Setting Up and Using Two-Factor Authentication

security authentication account-protection

Core Idea

Two-factor authentication requires a second verification step (like a code from your phone) in addition to your password when logging in. This makes accounts dramatically harder to breach, even if an attacker discovers your password.

Explainer

You already understand the concept of two-factor authentication: something you know (your password) combined with something you have (a device or key). The practical question is how to actually set it up and what happens when you use it day-to-day. When you enable 2FA on an account, you're registering a second proof of identity that the service can verify. The three main forms are SMS codes (a text message with a one-time code), authenticator apps (an app like Google Authenticator or Authy that generates codes locally on your device), and hardware security keys (a physical USB or NFC device you plug in or tap). They differ substantially in security: SMS codes can be intercepted via SIM-swapping attacks; authenticator apps are much harder to compromise because the code is generated locally from a secret that stays on your device rather than being delivered over a network; hardware keys are the most phishing-resistant because they cryptographically verify the website you're logging into.

To set up 2FA, navigate to the security settings of the account you want to protect and look for "Two-Step Verification" or "Two-Factor Authentication." For an authenticator app, the service will display a QR code. Open the app, tap "Add account" or the plus icon, and scan the QR code. The app and the server are now synchronized — they both know a shared secret key and use it to generate the same time-based code every 30 seconds. When you log in, you enter your password as usual, and the site then asks for the current 6-digit code from your app. You open the app, read the code (it changes every 30 seconds, so act promptly), and type it in.

The most important step that many people skip: save your backup codes. Every service that offers 2FA will offer you a set of one-time recovery codes during setup. Download or print these and store them somewhere secure and physically separate from your phone — a document in your password manager, a printed copy in a drawer, or an encrypted note. If your phone is lost, stolen, or destroyed, these codes are your only way back into the account. Without them, account recovery becomes a slow, difficult process of contacting support and proving your identity, and some accounts cannot be recovered at all.

In daily use, 2FA adds only a few seconds to your login experience. Most services offer a "remember this device" option after verifying 2FA, so you only need to enter a code on new or unrecognized devices rather than every single login. Start by enabling 2FA on your highest-value accounts — email first (because email is used to reset every other password), then financial accounts, then everything else. Once set up, it requires almost no ongoing effort while providing the single most effective protection against account takeover that exists for ordinary users.
