What Is 2FA? How to Set Up Two-Factor Authentication

2FA means Two-Factor Authentication. It reduces the damage from password leaks by requiring something else before a sign-in is accepted.

Authentication factors usually fall into three groups:

• Something you know: a password or PIN.
• Something you have: a phone, authenticator app, security key, or trusted device.
• Something you are: fingerprint, face recognition, or another biometric check.

Strictly speaking, 2FA uses two different categories. Many websites also use the labels 2FA or 2-Step Verification for "password plus one-time code" flows.

Method	How it works	Strengths	Watch out for
Authenticator app / TOTP	Google Authenticator, Microsoft Authenticator, 1Password, Bitwarden, and similar apps generate short-lived codes	Works offline, widely supported, more reliable than SMS	Migrate the app or save recovery codes before replacing your phone
Passkey / security key	A device passkey, biometric check, or hardware key such as a YubiKey verifies the sign-in	Strong phishing resistance, good for critical accounts	Keep a backup device or second key
Push prompt	A signed-in phone or app asks you to approve the sign-in	Convenient for daily use	Never approve a prompt you did not start
SMS / email code	The service sends a one-time code to a phone number or email address	Easy to start with	Can be affected by SIM swap, email compromise, or delivery delays
Recovery codes	One-time backup codes generated when 2FA is enabled	Can save you when your phone is lost	Store them offline or in an encrypted vault, not only on the same phone
App passwords	Separate passwords for older mail clients or legacy apps	Supports apps that cannot handle modern 2FA	Revoke them when no longer needed

Google / Gmail

Path: Google Account → Security → How you sign in to Google → 2-Step Verification.

Common methods: Google Prompt, Authenticator, passkeys/security keys, and backup codes. Enable an authenticator app or passkey, then save backup codes.

GitHub

Path: GitHub → Settings → Password and authentication → Two-factor authentication.

Common methods: TOTP app, SMS, GitHub Mobile, passkey/security key, and recovery codes. Developer accounts should prefer TOTP or security keys instead of relying only on SMS.

Microsoft / Outlook / Xbox

Path: Microsoft account → Security → Advanced security options → Two-step verification.

Common methods: Microsoft Authenticator, email, phone, and security keys. After enabling 2FA, older mail clients may need app passwords.

Apple Account / iCloud

Path: iPhone/iPad Settings → your name → Sign-In & Security; or macOS System Settings → Apple Account → Sign-In & Security.

Common methods: trusted-device prompts, trusted phone numbers, verification codes, and security keys. Make sure your trusted phone number is still reachable.

Facebook / Instagram

Path: usually Meta Accounts Center → Password and security → Two-factor authentication. You can enter Accounts Center from Facebook or Instagram settings.

Common methods: authenticator app, SMS, WhatsApp/login notification, recovery codes, and security keys depending on account, region, and client. Prefer an authenticator app and save recovery codes.

X / Twitter

Path: Settings and privacy → Security and account access → Security → Two-factor authentication.

Common methods: authenticator app, security key, and SMS. SMS availability can depend on account type, region, and platform policy, so prefer an authenticator app or security key.

• Before replacing a phone: migrate the authenticator app and confirm the new phone can generate working codes.
• If the phone is already lost: use recovery codes, a backup phone number, a backup security key, or an already trusted device.
• For team accounts: keep more than one administrator so one lost 2FA device does not lock out the whole team.
• If none of that works: use the platform's account recovery flow. Important accounts should have recovery email, phone, and codes prepared ahead of time.