How to Set Up Two-Factor Authentication (2FA) on Every Account

If I could force everyone to do one single thing for their security, it would be enabling two-factor authentication on every account. I have hardware YubiKeys on my keychain, authenticator apps on my phone, and 2FA on literally every service that supports it. Even when my credentials have appeared in breach databases, 2FA stopped attackers cold every time.

This guide walks you through setting up 2FA on every major platform, explains which types are actually secure (hint: not SMS), and gives you my priority list for which accounts to lock down first.

Types of Two-Factor Authentication

Before we get into the setup steps, you need to understand the four main types of 2FA available in 2026, listed from least to most secure:

SMS-Based 2FA

When you log in, the service sends a text message with a one-time code to your phone number. You enter the code to complete the login.

Security level: Basic. SMS codes can be intercepted through SIM-swapping attacks, where attackers convince your mobile carrier to transfer your number to their SIM card. They are also vulnerable to SS7 network exploits. That said, SMS 2FA is still significantly better than no 2FA at all.

Authenticator App (TOTP)

An authenticator app generates time-based one-time passwords (TOTP) that change every 30 seconds. You scan a QR code during setup to link the account, and the app generates codes offline without needing cell service.

Security level: Strong. Authenticator apps cannot be intercepted through SIM swapping or network exploits. The codes are generated locally on your device. Popular options include Google Authenticator, Microsoft Authenticator, Authy, and password managers with built-in TOTP like NordPass.

Our recommendation: NordPass includes a built-in TOTP authenticator alongside its password management features, meaning your passwords and 2FA codes are stored together and synced across all your devices. This is particularly convenient because you do not need to open a separate app to get your codes.

Get NordPass with Built-in Authenticator

Hardware Security Keys

Physical devices like YubiKey or Google Titan that you plug into a USB port or tap against your phone using NFC. They use the FIDO2/WebAuthn protocol for cryptographic verification.

Security level: Highest for traditional 2FA. Hardware keys are completely immune to phishing because they verify the legitimate domain of the website before responding. An attacker’s fake login page cannot trigger the key. They require physical possession, making remote attacks impossible.

Passkeys

The newest authentication method, passkeys replace both your password and 2FA with a single cryptographic credential stored on your device and protected by biometrics (fingerprint or face scan). Supported by Google, Apple, and Microsoft.

Security level: Highest overall. Passkeys combine the security of hardware keys with the convenience of biometric authentication. They are phishing-resistant by design and eliminate the need to remember or type passwords. As of 2026, passkey support is widespread but not yet universal.

Priority List: Which Accounts to Secure First

Not all accounts are equally critical. Here is the order in which you should enable 2FA:

Tier 1: Secure Immediately

1. Primary email accounts - Your email is the master key. Password resets for nearly every other account go through email. If someone compromises your email, they can take over everything.
2. Password manager - If you use a password manager, it holds the keys to all your accounts. Securing it with 2FA is essential.
3. Banking and financial accounts - Online banking, investment platforms, payment apps like PayPal and Venmo.
4. Cryptocurrency exchanges and wallets - Crypto transactions are irreversible. A compromised exchange account means permanent loss.

Tier 2: Secure This Week

5. Social media accounts - Facebook, Instagram, Twitter/X, LinkedIn, TikTok. These accounts can be used for impersonation and social engineering.
6. Cloud storage - Google Drive, Dropbox, iCloud, OneDrive. These often contain sensitive documents and photos.
7. Work accounts - Company email, Slack, project management tools, VPN access.
8. Apple ID or Google Account - These are tied to your phone, app purchases, and backup data.

Tier 3: Secure When Possible

9. Shopping accounts - Amazon, eBay, and other retailers with saved payment methods.
10. Gaming accounts - Steam, PlayStation Network, Xbox Live, Nintendo. These often have significant monetary value.
11. Messaging apps - WhatsApp, Signal, Telegram.
12. Domain registrars and hosting - If you own websites or domains.
13. Everything else - If a service offers 2FA, enable it.

