Two-Factor Authentication (2FA)

Even the strongest password can be stolen. Two-factor authentication — often called 2FA — adds a second layer of protection to your accounts. Think of it as a deadbolt on top of your regular lock. Even if someone has your password, they still can’t get in without the second step.


What Is Two-Factor Authentication?

When you log in to an account with 2FA turned on, you enter your password as usual. Then the website asks you to prove it’s really you by providing a second piece of evidence — something only you have access to.

This second step is usually one of the following:

  • A one-time code sent to your phone by text message
  • A one-time code generated by an app on your phone
  • A tap or confirmation on your phone through a notification
  • A physical security key you plug into your computer

Without that second step, a scammer who has your password is locked out.


Types of 2FA — From Simplest to Strongest

📱 Text Message Codes (SMS)

How it works: After entering your password, the website sends a 6-digit code to your phone number by text. You type the code into the website to finish logging in.

Pros: The easiest option. No apps to install. Works on any phone that receives texts — including flip phones.

Cons: It’s the weakest form of 2FA. In rare cases, scammers can trick your phone company into transferring your number to their phone (called “SIM swapping”). However, text message 2FA is still far safer than no 2FA at all.

Best for: Anyone just getting started with 2FA. If this is the only option a website offers, always turn it on.

🔐 Authenticator Apps

How it works: You install a free app on your smartphone. When you set up 2FA on a website, you scan a QR code with the app. From then on, the app generates a new 6-digit code every 30 seconds. When logging in, you open the app and type in the current code.

Pros: More secure than text messages. Codes are generated on your device instead of being sent to you, so there is no message for a scammer to intercept. Works even without cell service.

Cons: Requires a smartphone. You need to have your phone nearby when logging in.

Trusted authenticator apps:

  • Google Authenticator — free, simple, available on iPhone and Android
  • Microsoft Authenticator — free, includes cloud backup of your codes
  • Authy — free, works on multiple devices, good for beginners
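For readers who want to see what happens behind the 6-digit code: the sketch below is an added example, not code from any of the apps listed above, and it follows the public TOTP standard (RFC 6238) that authenticator apps of this kind implement. The QR code hands the app a shared secret; the app and the website each combine that secret with the current 30-second time step, so the codes match without anything being sent to the phone. The function names and the sample secret are illustrative assumptions.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds each code stays valid (the "every 30 seconds" above)
DIGITS = 6   # length of the code the app displays

# Constructed sample secret: the published RFC 4226/6238 test key, Base32-encoded
# the way a setup QR code carries it. Never use a published key on a real account.
SECRET = base64.b32encode(b"12345678901234567890").decode()

def hotp(key, counter):
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, then dynamic truncation."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # low nibble picks 4 bytes
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)  # keep leading zeros

def totp(secret_b32, now=None):
    """What the app shows: HOTP where the counter is the 30-second step number."""
    now = time.time() if now is None else now
    return hotp(base64.b32decode(secret_b32), int(now) // STEP)

def verify(secret_b32, submitted, now=None, window=1, last_used_step=-1):
    """Website side: return the matching time step, or None if the code is rejected.

    window=1 tolerates one step of clock drift in either direction.
    last_used_step blocks a second login with a code that was already accepted.
    """
    key = base64.b32decode(secret_b32)
    now = time.time() if now is None else now
    current = int(now) // STEP
    for step in range(max(0, current - window), current + window + 1):
        if step <= last_used_step:
            continue                                # already used: replay
        if hmac.compare_digest(hotp(key, step), submitted):
            return step                             # caller stores this step
    return None

if __name__ == "__main__":
    code = totp(SECRET)
    print("code shown in the app right now:", code)
    print("website accepts it at step:", verify(SECRET, code))
```

Because the code depends only on the secret and the clock, anyone who obtains the secret from the QR code can generate valid codes, which is why the setup screen should not be photographed or shared.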

🔑 Security Keys

How it works: A security key is a small physical device — about the size of a thumb drive — that you plug into your computer or tap against your phone when logging in. It’s the strongest form of 2FA available.

Pros: Nearly impossible to hack remotely. Can’t be phished. Simple to use once set up.

Cons: Costs money (usually $25–$50). You need to keep track of the physical key. Not supported by every website.

Best for: Protecting your most important accounts — especially email and banking — if you want the highest level of security.


Which Accounts Should Have 2FA?

Start with the accounts that would cause the most damage if hacked:

  • Email — This is the most important one. If a scammer gets into your email, they can reset passwords on almost every other account you have.
  • Banking and financial accounts — Your bank, credit cards, and investment accounts.
  • Social media — Facebook, Instagram, and any other platforms you use.
  • Shopping accounts — Amazon, Walmart, and any site that stores your credit card.
  • Healthcare portals — Your doctor, insurance, and Medicare accounts contain sensitive personal data.

How to Turn On 2FA

The steps are slightly different on every website, but the general process is the same:

  • Step 1: Log in to your account and go to Settings or Security settings.
  • Step 2: Look for “Two-Factor Authentication,” “Two-Step Verification,” or “Login Verification.”
  • Step 3: Choose your method — text message is the easiest place to start.
  • Step 4: Follow the on-screen instructions. You’ll usually verify your phone number or scan a QR code.
  • Step 5: Save any backup codes the website gives you. Write them down and store them in a safe place. These let you get back in if you lose your phone.

Important: When a website gives you backup or recovery codes, write them down on paper and keep them somewhere safe — like with your important documents. If you lose your phone, these codes are your way back in.


2FA Quick Reference

  • Any 2FA is better than no 2FA. Even text message codes dramatically reduce your risk.
  • Start with your email account. It’s the key to everything else.
  • Save your backup codes. Write them on paper and store them safely.
  • Don’t share codes with anyone. No legitimate company will ever call and ask for your 2FA code. If someone does, it’s a scam.
  • Lost your phone? Use your backup codes to log in, then update your 2FA settings with your new phone.
  • You only set it up once. After that, it just takes a few extra seconds each time you log in — a small price for much better security.
