Two-Factor Authentication Explained: Why Every Account Needs It
The Microsoft Statistic You Should Know
In 2019, Microsoft analysed over 1.2 million compromised accounts over 30 days. Their finding: 99.9% of compromised accounts did not have multi-factor authentication enabled.
Think about that. A single 30-second setup step would have prevented almost all of them.
What Two-Factor Authentication Is
Authentication factors are categories of proof that you are who you claim to be:
- Something you know: your password
- Something you have: your phone, a hardware key
- Something you are: your fingerprint, face
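Two-factor authentication requires proof from two of these categories, typically your password plus something you have. Even if an attacker has your password — through a breach, phishing, or guessing — they cannot log in without the second factor. The temporary code expires in 30 seconds and cannot be reused.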
Types of 2FA (Ranked by Security)
Hardware Security Keys (most secure): Physical devices (YubiKey, Google Titan) that you plug in or tap. Cannot be phished — the key only responds to the legitimate site. Used by high-security organisations and recommended for your most important accounts.
Authenticator Apps (highly secure): Apps like Authy, Google Authenticator, Microsoft Authenticator, or 1Password generate time-based one-time codes (TOTP). More secure than SMS, not dependent on your phone carrier.
SMS/Text Message (least secure but still valuable): A code is texted to your phone number. Vulnerable to SIM swapping attacks, where an attacker convinces your carrier to transfer your number to their SIM. Still vastly better than no 2FA.
Which Accounts Need 2FA First
Prioritise in this order:
1. Email — your email can reset everything else. This is the most important account to secure.
2. Banking and financial accounts
3. Password manager
4. Social media (compromised accounts are used for fraud targeting your contacts)
5. Work accounts
6. Everything else that offers it
Setting Up 2FA in 5 Minutes
1. Download Authy or enable 2FA in your password manager (1Password and Bitwarden both support TOTP)
2. Go to your email account's security settings
3. Find "Two-factor authentication" or "Two-step verification"
4. Select "Authenticator app"
5. Scan the QR code with your authenticator app
6. Enter the 6-digit code to confirm
7. Save your backup codes somewhere safe
That is it. Repeat for your other priority accounts.
The Backup Code Warning
Every service that offers 2FA also gives you backup codes — single-use codes for when you lose your phone. Print these or store them in your password manager. Losing your 2FA device without backup codes can lock you out of your own accounts.
Written by Øyvind — NorwegianSpark SA.
Reviewed by Øyvind — NorwegianSpark · Last updated: 4 April 2026