
What Is Two-Factor Authentication?
Two-factor authentication — also called 2FA or two-step verification — adds a second check to your login beyond just your password. Even if a criminal has your password, they cannot access your account without this second step.
Why Your Password Alone Is Not Enough
Passwords can be stolen in ways you cannot always prevent:
- A website you use suffers a data breach and your password is leaked
- You are tricked by a phishing email into entering your password on a fake site
- A criminal uses software to guess common passwords automatically
- Someone looks over your shoulder
Once a criminal has your password, without 2FA they are in immediately. With 2FA, they are stopped — because the second factor is delivered to your phone in real time.
How 2FA Works
With 2FA active, logging in requires two things:
- Something you know — your password
- Something you have — a code sent to your phone, or generated by an app
Even if a criminal knows your password, they cannot log in without the second factor.
Types of 2FA
Text message (SMS) codes
The most common type. A code is sent to your mobile number when you log in. Simple and effective for most situations, though not the strongest option (SIM-swap fraud can bypass it in rare cases).
Authenticator apps
A free app (Microsoft Authenticator, Google Authenticator, or Authy) generates a new 6-digit code every 30 seconds. More secure than SMS as it is not linked to your phone number.
Email codes
A code sent to your email address. Only as secure as your email account itself.
Physical security keys
A small USB device that confirms your identity. The most secure option; mainly used in high-security business contexts.
For most people, an authenticator app offers the best balance of security and convenience.
Which Accounts to Protect First
Enable 2FA on these accounts as a priority:
- Your email — criminals use compromised email accounts to reset passwords on everything else
- Online banking — most UK banks now require 2FA by default
- Social media — Facebook, Instagram, and X/Twitter accounts are frequent targets
- Your Apple ID or Google account — these control access to your phone and all connected services
How to Set Up 2FA — Step by Step
The process is similar across most services:
- Go to your account's Security or Privacy settings
- Find "Two-factor authentication" or "Two-step verification"
- Choose your preferred method (authenticator app is recommended)
- Follow the on-screen steps — most services show a QR code you scan with the authenticator app
- Save any backup codes the service provides — store them somewhere safe (printed or in a password manager)
Most major services — Google, Facebook, Apple, Microsoft, and UK banks — have step-by-step 2FA guides on their support pages.
Frequently asked questions
What is two-factor authentication in simple terms?
It is a second lock on your account. Even if a criminal has your password, they need a code that only you can receive — usually delivered to your phone or generated by an app — to get in.
Is 2FA really necessary?
Yes. The NCSC considers it one of the most important steps any individual or business can take. Accounts protected by 2FA are far less likely to be accessed even when passwords are stolen.
What is the best type of 2FA?
An authenticator app (Microsoft Authenticator, Authy, or Google Authenticator) is the best option for most people — more secure than SMS codes and works without a phone signal.