Last month, a friend called me at 11 PM. Someone had gotten into his Gmail, changed the password, and was sending emails to his contacts asking for money. Classic account takeover.
The first thing I asked: "Did you have two-factor authentication turned on?"
Silence.
Here is the thing — my friend is a software developer. He knows better. But knowing and doing are different things, and 2FA setup always fell into the "I will do it later" category. Until later became too late.
This guide exists so you do not end up making that same call. I am going to walk you through setting up 2FA on the accounts that matter most, in order of priority. The whole process takes about 20 minutes.
Before We Start: Choosing Your 2FA Method
Hardware Security Keys (Best)
Physical devices like YubiKey or Google Titan that you plug into your computer or tap against your phone. A phishing site cannot steal what exists on a physical device. A YubiKey costs about $25-50.
Authenticator Apps (Great)
Apps like Google Authenticator, Authy, or Microsoft Authenticator generate a new 6-digit code every 30 seconds. These codes are generated locally on your device — they never travel over the network. My pick: Authy. It supports encrypted cloud backup so you do not lose everything if your phone dies.
SMS Codes (Better Than Nothing)
A code sent via text message. Better than no 2FA, but vulnerable to SIM swapping attacks. Use SMS only if the service does not support authenticator apps.
Step 1: Your Email (5 Minutes)
Your email is the skeleton key. Reset almost any account? It goes through email. If an attacker controls your email, they control everything.
Gmail / Google Account
- Go to myaccount.google.com/security
- Under "How you sign in to Google," click 2-Step Verification
- Click Get Started and choose Authenticator app
- Open Authy on your phone and scan the QR code
- Enter the 6-digit code to confirm
- Save the backup codes Google gives you
Pro tip: While you are here, also remove your phone number as a recovery option if possible. A phone number is a liability if someone SIM swaps you.
Outlook / Microsoft
- Go to account.microsoft.com/security
- Click Advanced security options
- Turn on two-step verification and choose An app
Step 2: Your Bank and Financial Accounts (5 Minutes)
After email, your money is the next priority. Most major banks now support 2FA, though many still default to SMS.
- Log into your online banking
- Go to Security Settings
- Look for "Two-factor authentication"
- Choose authenticator app if available, SMS if not
Do this for: your primary bank, credit cards, PayPal, Venmo, Cash App, and any investment accounts. All of them. Right now.
Step 3: Social Media (5 Minutes)
A compromised Instagram account with a decent following sells for hundreds of dollars on dark web forums.
Open the app → Profile → Settings → Accounts Center → Password and security → Two-factor authentication → Choose Authentication app.
X (Twitter)
Settings → Security and account access → Security → Two-factor authentication → Choose Authentication app. Note: X removed free SMS 2FA in 2023.
Settings & Privacy → Settings → Security and Login → Use two-factor authentication → Choose Authentication app.
Step 4: Cloud Storage (3 Minutes)
Dropbox: dropbox.com → Settings → Security → Two-step verification → Enable → Use a mobile app.
iCloud: Apple actually requires 2FA for all Apple IDs now. Settings → [Your Name] → Password & Security → Two-Factor Authentication.
Step 5: Password Manager (2 Minutes)
If you use a password manager (and you should), enabling 2FA on it is critical. This is the vault that holds all your other passwords. Bitwarden, 1Password, LastPass, and Dashlane all support authenticator app 2FA.
The Backup Code Problem
Every service gives you backup codes when you set up 2FA. Most people either do not save them, or save them in a place they will never find again.
Here is what I do: I print backup codes on paper and keep them in a fireproof safe. Old school? Yes. Unhackable remotely? Also yes.
What If I Lose My Phone?
- Authy cloud backup: Install Authy on a new phone, log in, codes are restored.
- Backup codes: Use the printed codes you saved.
- Hardware key backup: Buy two YubiKeys, register both. Keep one in a safe place.
The 20 minutes you spend today setting up 2FA will save you from the nightmare of losing access to your accounts — or having someone else access them for you. Your passwords are the lock on your front door. 2FA is the deadbolt. Install the deadbolt.