Using a strong, unique password for each account is also essential. 2FA and strong passwords work together to create layered security.

Step-by-Step 2FA Setup for Major Platforms

Google Account (Gmail, YouTube, Google Drive)

Google accounts are high-value targets because they often contain years of email history, documents, photos, and are linked to Android devices.

1. Go to myaccount.google.com/security
2. Click 2-Step Verification under the “How you sign in to Google” section
3. Click Get Started and enter your password
4. Google will prompt you to set up a Google prompt (push notification to your phone) as the default method
5. Click Show more options to choose an authenticator app or hardware key instead
6. For authenticator app: Click “Authenticator app,” scan the QR code with NordPass or your preferred TOTP app, and enter the verification code
7. For hardware key: Click “Security key,” insert your key, and follow the prompts
8. Save your backup codes - Google generates 10 one-time backup codes. Download or print them and store them securely
9. Click Turn On to activate 2FA

Passkey option: Google fully supports passkeys. Under Security settings, look for “Passkeys and security keys” to set up a passkey using your device’s biometrics.

Apple ID (iCloud, App Store, Mac)

Your Apple ID controls access to iCloud, Find My, the App Store, Apple Pay, and all your Apple devices.

1. On iPhone/iPad: Go to Settings > [Your Name] > Sign-In & Security > Two-Factor Authentication
2. On Mac: Go to System Settings > [Your Name] > Sign-In & Security > Two-Factor Authentication
3. Tap Turn On Two-Factor Authentication
4. Enter your trusted phone number (this is used for SMS fallback)
5. Enter the verification code sent to that number
6. Apple’s 2FA uses push notifications to trusted devices as the primary method, with SMS as a fallback

Important: Apple’s 2FA is somewhat unique because it sends verification codes directly to your trusted Apple devices rather than requiring a separate authenticator app. Once enabled, any new sign-in triggers a notification on your existing Apple devices showing the location of the sign-in attempt.

Microsoft Account (Outlook, OneDrive, Xbox)

Microsoft accounts are tied to Windows PCs, Outlook email, OneDrive storage, Xbox, and Microsoft 365.

1. Go to account.microsoft.com/security
2. Click Advanced security options
3. Under “Additional security,” click Turn on next to Two-step verification
4. Choose your method:
   • Microsoft Authenticator app (recommended by Microsoft)
   • Other authenticator app (scan QR code with NordPass or your preferred app)
   • Hardware security key
5. Follow the prompts to complete setup
6. Save the recovery code provided

Passkey option: Microsoft supports passkeys through Windows Hello. Go to Security settings and look for “Passkey” to set up passwordless authentication.

Social Media Platforms

Facebook and Instagram (Meta)

1. Open the Facebook app or go to facebook.com/settings
2. Go to Accounts Center > Password and security > Two-factor authentication
3. Select your account (this applies to both Facebook and Instagram)
4. Choose your method: authentication app, SMS, or hardware key
5. For authenticator app: scan the QR code and enter the verification code
6. Save the recovery codes provided

Twitter/X

1. Go to Settings and Privacy > Security and account access > Security > Two-factor authentication
2. Choose: Text message (requires Twitter Blue for free accounts), Authentication app, or Security key
3. For authenticator app: scan the QR code and enter the code
4. Save the backup code

LinkedIn

1. Go to Settings & Privacy > Sign in & security > Two-step verification
2. Click Turn on
3. Choose authenticator app or phone number
4. Complete the verification process

Banking and Financial Accounts

Most banks and financial institutions now offer 2FA, though the available methods vary. Here is the general process:

1. Log in to your bank’s website or app
2. Navigate to Security Settings or Account Settings
3. Look for Two-Factor Authentication, Multi-Factor Authentication, or Additional Verification
4. Most banks offer SMS-based 2FA, some support authenticator apps
5. Enable the strongest method available
6. Some banks also offer biometric authentication through their mobile apps

For cryptocurrency exchanges (Coinbase, Binance, Kraken): Always use an authenticator app, never SMS. Cryptocurrency accounts are prime targets for SIM-swapping attacks because transactions are irreversible.

