Account Protection
Two-Factor Authentication Guide
Two-factor authentication adds another proof of identity beyond the password. It is not a replacement for strong passwords, but it reduces the risk of account takeover when a password becomes exposed.
What 2FA does
A password is something you know. A second factor is something you have, such as an authenticator app or a hardware security key. An attacker who holds only the password still has to get past the second step, and is usually stopped there.
Not all second factors are equal. SMS is better than nothing, but authenticator apps and security keys are usually stronger against SIM-swap and interception attacks.
- Use an authenticator app when possible.
- Use hardware security keys for critical accounts.
- Avoid SMS for high-value accounts when better options exist.
Where to enable it first
Prioritize accounts that can reset other accounts or that control money and infrastructure. Email comes first, because password resets for most other services land there. After that: password manager, bank, cloud storage, domain registrar, hosting provider, social media, and business SaaS tools.
For teams, require 2FA for administrators and anyone with billing, customer data, or deployment access.
Recovery codes
Recovery codes are a backup method for when your phone is lost or damaged. Store them offline in a safe location: print them, keep them in a secure physical place, or put them in a protected emergency document. Do not keep them in the email inbox that the account itself protects, since losing the account would then also lose the codes.
- Generate recovery codes.
- Store them offline.
- Replace them after use: each code works once, and a partly used set should be regenerated.
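On the service side, recovery codes should be generated from a cryptographic random source, stored only as hashes, and invalidated the moment one is redeemed. The following is an added example written for this guide, not code from any product: it generates a set of codes in a `xxxx-xxxx-xxxx-xxxx` format, stores SHA-256 fingerprints in an illustrative `RecoveryCodeStore`, normalises user input (case, hyphens, whitespace) before lookup, and refuses a second use of the same code. The format and class name are assumptions for the example.

```python
import hashlib
import secrets
from typing import List, Set

CODE_BYTES = 8          # 64 bits of entropy per code (constructed choice)
GROUP = 4               # hex characters per hyphenated group


def generate_recovery_codes(count: int = 10) -> List[str]:
    """Return `count` fresh codes formatted for the user, e.g. 3f1a-9c02-77be-d410."""
    codes = []
    for _ in range(count):
        raw = secrets.token_hex(CODE_BYTES)                       # 16 hex chars
        codes.append("-".join(raw[i:i + GROUP] for i in range(0, len(raw), GROUP)))
    return codes


def _normalise(code: str) -> str:
    """Users retype codes from paper: ignore case, hyphens and spaces."""
    return "".join(ch for ch in code.strip().lower() if ch not in "- ")


def _fingerprint(code: str) -> str:
    # A plain hash is acceptable here because each code carries 64 random bits,
    # far beyond what an online or leaked-table search can enumerate; shorter
    # or user-chosen codes would need a salted, slow password hash instead.
    return hashlib.sha256(_normalise(code).encode()).hexdigest()


class RecoveryCodeStore:
    """Per-account store holding only fingerprints; the plaintext codes are
    shown to the user once at generation time and never persisted."""

    def __init__(self, codes: List[str]) -> None:
        self._hashes: Set[str] = {_fingerprint(c) for c in codes}

    def remaining(self) -> int:
        return len(self._hashes)

    def redeem(self, submitted: str) -> bool:
        """Consume a code: succeeds at most once per code."""
        fp = _fingerprint(submitted)
        if fp in self._hashes:
            self._hashes.discard(fp)   # single use: remove before granting access
            return True
        return False

    def needs_regeneration(self, threshold: int = 3) -> bool:
        """Prompt the user for a new set once only `threshold` codes are left."""
        return self.remaining() <= threshold


if __name__ == "__main__":
    issued = generate_recovery_codes()
    store = RecoveryCodeStore(issued)
    print("hand these to the user once:", *issued, sep="\n  ")
    print("first use:", store.redeem(issued[0]), "second use:", store.redeem(issued[0]))
```

A real deployment would also rate-limit redemption attempts per account and log each successful use, since a recovery code bypasses the normal second factor.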
Phishing-resistant options
Hardware security keys are stronger because the login response is bound to the real website's origin, which the browser checks during login. A fake login page on another domain cannot produce a valid response, unlike one-time codes, which a fake page can capture and relay.
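The mechanism behind that origin check, reduced to its essentials, is shown in the added example below (written for this guide; it is a simplified model, not the WebAuthn specification or any vendor's code). The browser, not the page's script, fills in the origin the user is actually visiting; the key signs over that client data; the site rejects any response whose origin is not its own. An HMAC stands in for the key's asymmetric signature so the example runs with the standard library alone, and real authenticators additionally scope each credential to the site's RP ID, which this model omits. `SecurityKey`, `RelyingParty` and the domain names are constructed for the example.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, Tuple

EXPECTED_ORIGIN = "https://accounts.example.com"   # the real login origin (constructed)


class SecurityKey:
    """Stand-in for a hardware authenticator. The verification key is a
    symmetric HMAC key here purely for portability; the property that matters
    is that the signature covers the origin reported by the browser."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)

    def verification_key(self) -> bytes:
        return self._key   # handed to the site at enrolment (assumption of this model)

    def sign(self, client_data: bytes) -> bytes:
        return hmac.new(self._key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()


def browser_login(key: SecurityKey, challenge: str, page_origin: str) -> Dict[str, bytes]:
    """What the browser assembles on whatever page the user is looking at.
    `page_origin` is set by the browser from the actual URL; page script cannot override it."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        sort_keys=True,
    ).encode()
    return {"client_data": client_data, "signature": key.sign(client_data)}


class RelyingParty:
    """The website verifying a login: fresh challenge per attempt, origin check,
    then signature check over the exact client data bytes."""

    def __init__(self, verification_key: bytes) -> None:
        self._vk = verification_key
        self._outstanding: set = set()

    def new_challenge(self) -> str:
        c = secrets.token_urlsafe(32)
        self._outstanding.add(c)
        return c

    def verify(self, assertion: Dict[str, bytes]) -> Tuple[bool, str]:
        data = json.loads(assertion["client_data"])
        if data.get("challenge") not in self._outstanding:
            return False, "unknown or replayed challenge"
        if data.get("origin") != EXPECTED_ORIGIN:
            return False, "origin mismatch"
        expected = hmac.new(self._vk, hashlib.sha256(assertion["client_data"]).digest(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return False, "bad signature"
        self._outstanding.discard(data["challenge"])   # challenge is single use
        return True, "ok"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Three logins: genuine, relayed through a lookalike domain, and relayed
    with the origin field rewritten by the attacker."""
    key = SecurityKey()
    site = RelyingParty(key.verification_key())
    results = {}

    results["genuine"] = site.verify(browser_login(key, site.new_challenge(), EXPECTED_ORIGIN))

    # A phishing page on a lookalike domain forwards the real site's challenge.
    # The browser still records the lookalike origin, so the site refuses it.
    phished = browser_login(key, site.new_challenge(), "https://accounts-example.com.evil.test")
    results["relayed"] = site.verify(phished)

    # The attacker edits the origin to the real one; the signature no longer matches.
    forged = dict(phished)
    forged["client_data"] = phished["client_data"].replace(b"accounts-example.com.evil.test", b"accounts.example.com")
    results["forged_origin"] = site.verify(forged)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:>13}: {outcome}")
```

Compare this with a one-time code, which carries no notion of where it was typed: the same relay through a lookalike page succeeds there, which is exactly why the guide ranks security keys above authenticator apps for administrators.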
For ordinary users, an authenticator app is already a major improvement. For administrators, security keys are worth serious consideration.