S3-3 Tech Guides & Tools
Privacy & Security · Jun 2026

How to Set Up Two-Factor Authentication (The Right Way)

Two-factor authentication (2FA) means that logging in requires two things: your password, and a second proof that you're you. Even if someone steals your password, they can't get in without that second factor. It's one of the highest-impact security steps you can take, and it takes about five minutes per account to set up.

Why SMS Codes Are Not Enough

Most people's first experience with 2FA is a six-digit code texted to their phone. That's genuinely better than no second factor, but it has a known weakness: SIM swapping. An attacker can call your carrier, convince them to transfer your phone number to a new SIM, and then receive all your SMS codes. It's happened to people with strong passwords and no other security gaps.

Authenticator apps are immune to SIM swapping because the codes are generated on your device using a shared secret stored locally — no SMS, no carrier involved.

How TOTP Authenticator Apps Work

When you enable 2FA on a site, it shows you a QR code. Scanning that code plants a shared secret in your authenticator app. From then on, both the site and your app run the same algorithm (TOTP — Time-based One-Time Password) on that secret and the current time, generating identical 6-digit codes that expire every 30 seconds. No network connection needed on your end.

Which Authenticator App to Use

Aegis (Android) — Best free option

getaegis.app is open source, free, and stores your codes in an encrypted local vault that you can back up anywhere. It supports encrypted exports, so you won't lose everything if you lose your phone. Highly recommended for Android users who want control over their data.

Ente Auth (iOS & Android) — Best for cross-device sync

ente.io/auth is open source and offers end-to-end encrypted cloud sync across devices. Free tier includes unlimited codes and sync. A good choice if you use both an iPhone and an Android tablet, or want your codes accessible on multiple devices.

Apple's built-in (iOS 17+)

The Passwords app on iOS 17+ and macOS 14+ stores TOTP codes natively. If you're already using iCloud Keychain for passwords, this is the lowest-friction option — no extra app needed. Find it under Settings → Passwords on iPhone, or the Passwords app on Mac.

Google Authenticator — Avoid if you can

Google Authenticator is widely used, but its history of losing codes when you moved to a new phone made it a poor choice. It now offers cloud backup, but there are better-audited alternatives. If you're starting fresh, use Aegis or Ente Auth instead.

Setting Up 2FA: Step-by-Step

The process is nearly identical across services. Here's how it works on most major sites:

  1. Go to your account's security settings. Look for "Two-factor authentication," "Two-step verification," or "Login security." On Google: myaccount.google.com → Security. On GitHub: Settings → Password and authentication.
  2. Choose "Authenticator app" (not SMS, if you have a choice).
  3. Scan the QR code with your authenticator app. Open the app, tap the + button, and point your camera at the QR code. The entry appears immediately.
  4. Enter the 6-digit code shown in the app to confirm the setup worked.
  5. Save your backup codes. Every service gives you a set of one-time backup codes when you enable 2FA. Store these somewhere safe — printed and in a drawer, or in a password manager as a secure note. They're your emergency access if you lose your phone.

Critical step: Save the backup codes before closing the setup screen. This is the one step people skip, and it's the one that leaves them locked out permanently when their phone breaks.

Which Accounts to Protect First

Not every account needs 2FA, but these do:

  • Email — Your email is the master key. Anyone who controls your inbox can reset the password on every other account.
  • Banking and financial accounts — Obvious reasons.
  • Your password manager — If you use Bitwarden or similar, enable 2FA on that account specifically.
  • Domain registrar and hosting accounts — Losing control of a domain can be catastrophic and hard to reverse.
  • Apple ID / Google account — These control your phone, your contacts, and your ability to log into countless other services.

What to Do If You Lose Your Phone

This is why backup codes matter. Most services also offer these recovery options:

  • Use a backup code (saved during setup)
  • Use a backup phone number (if you added one)
  • Contact the service's account recovery — a slow process that may require identity verification

If you use Aegis with encrypted backups, you can restore your entire vault to a new phone in minutes. If you used Google Authenticator without backup — you're at the mercy of account recovery for every single service.

Passkeys: What's Coming Next

Passkeys are a newer standard that replaces both the password and the second factor with a single cryptographic key stored on your device. Major platforms (Apple, Google, Microsoft) have rolled them out for their own services, and adoption is accelerating. When a site offers a passkey option, it's worth using — it's more convenient and more phishing-resistant than a password + TOTP combination.

For now, TOTP with an authenticator app is the practical sweet spot: widely supported, free, and vastly better than a password alone.