The Open Source MSP

Two-Factor Authentication — Worth the Two Seconds

2FA adds a second step beyond your password — usually a six-digit code that changes every 30 seconds. It's the single highest-impact security upgrade after a password manager.

What 2FA actually blocks

Even if an attacker has your correct password — from a database breach, a phishing email, or a guess — they still can't log in without the second factor. That single fact stops the overwhelming majority of personal account hacks.

SMS codes are the weakest form

Texting you a code is better than no second factor, but SMS is vulnerable to "SIM swap" attacks — an attacker convinces your carrier to move your number to a phone they control, then receives your codes. Use SMS only when nothing better is offered, and never for high-value accounts (email, banking, primary social) if you have any alternative.

Better: TOTP authenticator apps

A TOTP app generates the code on your phone, with no SMS involved. Each site you enable 2FA on adds an entry; the codes refresh every 30 seconds. Our recommendations:

Best: hardware security keys

A YubiKey or similar hardware key plugs into a USB port (or taps via NFC). It is phishing-resistant: the key's response is bound to the real site's domain, so even if you type your password into a fake login page, the key won't produce a valid answer for the fake URL. Worth it for journalists, executives, sysadmins, and the unusually paranoid.

Where to enable 2FA first

  1. Your primary email. Most important — whoever controls your email controls password resets for everything else.
  2. Banking and brokerage accounts.
  3. Your password manager itself.
  4. Social media (Facebook, Instagram, X) — less for security, more for not getting locked out by a hijacker.
  5. Anything you'd hate to lose.

Save your backup codes

When you enable 2FA, the site shows you a list of one-time backup codes. Print them or save them in your password manager. If you lose your phone, these are how you get back in. Skip this step and a lost phone means a long support call.