Cloud Storage and Productivity

Dropbox

1. Go to dropbox.com/account/security
2. Under Two-step verification, click Enable
3. Choose authenticator app or SMS
4. Complete the setup and save backup codes

Slack

1. Go to your profile > Account settings
2. Click Two-Factor Authentication > Set Up Two-Factor Authentication
3. Scan the QR code with your authenticator app
4. Enter the verification code

Using NordPass as Your Authenticator

One of the most convenient approaches to managing 2FA is using a password manager that includes a built-in TOTP authenticator. NordPass does exactly this, storing your passwords and 2FA codes together in one encrypted vault.

Why NordPass for 2FA?

• Everything in one place - Your passwords and 2FA codes live in the same secure vault
• Cross-device sync - Your 2FA codes are available on every device where NordPass is installed, unlike phone-only authenticator apps
• Auto-fill - NordPass can auto-fill both your password and 2FA code, making logins faster
• Backup built in - Since your 2FA secrets are synced to NordPass’s encrypted cloud, losing your phone does not lock you out
• Zero-knowledge encryption - NordPass encrypts everything locally before syncing, so even NordPass staff cannot see your codes

Setting Up TOTP in NordPass

1. Open NordPass and navigate to the entry for the account you want to protect
2. Click Edit and find the Two-Factor Authentication or TOTP field
3. On the website where you are enabling 2FA, choose “Authenticator app” and display the QR code
4. In NordPass, click the QR scan option to scan the code, or manually paste the TOTP secret key
5. NordPass will now generate time-based codes for that account
6. Enter the current code on the website to verify the setup is working
7. Save the entry in NordPass

If you are still choosing a password manager, our guide to the best password managers in 2026 and our 1Password vs Bitwarden comparison can help you decide.

Get NordPass with Built-in 2FA Authenticator

Hardware Security Keys: The Gold Standard

For maximum security on your most critical accounts, hardware security keys are unmatched. Here is what you need to know:

Recommended Hardware Keys

• YubiKey 5 Series ($50-$70) - Supports USB-A, USB-C, NFC, and Lightning. Works with FIDO2, U2F, TOTP, and more.
• Google Titan Security Key ($30-$35) - USB-A/NFC or USB-C/NFC options. Made by Google, works with all FIDO2-compatible services.
• Thetis FIDO2 Key ($25-$30) - Budget-friendly USB-A option with solid FIDO2 support.

How to Set Up a Hardware Key

1. Purchase at least two keys (a primary and a backup)
2. Go to the security settings of the account you want to protect
3. Select “Security key” or “Hardware key” as your 2FA method
4. When prompted, insert the key into your USB port (or tap it for NFC)
5. Press the button on the key to register it
6. Register your backup key as well
7. Store the backup key in a secure location (safe, safety deposit box)

Which Accounts Support Hardware Keys?

Google, Microsoft, Apple, Facebook, Twitter/X, GitHub, Dropbox, Coinbase, Binance, and many other major services support hardware security keys. The list grows constantly as FIDO2 adoption increases.

Setting Up 2FA on a VPN Account

If you use a VPN service to protect your internet traffic, make sure your VPN account itself is protected with 2FA. A compromised VPN account could expose your browsing activity.

Both NordVPN and Surfshark support two-factor authentication on their accounts:

NordVPN 2FA Setup:

1. Log in at my.nordaccount.com
2. Go to Account Settings > Multi-factor authentication
3. Choose authenticator app or hardware key
4. Complete the verification

If you are still choosing a VPN, our best VPN services guide compares the top options, and our NordVPN vs ExpressVPN comparison covers the two most popular choices in detail.

