A Practical Guide to Two-Factor Authentication
If you’re still relying on just a password to protect your accounts, you’re living dangerously. Passwords get leaked in data breaches constantly. People reuse them across sites. They’re often guessable. Two-factor authentication (2FA) is the single most effective step you can take to protect yourself online, and it doesn’t have to be a hassle.
What Two-Factor Authentication Actually Is
Two-factor authentication means you need two different things to log in: something you know (your password) and something you have (usually your phone). Even if someone steals your password, they can’t get into your account without that second factor.
It’s like a door that needs both a key and a PIN code. Having one without the other isn’t enough.
The Different Types of 2FA
Not all 2FA is created equal. Here’s a rundown from least to most secure:
SMS Codes
A text message with a six-digit code sent to your phone number. This is the most common form of 2FA and it’s significantly better than nothing. But it has known weaknesses. SIM-swapping attacks, where someone convinces your phone carrier to transfer your number to their SIM card, can intercept these codes. It’s happened to real people and it’s resulted in real losses.
Use SMS-based 2FA if it’s your only option, but upgrade to something better when you can.
Authenticator Apps
Apps like Google Authenticator, Authy, or Microsoft Authenticator generate time-based one-time codes that rotate every 30 seconds. The shared secret lives on your device and each code is computed locally from that secret and the current time, so nothing is sent over the phone network and SIM-swapping no longer helps an attacker.
Setting up is straightforward: the service shows you a QR code, you scan it with the app, and from then on the app generates codes for that service.
My recommendation: Authy is the most user-friendly option because it supports encrypted cloud backups. If you lose your phone with Google Authenticator, recovering access to your accounts can be painful. With Authy, you can restore to a new device.
Hardware Security Keys
Physical devices like YubiKeys that you plug into your computer or tap against your phone. They’re the most secure form of 2FA because they’re immune to phishing: the key only signs a login challenge for the exact website it was registered with. Even if you accidentally type your password into a fake login page, the security key won’t authenticate with the wrong site.
The downside is cost (around $40-$80 AUD per key) and the need to carry a physical object. You should always have at least two keys: a primary and a backup stored somewhere safe.
Passkeys
Passkeys are the newest option and they’re worth understanding. They replace both your password and your second factor with a single cryptographic credential stored on your device. You authenticate with your fingerprint, face, or device PIN.
Major services including Google, Apple, Microsoft, and GitHub now support passkeys. They’re more secure than passwords plus 2FA, and they’re easier to use. The main limitation in 2026 is that not every service supports them yet.
How to Set It Up
Start With Your Email
Your email account is the master key to your digital life. Password resets for almost every other service go through email. If someone gets into your email, they can reset passwords and access everything else.
Set up 2FA on your email first. If you use Gmail, go to Google Account settings, then Security, then 2-Step Verification. If you use Outlook, go to the Microsoft account security page.
Then Your Financial Accounts
Banks, investment platforms, superannuation accounts. Anything connected to money should have 2FA enabled immediately. Most Australian banks support it through their own apps, but check whether you can also add authenticator-based 2FA.
Then Everything Else
Social media, cloud storage, shopping accounts, work tools. Enable 2FA on everything that offers it. Yes, it adds a few seconds to the login process. That’s a tiny price for meaningful security.
Save Your Recovery Codes
When you set up 2FA, most services give you a set of backup or recovery codes. These are one-time-use codes that let you log in if you lose access to your second factor. They’re critically important.
Print them out and store them somewhere secure. A locked drawer, a safe, or a safety deposit box. Don’t store them digitally on the device you’re using for 2FA, because if you lose that device, you’ve lost both.
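The following is an added example, not code from the original article, showing how a service is expected to handle the recovery codes described above: generate them from a cryptographically secure source, store only a hash, and mark each one as spent the first time it is redeemed. The alphabet and code format are assumptions for the demo, not any particular service’s.

```python
import hashlib
import hmac
import secrets

# Assumed alphabet: drops 0/o, 1/l/i so printed codes survive transcription.
CODE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def _normalise(code: str) -> str:
    """Accept codes typed with or without dashes/spaces, any case."""
    return code.replace("-", "").replace(" ", "").lower()


def _digest(code: str) -> str:
    # Recovery codes are high-entropy random strings, so a plain SHA-256 of the
    # normalised code is sufficient; the plaintext is never stored.
    return hashlib.sha256(_normalise(code).encode()).hexdigest()


def generate_recovery_codes(count: int = 10, groups: int = 2, group_len: int = 5):
    """Return (plaintext codes shown to the user once, hashed records to store)."""
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(CODE_ALPHABET) for _ in range(groups * group_len))
        codes.append("-".join(raw[i:i + group_len] for i in range(0, len(raw), group_len)))
    stored = [{"hash": _digest(c), "used": False} for c in codes]
    return codes, stored


def redeem_recovery_code(stored, submitted: str) -> bool:
    """Consume a code. Each code succeeds at most once; a spent code is rejected."""
    target = _digest(submitted)
    for record in stored:
        if not record["used"] and hmac.compare_digest(record["hash"], target):
            record["used"] = True
            return True
    return False


if __name__ == "__main__":
    plaintext, records = generate_recovery_codes()
    print("show these once and tell the user to print them:")
    for c in plaintext:
        print("  ", c)
    print("first use:", redeem_recovery_code(records, plaintext[0]))
    print("second use of same code:", redeem_recovery_code(records, plaintext[0]))
```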
What If I Lose My Phone?
This is the most common worry, and it’s manageable if you prepare:
- Use Authy with cloud backup rather than Google Authenticator
- Save recovery codes for every service
- Have a backup hardware key if you use security keys
- Add a trusted phone number as a fallback where services allow it
If you do lose your phone without preparation, most services have an account recovery process. It’ll be slow and annoying, but not impossible.
Making 2FA Less Annoying
A few tips to reduce friction:
- Most services let you mark trusted devices so you don’t need 2FA on every single login
- Password managers like 1Password and Bitwarden can store and auto-fill 2FA codes
- Passkeys eliminate the need for codes entirely on supported services
The goal is to find a balance between security and convenience that you’ll actually stick with. Perfect security that you disable because it’s too annoying is worse than good security that you keep enabled.
Enable 2FA today. Start with your email account. It’ll take ten minutes and it’s the best security decision you’ll make this year.