A Practical Guide to Two-Factor Authentication for Normal People
By James Whitmore · 2026-04-04 · 7 min read

Two-factor authentication is the single most effective security improvement most people can make. It is also the most common cause of being locked out of your own accounts. Both things are true, and both can be planned for.
Two-factor authentication (2FA, sometimes also called multi-factor authentication or MFA) is a security technique that requires a second piece of evidence in addition to your password before letting you log in. The principle is simple: even if someone steals or guesses your password, they still need the second factor — usually something you physically have — to get in.
Properly set up, 2FA prevents the vast majority of account takeover attacks. Improperly set up, it locks you out of accounts you genuinely need. This guide is the version most security explainers don't write, because it covers both halves honestly.
What counts as a "second factor"
The accepted categorisation:
- Something you know (password, PIN)
- Something you have (phone, hardware key, app)
- Something you are (fingerprint, face, voice)
A genuine two-factor login uses two of these three categories. A login that uses your password plus a security question uses two things you know — that's not really 2FA.
Which kinds of 2FA to actually use
Three options dominate, with meaningfully different security and usability:
SMS codes
The bank sends a six-digit code to your phone. You type it in. It's familiar, low-friction, and works on any phone. It is also the weakest form of 2FA, because attackers can sometimes hijack your phone number through "SIM swap" fraud and intercept the code. SMS 2FA is much better than no 2FA, but it's not what you should use for your most important accounts.
Authenticator app codes
You install an app (Google Authenticator, Microsoft Authenticator, Authy, 1Password, Bitwarden — all reasonable options) that generates a fresh six-digit code every 30 seconds. The code is generated on your device using a shared secret, with no SMS in the loop. Resistant to SIM swap. Works offline. Recommended for most accounts.
Hardware security keys
A small physical USB or NFC device (YubiKey is the best-known) that you tap to authenticate. The strongest available option for high-value accounts. Costs £25–£60 per key. Worth it for your primary email account and any administrative work accounts. Get two and register both, so losing one doesn't lock you out.
Biometric and "passkey" logins
Increasingly, services support passkeys — cryptographic credentials stored on your phone or laptop that you unlock with a fingerprint or face. These are functionally a form of strong 2FA. Apple, Google, and Microsoft accounts all support them, and they're spreading to other services through 2026.
What to enable on which accounts
A practical priority order:
- Your primary email account. Whoever controls your email can reset passwords on most other accounts. Use the strongest 2FA method available — ideally a hardware key plus an authenticator app as backup.
- Your bank and other financial accounts. Banks usually mandate this and use their app for the second factor. Use it.
- Cloud storage accounts (iCloud, Google Drive, Dropbox). These often hold authentication codes for other services. Strong 2FA here matters disproportionately.
- Social media accounts. Particularly any used professionally. Use an authenticator app, not SMS.
- Other accounts. As convenient. Authenticator app where supported.
How to avoid being locked out
The most common 2FA failure mode is losing access to the second factor — your phone breaks, gets stolen, or is replaced and the codes don't transfer. The solutions are all about backups, and they're worth setting up before you need them:
- Save the recovery codes. When you set up 2FA, services give you a list of one-time recovery codes (usually 8–10 of them). Save these somewhere physical and secure — printed in a desk drawer or written in a paper notebook. Not in the same password manager that holds your password.
- Register multiple second factors. If a service allows both an authenticator app and a hardware key, register both. If you lose access to one, the other still works.
- Enable cloud backup of authenticator codes. Authy, 1Password, and Bitwarden all sync your 2FA codes to your account so that a new phone can recover them. Google Authenticator now does this too. Each has trade-offs (cloud-synced codes are slightly less secure than device-only codes) but for most users the trade-off is worth it for not being locked out.
- Keep one trusted recovery contact. Several services let you nominate a trusted contact who can help you recover access. Worth setting up if you have a partner or family member you trust with this responsibility.
What 2FA does not protect against
A few things 2FA does not stop, which are worth knowing:
- It doesn't stop someone who tricks you into typing your code into a fake login page. (This is "phishing through the 2FA prompt" — increasingly common.)
- It doesn't stop someone who has access to your unlocked phone or laptop.
- It doesn't stop someone reading your screen in a coffee shop.
- It doesn't stop social engineering of customer-service staff to reset your account.
For these, the defences are different — primarily attentiveness, screen privacy, and using a password manager that won't autofill credentials on a fake site.
A weekend setup that materially improves your security
If you've not enabled 2FA on your main accounts and you can spend an hour on it this weekend, the order is:
- Install an authenticator app (Authy or 1Password are good starting choices)
- Enable 2FA on your primary email account
- Save the recovery codes somewhere physical
- Enable 2FA on your bank's app if it isn't already
- Enable 2FA on the cloud storage account that holds your photos
Five steps, an hour, and a substantial improvement in how hard it would be for someone to take over your accounts.
Two-factor authentication is a one-time setup with permanent benefits. The setup is mildly tedious. The protection lasts as long as the account exists.