Two-Factor Authentication: Add a Second Lock to Your Accounts
TL;DR: Two-factor authentication (2FA) means that even if someone steals your password, they still can't get into your account. It takes about 30 seconds to set up and is one of the most effective things you can do to protect yourself online. Turn it on for your email and password manager first.
What Is Two-Factor Authentication?
A password is something you know. Two-factor authentication adds a second check — something you have — before letting you in.
Think of it like a bank safe deposit box. The bank has one key and you have another. Neither key works alone — you both need to be present. Even if someone steals your key, they can't open the box without the bank's key too.
With 2FA turned on, logging in requires:
- Your password (something you know)
- A second confirmation — usually a code from your phone (something you have)
So even if a hacker steals your password in a data breach, they're stuck. They don't have your phone.
Why This Matters So Much
Passwords get stolen all the time — not because you did anything wrong, but because websites get hacked. When that happens, your email and password end up in lists that criminals buy and try on other sites automatically.
🔍 If you have used an email address for more than a few years, it has almost certainly appeared in at least one breach. You can check in seconds at Have I Been Pwned, or read our guide on what information about you is already out there. Whether you've checked or not, acting as if your password has already leaked, and using 2FA, is the right habit.
2FA breaks that chain. The stolen password is useless on its own, so the automated attacks that follow a breach (trying leaked passwords on thousands of other sites) fail outright. One caveat: a convincing fake login page can ask for your code too and relay it to the real site within the code's 30-second lifetime, so a text or app code does not fully protect you from a targeted phishing attack. Only passkeys and hardware keys, covered below, resist that.
Your email account in particular is the master key to everything else online. If someone gets into your email, they can use "forgot my password" to reset every other account they want. Protecting your email with 2FA is the single most impactful thing most people can do.
💡 If you only do one thing after reading this page, turn on 2FA for your email account. Everything else flows from there.
The Types of 2FA (From Weakest to Strongest)
Not all 2FA is equal. Here's how the common methods compare:
📱 SMS Text Message — Convenient but Weakest
When you log in, a 6-digit code is sent to your phone via text message.
Pros:
- Already works with your existing phone number — nothing to install
- Widely supported
Cons:
- SIM-swapping attacks: a criminal can call your phone provider, pretend to be you, and get your number transferred to their phone — receiving your codes
- Doesn't work if you have no signal or are travelling without your home SIM
- Text messages are not encrypted in transit: they can be intercepted through weaknesses in the phone network or by malware on the phone
- A fake login page can ask for the code and pass it on to the real site while it is still valid
Verdict: Far better than nothing, but if a site offers a better option, use it instead.
🔑 Authenticator App — The Recommended Method
An authenticator app on your phone generates a new 6-digit code every 30 seconds, entirely offline, with no text message needed. The code is calculated (using the TOTP standard, RFC 6238) from a secret the site shares with the app when you set it up, usually by showing a QR code; the current time is the only other input, which is why the app needs no network connection.
Pros:
- Not vulnerable to SIM swapping
- Works offline — no signal needed
- Supported by almost every major site and service
- Free to use
Cons:
- Requires installing an app
- If you lose your phone without a backup, recovery takes some effort
- Codes can still be phished in real time: a fake site can ask for the code and use it within the 30 seconds it is valid. The same secret is also stored on the site's side, so a breach of the site can expose it
Verdict: This is the sweet spot — strong security, easy to use daily, and free.
🔐 Passkeys — The Future (and Already Here)
A passkey replaces your password and 2FA in one step. Your device (phone or laptop) creates a unique key pair for each site: the private key never leaves your device, and the site stores only the matching public key. To log in, you unlock the key with your face, fingerprint or device PIN, and the device signs a one-time challenge from the site. There's nothing to type, and because the site only holds the public half, a breach there leaks nothing an attacker can use.
Pros:
- The most secure option available
- No codes to type — just your face or fingerprint
- Phishing-resistant: the key is tied to the site's web address, so a look-alike site cannot use it, and there is no code you can be tricked into typing
- Already supported by Google, Apple, Microsoft, Amazon, PayPal, GitHub, and more
Cons:
- Relatively new — not supported everywhere yet
- Requires a reasonably recent phone or laptop with a screen lock (biometrics or a PIN)
Verdict: Use passkeys wherever available. Apple Keychain and 1Password already support them, as do Google Password Manager and Bitwarden, and all of them sync your passkeys across your devices so that losing one device does not lock you out.
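To make the "tied to the site's web address" point concrete, here is a small Go model of the passkey login flow. It is an added example written for this page, not code from any of the products named above. It follows the WebAuthn shape (a key pair per site, a random challenge from the site, the browser-supplied origin inside the signed data) but leaves out attestation, signature counters and the real wire encoding; the domain example.com, the look-alike examp1e.com and the user alice are made up for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Authenticator stands in for the phone or laptop: one private key per (site, user).
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }
// RelyingParty stands in for the website: it stores public keys only, never secrets.
type RelyingParty struct {
	ID   string                      // the site's domain, e.g. "example.com" (constructed)
	pubs map[string]*ecdsa.PublicKey // one public key per user
}
// clientData mirrors WebAuthn's collectedClientData; the browser fills in the real origin.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
// Assertion is what the browser hands back to the site once the user has unlocked the key.
type Assertion struct {
	ClientDataJSON []byte
	RPIDHash       [32]byte // hash of the domain the key belongs to (authenticatorData in WebAuthn)
	Signature      []byte
}

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}} }
func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, pubs: map[string]*ecdsa.PublicKey{}}
}

// NewChallenge is the fresh random value the site sends at the start of every login.
func NewChallenge() []byte {
	c := make([]byte, 32)
	rand.Read(c)
	return c
}

// Register creates a fresh P-256 key pair for this site; only the public half goes to the site.
func (a *Authenticator) Register(rp *RelyingParty, user string) error {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	a.keys[rp.ID+"|"+user] = priv
	rp.pubs[user] = &priv.PublicKey
	return nil
}

// signedMessage is what gets signed: hash(rpIDHash || hash(clientData)), so neither the
// domain nor the origin can be swapped after the fact.
func signedMessage(rpIDHash, clientDataHash [32]byte) []byte {
	h := sha256.Sum256(append(rpIDHash[:], clientDataHash[:]...))
	return h[:]
}

// Sign is the login step from a page at origin. A real browser derives rpID from the origin
// itself; both are parameters here so the failure cases can be shown explicitly.
func (a *Authenticator) Sign(origin, rpID, user string, challenge []byte) (*Assertion, error) {
	priv, ok := a.keys[rpID+"|"+user]
	if !ok {
		return nil, fmt.Errorf("no passkey for %s on this device", rpID)
	}
	cd, _ := json.Marshal(clientData{"webauthn.get", base64.RawURLEncoding.EncodeToString(challenge), origin})
	rpHash := sha256.Sum256([]byte(rpID))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(rpHash, sha256.Sum256(cd)))
	if err != nil {
		return nil, err
	}
	return &Assertion{ClientDataJSON: cd, RPIDHash: rpHash, Signature: sig}, nil
}

// Verify is the site's side: origin, challenge and domain are checked, then the signature.
func (rp *RelyingParty) Verify(user string, challenge []byte, as *Assertion) error {
	pub, ok := rp.pubs[user]
	if !ok {
		return fmt.Errorf("unknown user %q", user)
	}
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Origin != "https://"+rp.ID {
		return fmt.Errorf("assertion was made on %q, not on this site", cd.Origin)
	}
	if cd.Challenge != base64.RawURLEncoding.EncodeToString(challenge) {
		return fmt.Errorf("challenge mismatch: stale or replayed assertion")
	}
	if as.RPIDHash != sha256.Sum256([]byte(rp.ID)) {
		return fmt.Errorf("signed for a different domain")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(as.RPIDHash, sha256.Sum256(as.ClientDataJSON)), as.Signature) {
		return fmt.Errorf("bad signature")
	}
	return nil
}

func main() {
	phone, site := NewAuthenticator(), NewRelyingParty("example.com")
	phone.Register(site, "alice")
	ch := NewChallenge()
	as, _ := phone.Sign("https://example.com", "example.com", "alice", ch)
	fmt.Println("genuine site:", site.Verify("alice", ch, as))
	_, err := phone.Sign("https://examp1e.com", "examp1e.com", "alice", NewChallenge())
	fmt.Println("look-alike site:", err)
}
```

Two things to take away. The device only holds a key for the domain it was created on, so a look-alike site has nothing to ask for. And even if an assertion were obtained some other way, the origin and the challenge inside it are signed, so the real site rejects it; a TOTP code, by contrast, carries no information about where it was typed.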
🗝️ Hardware Security Key — For High-Value Accounts
A physical USB or NFC key (like a YubiKey) that you plug in or tap to confirm a login. It uses the same FIDO standard as passkeys, so a passkey can live on a hardware key instead of on your phone; the difference is that the key is locked inside a small dedicated device and cannot be copied off it.
Pros:
- The private key never leaves the device, so it cannot be stolen remotely or copied by malware on your computer
- Phishing-resistant by design
Cons:
- Costs money (~€25–€50)
- Overkill for most everyday users
- You need a backup key in case you lose it
Verdict: Not necessary for most people — passkeys and authenticator apps cover everyday needs well.
Recommended Authenticator Apps
These apps generate the secure codes for your accounts. Install one on your phone and it handles everything.
⭐ Recommended: Built into Your Password Manager
If you use 1Password, it can store your authenticator codes alongside your passwords — so when you log into a site, it fills in both the password and the 2FA code automatically. This is the most seamless experience.
The same applies to Bitwarden Premium (requires a paid plan, ~€10/year).
If you're already using one of these, you may not need a separate app at all. One caveat: this puts both factors in the same vault, so the vault becomes the single target. That is acceptable as long as the password manager itself is locked down (a strong master password and its own 2FA, ideally a passkey or hardware key), which is why it sits at the top of the priority list below.
📲 Aegis (Android) — Best Standalone App
Free, open source, and stores your codes securely with encryption. You can export a backup so you don't lose everything if you change phones.
Best for: Android users who want a dedicated, trustworthy app.
📲 Raivo (iPhone/iPad) — Best for iOS
A clean, free, open-source authenticator for Apple devices. Syncs to iCloud for backup, so switching phones is painless.
Best for: iPhone and iPad users who want a standalone app.
📲 Google Authenticator
Free and widely supported. Easy to set up, but for years it had no backup at all; it can now sync codes to your Google account, though that sync was not end-to-end encrypted when it launched, so it ties the safety of your codes to the safety of your Google account. Works fine if you're already in the Google ecosystem.
Best for: Anyone already using Google heavily who wants the simplest setup.
⚠️ Avoid: Authy
Authy was once recommended, but it has discontinued its desktop apps, does not let you export your codes to another app, and in 2024 had millions of user phone numbers exposed through an unsecured API. If you currently use it, migrate to one of the alternatives above (you will need to re-enrol each account, since Authy has no export).
Where to Turn It On First
Don't try to do everything at once. Start with these accounts — they're the most important:
| Priority | Account | Why |
|---|---|---|
| 🔴 First | Your email (Gmail, Outlook, iCloud) | It's the master key to every other account |
| 🔴 First | Your password manager (1Password, Bitwarden) | It protects all your other passwords |
| 🟠 Soon | Your Apple ID / Google Account | Controls your phone and linked purchases |
| 🟠 Soon | Your bank and financial accounts | Direct access to money |
| 🟡 When you can | Social media (Facebook, Instagram) | Prevents impersonation and account theft |
| 🟡 When you can | Shopping accounts (Amazon, etc.) | Saved payment details at risk |
"What if I Lose My Phone?"
This is the most common worry — and it's a fair one. Here's how to prepare:
- Back up your authenticator codes. Both Aegis and Raivo support encrypted backups. Do this when you set them up.
- Save your recovery codes. When you turn on 2FA for a site, it usually offers a set of one-time backup codes. Save these somewhere safe — your password manager is a good place.
- If you use 1Password as your authenticator, your codes are backed up as part of your 1Password account — nothing extra needed.
- If you lose your phone anyway, most services have an account recovery process, which is why keeping your email secure (with 2FA) is so important — it's often the recovery route.
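What the site does with those one-time backup codes, as an added Go example written for this page (it is not the code of any service named here): it hands the user the plaintext codes once, keeps only hashes, and deletes each hash the moment its code is used. The alphabet, the code length and the use of SHA-256 are this example's own choices.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"strings"
)

// 32 symbols, so each one carries exactly 5 bits; 0/O and 1/I are left out so a printed
// code cannot be misread. A 10-symbol code is therefore 50 bits of randomness.
const alphabet = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"

// RecoveryCodeStore is the site's side: only hashes are kept, and a hash is deleted on use.
type RecoveryCodeStore struct{ hashes [][32]byte }

// normalize lets the user type the code in lower case or without the separator.
func normalize(code string) string {
	return strings.ToUpper(strings.NewReplacer("-", "", " ", "").Replace(code))
}

func hashCode(code string) [32]byte { return sha256.Sum256([]byte(normalize(code))) }

// Generate makes n codes of the form XXXXX-XXXXX. The plaintext list is shown to the user
// once (to be saved in a password manager); the site keeps only the store.
func Generate(n int) ([]string, *RecoveryCodeStore, error) {
	codes := make([]string, n)
	store := &RecoveryCodeStore{}
	for i := range codes {
		var b [10]byte
		if _, err := rand.Read(b[:]); err != nil {
			return nil, nil, err
		}
		var sb strings.Builder
		for j, x := range b {
			if j == 5 {
				sb.WriteByte('-')
			}
			sb.WriteByte(alphabet[int(x)%len(alphabet)]) // 256 is a multiple of 32, so no bias
		}
		codes[i] = sb.String()
		store.hashes = append(store.hashes, hashCode(codes[i]))
	}
	return codes, store, nil
}

// Redeem accepts a code at most once. Every stored hash is compared in constant time with
// no early exit, so response timing does not reveal whether, or where, a code matched.
func (s *RecoveryCodeStore) Redeem(code string) error {
	h := hashCode(code)
	found := -1
	for i := range s.hashes {
		if subtle.ConstantTimeCompare(s.hashes[i][:], h[:]) == 1 {
			found = i
		}
	}
	if found < 0 {
		return fmt.Errorf("invalid or already used recovery code")
	}
	s.hashes = append(s.hashes[:found], s.hashes[found+1:]...) // burn it
	return nil
}

// Remaining tells the user how many codes are left, so they know when to generate a new set.
func (s *RecoveryCodeStore) Remaining() int { return len(s.hashes) }

func main() {
	codes, store, err := Generate(8)
	if err != nil {
		panic(err)
	}
	fmt.Println("show these to the user once:", strings.Join(codes, " "))
	fmt.Println("first use:", store.Redeem(codes[0]))  // <nil>
	fmt.Println("second use:", store.Redeem(codes[0])) // invalid or already used recovery code
	fmt.Println("remaining:", store.Remaining())       // 7
}
```

A 10-symbol code from a 32-symbol alphabet is 50 bits, so a plain SHA-256 holds up against online guessing but a stolen database could be brute-forced offline; a production system would use a slow password hash such as bcrypt or Argon2 (or longer codes), and would rate-limit attempts exactly as it does for passwords.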
How to Turn It On
Every site is slightly different, but the pattern is almost always the same:
- Go to your account Settings (or Security Settings).
- Look for Two-Factor Authentication, 2-Step Verification, or Login Security.
- Choose Passkey if it's offered; otherwise Authenticator app (preferred over SMS if given the choice).
- Open your authenticator app, tap the + button, and scan the QR code shown on screen.
- Type in the 6-digit code to confirm it's working.
- Save any backup codes you're given — store them in your password manager.
Done.
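The QR-code scan and the confirmation code above, and the "calculated from a secret the site shares with the app" description in the authenticator app section, come down to one algorithm. This added Go example, written for this page rather than taken from any of the apps listed, parses the otpauth:// text that a setup QR code encodes, produces the 6-digit code the app shows, and performs the check the site makes: a one-step window for clock drift, a constant-time comparison, and refusal to accept a time step that has already been used. The secret in main is the published RFC 6238 test key, not a real account's.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"net/url"
	"strconv"
	"strings"
	"time"
)

// TOTPKey is what the setup QR code carries: the shared secret plus its parameters.
type TOTPKey struct {
	Issuer, Account string
	Secret          []byte // raw key bytes decoded from the base32 text in the URI
	Digits, Period  int
	lastStep        int64 // site side: highest time step already accepted (replay protection)
}

// ParseOTPAuthURI decodes the otpauth://totp/... text that a setup QR code encodes.
func ParseOTPAuthURI(raw string) (*TOTPKey, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "otpauth" || u.Host != "totp" {
		return nil, fmt.Errorf("not an otpauth://totp URI")
	}
	q := u.Query()
	// Secrets are base32; some sites add spaces or "=" padding, so strip those first.
	b32 := strings.ToUpper(strings.NewReplacer(" ", "", "=", "").Replace(q.Get("secret")))
	secret, err := base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(b32)
	if err != nil || len(secret) == 0 {
		return nil, fmt.Errorf("secret is not valid base32")
	}
	k := &TOTPKey{Secret: secret, Issuer: q.Get("issuer"), Digits: 6, Period: 30, lastStep: -1}
	label := strings.TrimPrefix(u.Path, "/") // "Issuer:account" or just "account"
	if i := strings.Index(label, ":"); i >= 0 && k.Issuer == "" {
		k.Issuer = label[:i]
	}
	k.Account = label[strings.Index(label, ":")+1:]
	if d := q.Get("digits"); d != "" {
		k.Digits, _ = strconv.Atoi(d)
	}
	if p := q.Get("period"); p != "" {
		k.Period, _ = strconv.Atoi(p)
	}
	if k.Digits < 6 || k.Digits > 8 || k.Period <= 0 {
		return nil, fmt.Errorf("unsupported digits/period")
	}
	return k, nil
}

// HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// CodeAt is what the app displays: HOTP with the counter set to the current time step.
func (k *TOTPKey) CodeAt(t time.Time) string {
	return HOTP(k.Secret, uint64(t.Unix()/int64(k.Period)), k.Digits)
}

// Verify is the site's check: accept the current step or one either side (clock drift),
// compare in constant time, and never accept a step that has already been used.
func (k *TOTPKey) Verify(code string, now time.Time) bool {
	step := now.Unix() / int64(k.Period)
	matched := int64(-1)
	for _, s := range []int64{step - 1, step, step + 1} {
		if hmac.Equal([]byte(HOTP(k.Secret, uint64(s), k.Digits)), []byte(code)) {
			matched = s
		}
	}
	if matched < 0 || matched <= k.lastStep {
		return false
	}
	k.lastStep = matched
	return true
}

func main() {
	// Constructed URI using the RFC 6238 test secret "12345678901234567890" in base32.
	k, err := ParseOTPAuthURI("otpauth://totp/Example:alice@example.com?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s (%s): current code %s\n", k.Issuer, k.Account, k.CodeAt(time.Now()))
}
```

Note what the site and the app have in common: the same secret, on both ends. That is why a breach of the site can expose it, and why a code handed to a fake page is good for the rest of its 30-second step; those are the two gaps passkeys close.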
Next Steps
Once your email and password manager are protected, you're already in a much better position than most people online. From there, work down the priority list at your own pace.
👉 See also: Password Managers: Stop Trying to Remember Everything