Get NordVPN with 2FA Support

Backup and Recovery: Do Not Skip This

The biggest fear with 2FA is getting locked out of your own accounts. Here is how to prevent that:

Save Backup Codes

Every service that offers 2FA provides one-time backup codes during setup. These codes work even if you lose your phone or hardware key.

• Print them and store them in a physical safe or safety deposit box
• Save them in your password manager (like NordPass) in the notes field of the relevant account entry
• Never store them in an unencrypted text file on your computer or in plain text email

Register Multiple 2FA Methods

Most services let you register more than one 2FA method. Take advantage of this:

• Register both an authenticator app and a hardware key
• Add a backup phone number for SMS fallback
• Set up multiple hardware keys (primary and backup)

Use a Password Manager That Syncs 2FA

If you use NordPass or another password manager with built-in TOTP, your 2FA codes are automatically backed up and synced across devices. Losing your phone does not mean losing access because you can retrieve codes from the password manager on another device.

Get NordPass - Passwords and 2FA in One Vault

Recovery Account Settings

• Make sure your recovery email and phone number are up to date on all accounts
• For Google accounts, set up a recovery email that is separate from your primary email
• For Apple ID, keep your trusted devices list current

Common 2FA Mistakes to Avoid

Using SMS when authenticator apps are available. Always choose the strongest method a service offers. SMS should be your last resort.

Not saving backup codes. This is the number one reason people get locked out. Save your backup codes before you need them.

Using the same phone for everything. If your phone is your only 2FA device and it gets lost, stolen, or broken, you lose access to all your accounts unless you have backup codes.

Falling for 2FA phishing. Sophisticated phishing attacks now include real-time 2FA code interception. Always verify you are on the legitimate website before entering any codes. Hardware keys and passkeys are immune to this type of attack.

Not enabling 2FA on your password manager. Your password manager is arguably the most critical account to protect with 2FA. If it is compromised, all your stored passwords are exposed.

Disabling 2FA because it is inconvenient. The minor inconvenience of entering a code is trivial compared to the devastation of a compromised account. Most services remember trusted devices so you do not need to enter codes every single time.

The Future: Passkeys Are Replacing 2FA

Passkeys represent the evolution of authentication. Instead of a password plus a second factor, passkeys use public-key cryptography to create a single, phishing-proof credential.

How Passkeys Work

1. When you create a passkey for a site, your device generates a unique cryptographic key pair
2. The private key stays on your device, protected by your biometrics (fingerprint or face)
3. The public key is stored on the website’s server
4. When you log in, your device proves it has the private key without ever transmitting it
5. You authenticate with a quick fingerprint or face scan

Where Passkeys Are Available

As of 2026, passkeys are supported by Google, Apple, Microsoft, Amazon, GitHub, PayPal, eBay, Best Buy, and hundreds of other services. Apple’s iCloud Keychain, Google Password Manager, and password managers like NordPass support passkey storage and sync.

Should You Switch to Passkeys?

Yes, wherever possible. Passkeys are more secure than any traditional 2FA method and more convenient too. However, not all services support passkeys yet, so you will still need traditional 2FA for many accounts. The best approach is to use passkeys where available and authenticator-app 2FA everywhere else.

Additional Security Layers

Two-factor authentication works best as part of a comprehensive security strategy. Consider these additional measures:

• Use a VPN to encrypt your internet connection, especially on public Wi-Fi
• Install a reputable antivirus solution to prevent malware that could steal your 2FA codes
• Learn to recognize phishing attempts that try to intercept your 2FA codes in real time
• Secure your home network to prevent local attacks
• Use encrypted email for sensitive communications

Related Guides

• Best Password Managers in 2026
• How to Create Strong Passwords
• 1Password vs Bitwarden 2026
• Best VPN Services in 2026
• NordVPN Review 2026
• How to Protect Yourself from Phishing
• How to Secure Your Home Network

Last updated: March 2026.