Two-factor authentication provides an easy way to secure your accounts — here's how it works and how to enable it

Passwords are the worst. They can be cracked, forced open in attacks, guessed, reused, sold in data breaches, created with weak practices and stored poorly even when the best password managers are available.
Having an insecure password leaves you open to having your account breached, your data stolen, your personal information sold and a variety of malicious actions taken against your data and your devices. It can take a long time and tons of effort to recover from, but the good news is that two-factor (and multi-factor) authentication provides an extra layer of security to accounts that offer it.
If you have an account that offers two-factor or multi-factor authentication, there is every reason to set it up, especially considering that some of the biggest data breaches in history have occurred because the companies in question did not have two-factor authentication enabled.
If you’re not already familiar with two-factor authentication, here’s what it is: a secondary method of verifying that your access to your account is legitimate, which makes the account more difficult for hackers to crack into. It can be a static passcode, an SMS message, a phone call or even a USB key. Most online sites or apps are set up so that you can easily enable it. It does require some patience to get done initially, and it means an extra step when logging in, but that's usually a million times better than a hacker having easier access to your accounts.
How does 2FA work?
When you log in using your username and password as usual, you’ll be asked to enter a code, which you’ll either receive on your smartphone or already have available as an access code. Sometimes you’ll need to open an app to receive the appropriate verification or code. There are standalone apps that act as 2FA verification apps, and even USB keys that will provide the necessary authorization.
When you return to your login page or screen, you can enter your verification details and then access your account. This process makes it very difficult for anyone else to get into your account, since they won’t be able to get both your password and your access code. A threat actor trying to access your account with a stolen, sold or cracked password isn't that unusual, but you'll receive the prompt with the code that lets you know someone is trying to get in, which gives you time to switch your password, lock down your account or perform additional security measures like running a virus scan with your antivirus program.
Some people will avoid enabling two-factor authentication (2FA) or multi-factor authentication (MFA) on the basis that it is cumbersome or time-consuming to do each time, but it doesn't usually take longer than entering one extra field. Many apps are also allowing users to switch to passkeys, which are even faster and more secure, so if that's an option, take it!
How to set up 2FA on your Microsoft account
First, download the Microsoft Authenticator app, which is available for iOS and Android, and log in. Select the Security tab, then on the next page you'll see an option to select Two-Factor authentication in the top right corner.
Your account will now run you through setup. The main choice is how you want the account to recognize you, which in our case would be by using an app. The account will then send a code that you will need to enter to connect the two accounts. From then on, any time you attempt to log on you will have to verify on the app.
How to set up Gmail 2FA
In a browser window, head to the 2-Step Verification webpage (and sign in to your Gmail account if you haven’t already). Click Get Started when you’re ready.
There will be three ways to set up 2FA in Gmail: a text message or phone call, Google Prompts or a physical key. By default, you’ll be shown the page for text message/phone call as the way to verify your account. Clicking Show more options will allow you to select one of the other two; jumping to step 6 will show you instructions for Google prompts, step 7 will be instructions for security keys.
When using your phone for 2FA, a six-digit code will be sent to you via text message or a phone call whenever you log in to Gmail. You will then be prompted to enter that code — the idea is that a hacker would need to have your phone in hand to gain access, making logins more secure.
In order to set this up, enter your mobile phone number (select a country code if the one shown is incorrect) then click Next. A PIN number will be sent to your phone via text message or you will receive a call. Enter the PIN number and click Next. Once your PIN has been accepted and validated, you will be asked if you want to turn on 2-Step Verification. We’re assuming you do, so click Turn on.
The other steps are similarly easy to follow, though you do need to have a security key (like a Yubikey) in hand to complete the steps for that option.
How to add 2FA to your Apple ID
First head to Settings, then your Apple account at the top of the menu. Next select Sign-in & Security > Two-factor authentication > Add a trusted phone number. The area code replaces the first digit of a phone number.
Once you've added that number, select how you want it to be verified: text message or phone call. That's pretty much it, but keep in mind that if you live in a rural area one of those may be easier to receive than the other. Also, you can add multiple trusted phone numbers but you can only delete them once you've added one.
Overall, it's generally not difficult to navigate through a settings menu and set up 2FA or MFA on almost any account or app that offers it, and it's entirely worth doing the next time you open your email, social media or banking apps. One by one you'll get them each set up, and you'll feel a lot better about your accounts being secure the next time you see a news post about a massive data breach that includes user names and passwords.
Amber Bouman is the senior security editor at Tom's Guide where she writes about antivirus software, home security, identity theft and more. She has long had an interest in personal security, both online and off, and also has an appreciation for martial arts and edged weapons. With over two decades of experience working in tech journalism, Amber has written for a number of publications including PC World, Maximum PC, Tech Hive, and Engadget covering everything from smartphones to smart breast pumps.