Two-factor authentication (2FA) means that even if someone steals your password, they still can't get into your account. Enabling it takes 2 minutes. Here's how to do it for every account that matters.
What 2FA Actually Is
When you log in with 2FA enabled, you enter your password (factor 1) and then a second piece of proof (factor 2). The second factor is usually a 6-digit code that changes every 30 seconds, generated by an app on your phone. Even if someone has your password, they can't log in without that code.
Types of 2FA, from most to least secure:
- Hardware security key (YubiKey) — most secure, overkill for most
- Authenticator app codes (Google Authenticator, Authy) — best choice for most people
- SMS text codes — better than nothing, but can be intercepted
- Email codes — weakest 2FA (if your email is compromised, so is this)
Step 1: Install an Authenticator App
Download one of these free apps (they're all equivalent for basic use):
- Google Authenticator — simplest, most widely compatible
- Authy — best if you want encrypted cloud backup of your codes
- Microsoft Authenticator — best if you use Microsoft accounts
Install it now before you start enabling 2FA — you'll need it ready.
Step 2: Enable 2FA on Your Google Account
Your Google account protects Gmail, Drive, YouTube, Google Pay, and every site where you use "Sign in with Google."
- Go to myaccount.google.com/security
- Under "How you sign in to Google" → 2-Step Verification → Get started
- Choose "Authenticator app" → scan the QR code with your app
- Enter the 6-digit code to verify it's working
- Save your backup codes somewhere safe (print them or save in a password manager)
Step 3: Facebook and Instagram
Facebook: Settings & Privacy → Settings → Security and Login → Two-Factor Authentication → Get Started → Authentication App
Instagram: Profile → three lines → Settings → Accounts Centre → Password and Security → Two-Factor Authentication → select your account → Authentication App
Step 4: WhatsApp
WhatsApp calls its 2FA "Two-step verification" — it requires a 6-digit PIN when registering your phone number on a new device.
WhatsApp → Settings → Account → Two-step verification → Enable → set a 6-digit PIN → add a recovery email
Step 5: Your Email Provider
Your email is the master key to every other account — it receives password reset emails. Protect it first.
- Gmail: myaccount.google.com/security (covered in Step 2)
- Outlook/Hotmail: account.microsoft.com → Security → Advanced security options → Two-step verification
- Yahoo Mail: account.yahoo.com/security → Two-step verification
Step 6: Banking Apps
Most banking apps have 2FA built in and may have it already enabled. Check your bank's app security settings — look for "Two-step login," "Security code," or "Authentication method." Enable the strongest option available (app-based over SMS if offered).
What Happens When You Get a New Phone?
If you used Authy: install Authy on your new phone, verify with your phone number, and all your codes transfer automatically (encrypted).
If you used Google Authenticator: On your old phone, open Authenticator → three-dot menu → Transfer accounts → Export accounts. Scan the QR code on your new phone.
If you've lost your old phone: use your backup codes to log in, then set up 2FA fresh on your new device.