Every week, someone you know gets hacked. Their Instagram starts sending dodgy links, their email locks them out, or their bank messages them at 3am about a transfer they never made. Most of these disasters could have been prevented by one simple habit: switching on two-factor authentication. In 2026, this is no longer optional. It is basic online hygiene, like brushing your teeth or locking your front door.
Thank you for reading this post, don't forget to subscribe!This guide explains what two-factor authentication really is, why it matters, and exactly how to set it up on the accounts that matter most. No jargon, no gatekeeping. Just a sensible plan you can finish in one sitting.
What Two-Factor Authentication Actually Is
Two-factor authentication, usually written as 2FA, means logging in needs two things instead of one. The first is your password. The second is something else that only you have, usually a six-digit code from an app or a security key. Even if a criminal steals your password in a data breach, they still cannot get into your account without that second piece.
Think of it like having a key and a PIN for your bank card. Losing one without the other is annoying, but not disastrous. 2FA does the same for your online life.
The Different Types of 2FA, Ranked
Not all 2FA is equally strong. In order from good to excellent, your options are: SMS codes, authenticator apps, and hardware security keys. SMS is the weakest because text messages can be intercepted through SIM-swap attacks. Use it only when nothing else is available.
Authenticator apps like Google Authenticator, Microsoft Authenticator and Authy generate a fresh code every 30 seconds. They are free, work offline, and are much safer than SMS. Hardware keys like a YubiKey are the gold standard. You plug them into your computer or tap them against your phone to log in. Nothing beats them for sensitive accounts.
Start With Your Email
Your email account is the master key to almost everything else. Password resets, new account confirmations, payment notifications, they all flow through it. If someone takes over your email, they can reset the password on every other account you own. Protect email first, before anything else.
For Gmail, go to your Google account, then Security, then 2-Step Verification, and follow the steps. Use an authenticator app rather than SMS. For Outlook, open your Microsoft account security settings and do the same. For Proton Mail, go to Account and security. The process is similar everywhere and takes about three minutes per account.
Protect Your Bank and Financial Apps
UK banks now require strong customer authentication by law, so your banking app probably already uses 2FA through its own app. But double-check. If you still log in with only a password, find the security settings and switch on app-based confirmation.
For PayPal, Revolut, Wise and any crypto exchanges, enable an authenticator app immediately. These are among the most attacked accounts online, and SMS alone is not enough. When given the choice, pick the app or hardware key option.
Secure Your Social Media
Social accounts are the second most common target for hackers, because hijacked accounts are used to scam your friends and family. Open Instagram, Facebook, Twitter or X, TikTok, LinkedIn and any other platform you use, and find the security settings.
Turn on 2FA, ideally through an authenticator app. While you are there, check which devices are currently logged in. You will often find old phones, someone else’s laptop, or unrecognised sessions. Log them all out and change your password for good measure.
Add 2FA to Your Password Manager
If you use a password manager like Bitwarden, 1Password, Dashlane or LastPass, this account is arguably more important than your email. Protect it fiercely. Enable 2FA, and seriously consider buying a hardware key to act as the second factor here. Two YubiKeys are ideal, one to carry and one to keep safely at home as a backup.
Yes, hardware keys cost around £40 each. When you compare that to the damage a breached password vault could do, it is the best money you will spend on security this year.
Back Up Your Recovery Codes
When you turn on 2FA, the service usually shows you a set of recovery codes. These are one-time passwords you can use if you ever lose your phone. Save them. Write them down on paper, store them in a locked drawer or safe, or keep them in an encrypted note inside your password manager.
Do not skip this step. A surprising number of people panic after losing their phone because they also lost access to their accounts. Recovery codes prevent that nightmare in about ninety seconds.
Be Careful With Phishing
2FA is not magic. Clever phishing sites can trick you into entering your code on a fake login page. Never log in through a link from an email or text message. Always type the website address yourself or use a bookmark. If a site asks for your 2FA code as soon as you arrive, stop and check the URL carefully.
Hardware keys make this kind of attack much harder, because they refuse to work on fake sites. It is another reason they are worth the investment.
Check Your Accounts Every Few Months
Once 2FA is set up, log in to each account at least every few months. Remove old devices from the authorised list, re-download recovery codes if needed, and make sure your recovery phone and email are still correct. Security, like fitness, does not stay in place on its own. Small regular check-ins keep it sharp.
Final Thoughts
Setting up 2FA on every important account is one of the few tech chores with a genuinely huge return. A couple of hours on a Saturday protects you from nearly all of the most common online attacks. Start with email, then banking, then social media, then everything else. Use an authenticator app by default, hardware keys for the most valuable accounts, and write down your recovery codes. Do that and you have already done more for your online security than most people ever will.