How to Set Up Two-Factor Authentication on Every Important Account

TL;DR: Turn on two-factor authentication (2FA) on every account that supports it, starting with your primary email. Use an authenticator app like Microsoft Authenticator or Authy — not SMS — wherever possible. For your most critical accounts (email, banking, password manager), spend $30 on a YubiKey 5C. This guide walks you through Google, Microsoft, Apple, and bank account setup in 2026.

I’ve watched a friend lose access to a 12-year-old Gmail account because she didn’t have 2FA on. She got it back eventually — about 11 weeks later, after a lot of stress. That’s the case where 2FA matters most: not when nothing has gone wrong, but the day someone gets your password.

Here’s the thing. Google’s own security data shows that just having any form of 2FA enabled blocks 100% of automated bot attacks and 99% of bulk phishing attacks. The setup takes 10 minutes per account. There is no good reason to skip it in 2026.


What exactly is two-factor authentication?

2FA means logging in requires two things instead of one: something you know (your password) plus something you have (your phone, a hardware key, or a code from an app). Even if someone steals your password in a data breach, they can’t log in without the second factor.

There are three common types, in order of how secure they are:

  • Hardware security keys — physical USB or NFC keys like YubiKey. Most secure, can’t be phished.
  • Authenticator apps — Microsoft Authenticator, Google Authenticator, Authy. Generate a fresh 6-digit code every 30 seconds.
  • SMS codes — texted to your phone. Convenient, but vulnerable to SIM-swap attacks. Better than nothing, worse than the others.
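To make the "6-digit code every 30 seconds" concrete, here is an added example (not code from the original guide or from any of the apps it names) of what the authenticator app and the website each compute: the secret is the RFC 4226/6238 test key, and the account and issuer names are made up.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import quote

# Constructed demo secret: the RFC 4226/6238 test key, base32-encoded the way
# it is carried inside the QR code an authenticator app scans.
SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the counter, dynamically truncated to `digits`."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at_time: Optional[float] = None, step: int = 30) -> str:
    """RFC 6238 (what the phone shows): the counter is the number of
    30-second steps since the Unix epoch, so the code rolls every 30 s."""
    now = time.time() if at_time is None else at_time
    return hotp(secret_b32, int(now // step))


def verify_totp(secret_b32: str, code: str, at_time: Optional[float] = None,
                step: int = 30, window: int = 1) -> bool:
    """What the site does: accept the current step plus `window` steps either
    side for clock drift, comparing in constant time so timing leaks nothing."""
    now = time.time() if at_time is None else at_time
    counter = int(now // step)
    return any(hmac.compare_digest(hotp(secret_b32, counter + d), code)
               for d in range(-window, window + 1))


def otpauth_uri(secret_b32: str, account: str, issuer: str) -> str:
    """The text the provisioning QR code encodes (hypothetical account/issuer)."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={secret_b32}&issuer={quote(issuer)}"
            "&algorithm=SHA1&digits=6&period=30")


if __name__ == "__main__":
    print(otpauth_uri(SECRET_B32, "alice@example.com", "ExampleMail"))
    print("code right now:", totp(SECRET_B32))
```

Because the code is derived only from the shared secret and the clock, anyone holding the secret (a phished QR code, an unencrypted backup) can generate valid codes; that is why the guide treats the app's backup and the printed recovery codes as things to protect.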

Which authenticator app should I use?

Three good choices in 2026, and I’ve used all of them:

  • Microsoft Authenticator — free, syncs across devices, has cloud backup. My current pick for most people.
  • Authy (by Twilio) — also free, cross-device sync was its killer feature for years. Still great.
  • Google Authenticator — finally added cloud sync in 2023. Simpler than the other two, no PIN protection on the app itself.

Download whichever from the App Store or Google Play first. The setup steps below assume you have an app installed.


How do I turn on 2FA for my Google account?

Your Google account is the most important one to protect, because your Gmail is probably the reset path for every other account you own.

  1. Go to myaccount.google.com/security and sign in.
  2. Click “2-Step Verification” under “How you sign in to Google”.
  3. Click “Get started” and re-enter your password if prompted.
  4. Add your phone number as the first step (Google requires this). Pick “Text message”.
  5. Enter the code Google texts you and click Turn On.
  6. Add an authenticator app as your primary second factor. Back on the 2-Step Verification page, scroll to “Authenticator app” and click “Set up authenticator”. Scan the QR code with Microsoft Authenticator. Enter the 6-digit code to confirm.
  7. Save your backup codes. Click “Backup codes”, generate 10 codes, and store them somewhere safe (password manager or a printed copy in a drawer). These are your lifeline if you lose your phone.

That’s the standard setup. If you want maximum security, also add a hardware key under “Security keys” using your YubiKey.

How do I turn on 2FA for my Microsoft account?

If you use Outlook.com, Xbox, OneDrive, or any Windows 11 sign-in tied to a Microsoft account, do this next.

  1. Go to account.microsoft.com/security and sign in.
  2. Click “Two-step verification”, then “Turn on”.
  3. Choose “Use an app” and follow the prompts to set up Microsoft Authenticator (or any TOTP app). Scan the QR code, enter the verification code.
  4. Confirm your phone number as a backup method.
  5. Download the recovery code at the end. Save it like you saved the Google one.

If you’ve been using Microsoft Authenticator on your phone with the same Microsoft account, you might already have “passwordless” sign-in enabled — that’s even better than 2FA on its own.

How do I turn on 2FA for my Apple ID?

Apple’s setup is the slickest of the bunch because the iPhone or Mac is the authenticator. Go to Settings → [your name] → Sign-In & Security → Two-Factor Authentication on your iPhone (iOS 18 or later), or System Settings → Apple ID → Sign-In & Security on macOS Sequoia 15.

Tap “Turn On Two-Factor Authentication” and follow the prompts. When you sign in on a new device, a 6-digit code appears on your existing iPhone or Mac automatically. No app needed.


How do I add 2FA to my bank?

This is the most frustrating category because every bank does it differently. In the US and Canada in 2026, most major banks still default to SMS-based 2FA, and a depressing number don’t support authenticator apps at all.

Here’s what to do:

  1. Log into your bank’s web portal (not the app).
  2. Find Security Settings, Sign-In Options, or Multi-Factor Authentication.
  3. If they offer an authenticator app option (in Canada and the US, RBC, TD, Wealthfront, Chase, and Capital One do), use it. Otherwise, use SMS — it’s still better than nothing.
  4. Add a backup phone number if the option exists.

For US-based readers: most credit unions still only offer SMS. Push them on it — call customer service and ask for authenticator app support. Enough complaints and they actually add it.

Should I bother with a hardware security key?

A YubiKey or similar hardware key is the strongest possible 2FA. It can’t be phished — even if you click a fake login page, the key won’t release credentials to the wrong domain. The catch is the upfront cost ($30 USD / C$42 for a YubiKey 5C) and the small inconvenience of physically plugging it in.

For most people, I recommend this: get a YubiKey for your most critical three accounts (primary email, password manager, banking). Use authenticator apps for everything else. You can buy them at yubico.com with USD pricing or through Amazon Canada in CAD.

What if I lose my phone?

This is the question that stops most people from setting up 2FA — and it’s a good one. Here’s what to do before you lose the phone:

  • Save your backup codes for every account, in a safe place (password manager, sealed envelope, fireproof safe).
  • Use an authenticator app with cloud sync (Microsoft Authenticator and Authy both have this) so a new phone restores your codes automatically.
  • Add a second 2FA method where possible — phone number plus authenticator app, for instance.
  • Enroll a hardware key as an alternate factor on your most important account. If your phone is gone, the key still works.

Frequently Asked Questions

Is SMS 2FA worse than no 2FA?

No — SMS 2FA is still significantly better than just a password, because it blocks 99% of bulk phishing and automated bot attacks. It’s only weak against targeted attacks like SIM-swapping. If your bank only offers SMS, use it. But for accounts that offer authenticator app or hardware keys, use those instead.

Can I use the same authenticator app for multiple accounts?

Yes, one authenticator app holds dozens of accounts. Microsoft Authenticator and Authy both let you add as many as you want. Each account gets its own entry with a rotating 6-digit code. There’s no reason to install multiple authenticator apps.

Do I need to set up 2FA on every account?

Start with the critical four: primary email, password manager, banking, and your phone’s cloud account (Apple ID or Google). After that, add it to anything with payment info, social media, and work accounts. Forums and throwaway accounts are lower priority, but it doesn’t hurt to enable it everywhere.

Does 2FA slow down my logins?

Once you set it up, most accounts let you mark a device as trusted for 30 days or longer. So on your daily laptop you only re-verify once a month. The friction is real but small — about 5 extra seconds when it triggers.

What happens if I lose my hardware key?

If you’ve followed best practice and registered two hardware keys on each critical account (one primary, one backup stored somewhere safe), you just use the backup. If you only had one and it’s lost, fall back to your authenticator app or recovery codes. Order a replacement key and re-register it.

For specifically locking down Gmail after a breach, see my full guide to recovering a hacked Gmail account. If you haven’t picked a password manager yet, the 2026 password manager comparison is the next read. And for shielding your traffic on top of all this, check out the free VPN roundup.

— Mark Thompson, Toronto