting is how people skip backups and regret it later. The better approach is a clear order, with repeatable steps.
Here’s a low-risk rollout plan:
1) Email accounts (Gmail, Outlook, iCloud)
Turn on passkeys or an authenticator app, then remove SMS if you can. Email resets most passwords, so it’s the master key.
2) Password manager (if you use one)
Use the strongest option offered. If hardware keys are supported, register one and keep it somewhere separate from your everyday keys.
3) Banking and payments
Banks vary. Some use in-app approval or biometrics rather than TOTP. Open your bank’s Security or Login settings and switch on every protection offered (new payee alerts, new device alerts, transaction notifications). If options are buried, ask support what stronger sign-in methods exist.
4) Social media and messaging
These get taken over for scams, not fame. Lock them down before someone impersonates you.
5) Shopping, subscriptions, and delivery apps
Anything with saved cards, stored addresses, or gift balances is worth protecting.
6) Work and school logins
These often hold personal data and can be used to email others as you.
While you work through accounts, keep your settings consistent:
- Turn off SMS fallback once app codes or passkeys are working.
- Review trusted devices and remove old phones and browsers.
- Switch on alerts for new sign-ins and security changes.
If you want platform-by-platform screenshots, this 2FA setup guide for major services can help you find the right menu quickly.
The priority list: email, password manager, and money apps first
Email is the reset button for your whole life. If someone controls your inbox, they can usually reset your socials, shopping, and even get bank password reset links.
A password manager is similar. It’s a safe that holds many keys, so guard it like one. Prefer passkeys, hardware keys, or app codes. Avoid SMS if there’s an alternative.
For banking, don’t assume “I have a banking app” means you’re protected. Many banks have extra toggles for sign-in alerts, payee changes, and device approvals. Turn them on, then check your contact details are current.
Social, shopping, and everything else: make it a habit, not a one-off job
Account takeovers often start with the easy targets: older social accounts, marketplaces, and subscription logins you forgot existed. The fix is boring but effective.
Try a “10 minutes a day” approach. Do 2 to 3 accounts daily until you’re done. Keep a simple list of what you’ve secured (account name and method used). Don’t store passwords in this list; it’s just a tracker.
Also take two minutes per service to:
- Turn on login alerts
- Review active sessions and sign out of devices you don’t recognise
For a useful checklist of social account settings to tighten, see Tom’s Guide’s safer social media settings for 2026.
Use 2FA day to day without getting tricked or locked out
2FA doesn’t end phishing; it changes the tricks. Attackers now aim for your second factor, or for your attention when you’re tired.
Treat codes and prompts like cash. You don’t hand cash to a stranger because they sound urgent.
As of January 2026, passkeys are also the direction of travel. They cut down on code entry and push fatigue, and they’re far harder to abuse on fake sites. They’re not everywhere yet, but whenever you see “Use a passkey”, take it.
Practical habits that help:
- If a site asks for a code when you didn’t start a login, stop and change your password.
- When travelling, keep at least one recovery option that doesn’t rely on your main phone (backup codes, second key, trusted device).
- Before you wipe or trade in a phone, move or re-link your authenticator accounts first. Some apps sync, some don’t.
For a broader list of current security hygiene that pairs well with 2FA, see these cybersecurity tips for 2026.
Common 2FA mistakes that still lead to hacks
These are the slips that undo good intentions:
Approving a push you didn’t start: That “Yes, it’s me” tap can hand over your account.
Typing codes into fake pages: If you got there from a link, pause and type the site address yourself.
Sharing codes with “support”: Real support won’t ask for your 2FA code.
Leaving SMS turned on as a backup: Attackers will target the weakest path.
Old recovery details: A dead email address is a locked door you can’t unlock.
Ignoring security alerts: Those emails are often your only early warning.
Simple rule: if someone asks for your code, it’s a scam, full stop.
If you lose your phone or change devices: a calm recovery plan
Panic makes people click anything. A calm plan keeps you in control:
- Use backup codes (one-time use) if you have them.
- Use your second factor (second phone, second key, or trusted device).
- Use the service’s account recovery flow, then change your password right after.
- Re-check recovery info and add a fresh second method.
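The backup codes mentioned in the pre-setup checklist and in this recovery plan work because the service keeps only a hash of each unused code and deletes it the moment it is redeemed. The following is an added example of that server-side pattern, not code from the original post or from any particular service; the code format, alphabet and ten-code batch size are assumptions.

```python
"""One-time backup (recovery) codes: generation, hashed storage, single use (added example)."""
import hashlib
import secrets
from typing import Iterable, List

# Assumed alphabet: no 0/o/1/l/i, so codes read back cleanly from paper.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def generate_backup_codes(count: int = 10, length: int = 10) -> List[str]:
    """Return `count` random codes formatted xxxxx-xxxxx, shown to the user exactly once.

    10 symbols from a 31-letter alphabet give about 49 bits of entropy, so an
    attacker who steals the hash store still cannot guess a code offline.
    """
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        codes.append(f"{raw[:5]}-{raw[5:]}")
    return codes


def _hash_code(code: str) -> str:
    """Normalise what the user typed (case, dashes, spaces), then hash it."""
    norm = code.replace("-", "").replace(" ", "").lower()
    return hashlib.sha256(norm.encode()).hexdigest()


class BackupCodeStore:
    """Holds only the hashes of unused codes; never the codes themselves."""

    def __init__(self, codes: Iterable[str]):
        self._unused = {_hash_code(c) for c in codes}

    def remaining(self) -> int:
        """Useful for the 'you have N backup codes left' warning."""
        return len(self._unused)

    def redeem(self, candidate: str) -> bool:
        """True and burn the code on first use; False on reuse or an unknown code."""
        h = _hash_code(candidate)
        if h not in self._unused:
            return False
        self._unused.discard(h)          # one-time: the same code can never work again
        return True
```

A real deployment would also rate-limit redemption attempts and prompt the user to generate a fresh batch once the count runs low, which is the "add a fresh second method" step above.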
If you use hardware keys, register two and store the spare separately. Once a year, practise a recovery login when you’re not stressed. It’s like finding the torch before the power cut.
Conclusion
Two-factor authentication is a small extra step that blocks a lot of account theft. Pick the strongest method offered (passkeys first, then hardware keys, then app codes), set up backups before you start, and lock down email and money accounts first. After that, work through socials, shopping, and subscriptions in short bursts until everything important is covered.
Do one thing now: choose three accounts you’d hate to lose, switch on 2FA today, and carry on tomorrow. Your future self will thank you when the next leaked password hits.