Two-factor authentication (2FA), also called two-step verification, adds a second check when you log in. Even if someone has your password, they can't get in without also having your phone or a code only you can receive. It's one of the most effective ways to protect your accounts.

How It Works

When you log in with 2FA enabled, you enter your password as normal — then you're asked for a second piece of proof. This might be:

  • A code sent to your mobile phone by text message (SMS)
  • A code from an authenticator app (more secure)
  • A notification to approve on your phone
  • A fingerprint or face scan on a trusted device

Where to Turn It On First

Prioritise these accounts — they protect access to almost everything else:

  1. Your email account — anyone who can access your email can reset passwords for everything else
  2. Online banking — most banks already require this, but check it's active
  3. Your Microsoft account — used for Windows login and Microsoft 365
  4. Your Google account — used for Gmail, Google Pay, and Android
  5. Apple ID — if you use Apple devices

Setting Up 2FA on Your Microsoft Account

  1. Go to account.microsoft.com and sign in.
  2. Click Security > Advanced security options.
  3. Under Two-step verification, click Turn on.
  4. Follow the prompts to add your phone number or set up an authenticator app.

Setting Up 2FA on a Google Account

  1. Go to myaccount.google.com and sign in.
  2. Click Security on the left.
  3. Under How you sign in to Google, click 2-Step Verification and follow the steps.

Authenticator Apps vs Text Messages

Text message codes are better than nothing, but authenticator apps are more secure. Microsoft Authenticator and Google Authenticator are both free and straightforward to set up. The app generates a new code every 30 seconds that only works for that moment — much harder to intercept than a text.

Save your backup codes. When you enable 2FA, most services give you one-time backup codes in case you lose your phone. Write them down and keep them somewhere safe. Don't store them in the same place as your passwords.