Security · practical guide
Two-Factor Authentication
A Practical Guide
Your password is probably not enough. Here's how to add a second layer of protection to your accounts.
At least one person you know has probably had an account stolen before. Maybe their email, Facebook, or Instagram was compromised, or they started posting scam links from Telegram or WhatsApp.
The attack routes vary. For most services, an attacker needs your password – leaked in a breach, guessed, or phished. For services like Telegram and WhatsApp, they need control of your phone number (a SIM swap can do it), or access to a device where you're already logged in.
The solution? Require a second proof of identity before letting anyone in.
What is two-factor authentication?
When you log in with 2FA enabled, the service asks for your password as usual. But then it asks for a second code – one that changes every thirty seconds and only exists on a device you control.
Even if an attacker has your password, they can't get in without also having your phone in their hand. That's a much harder thing to steal, especially remotely.
The "two factors" are:
- Something you know – your password
- Something you have – your phone, generating time-based codes
Both are required.
Why SMS codes aren't ideal
Many services offer to send a code via SMS. While that's better than nothing, it has a serious weakness: SIM swap attacks.
An attacker calls your mobile provider, convinces them to transfer your number to a new SIM, and suddenly your codes are landing on their phone instead of yours. It happens more than you'd think, and in some regions it's surprisingly easy to pull off.
SMS also fails when you're abroad, out of signal, or if your phone is lost. An authenticator app works offline and stays with your device, not your phone number.
Authenticator apps
An authenticator app generates time-based one-time passwords (TOTPs) directly on your phone. The codes refresh every thirty seconds and work even without an internet connection.
When you set up 2FA on a service, it shows you a QR code. You scan it with your authenticator app, and from then on your app generates valid codes for that account.
Here's how some of the main options compare:
| App | Platform | Open Source | Backup | Notes |
|---|---|---|---|---|
| 2FAS | iOS, Android | Yes | Optional encrypted backup to your own iCloud/Google Drive | Browser extension auto-fills codes |
| Aegis | Android only | Yes | Local encrypted export (manual) | Fully offline, no account required |
| Bitwarden Authenticator | iOS, Android | Yes | Syncs with Bitwarden vault (optional) | Great if you already use Bitwarden |
| Ente Auth | iOS, Android, Desktop, Web | Yes | End-to-end encrypted cloud sync | Works across all your devices |
| Google Authenticator | iOS, Android | No | Syncs to Google account | Widely known, easy to set up |
| Microsoft Authenticator | iOS, Android | No | Syncs to Microsoft account | Passwordless sign-in for Microsoft accounts |
Which to choose?
Any of these is vastly better than no 2FA at all.
- 2FAS – open source, cross-platform, browser extension makes logins quick. Backups stay on your own iCloud or Google Drive.
- Aegis – for Android users who want no cloud involvement. You manage your own encrypted backups.
- Bitwarden – slots into your existing vault if you already use Bitwarden.
- Ente Auth – syncs across phone, computer, and web with end-to-end encryption.
- Google Authenticator – works fine if you just want something familiar.
- Microsoft Authenticator – natural fit for Microsoft environments, supports passwordless sign-in.
Setting it up
The process is nearly identical across services. Here's the general pattern:
- Find the security settings. Look for "Security", "Privacy", or "Account" in the app or website settings. The 2FA option is usually called "Two-Step Verification" or "Two-Factor Authentication".
- Choose authenticator app. When prompted for a method, select "Authenticator app" rather than SMS.
- Scan the QR code. The service displays a QR code. Open your authenticator app, tap the add button (usually a "+" icon), and scan it. If you're setting this up on the same phone, look for a "Can't scan?" or "Enter manually" option to get a text code you can copy/paste instead.
- Enter the code to confirm. Your app immediately starts generating six-digit codes. Enter the current one to prove the link works.
- Save your backup codes. This is critical. See the next section.
That's it. Next time you log in, you'll enter your password, then open your authenticator app and type in the current code.
Backup codes: don't skip this
When you enable 2FA, most services give you a set of one-time backup codes. These are your emergency keys. If you lose your phone, they're the only way back into your account.
Write them down on paper and store them somewhere safe, not on the phone you're using for 2FA. A fireproof safe, a locked drawer, wherever you keep important documents.
Some people store them in a password manager. That works too, as long as the password manager itself isn't locked behind the same phone you just lost.
If you skip this step and then lose your phone, you may be permanently locked out. Recovery processes can be frustrating or even impossible without your backup.
What to secure first
Not all accounts are equally important. Start with the ones that could cause the most damage if compromised:
- Email is like a master key. Most password resets go through email. If an attacker controls your inbox, they can reset their way into everything else.
- Messaging apps like Telegram, WhatsApp, and Signal. Group admins are high-value targets for scammers.
- Exchanges and banking. Anywhere money moves. Most exchanges have 2FA built in and some require it.
- Cloud storage (Google Drive, iCloud, Dropbox). Photos, documents, backups.
- Social media. Account takeovers spread scams to your contacts under your name.
Work down the list over a few days if you need to. Each account you secure is one less way for an attacker to get in.
After you enable 2FA
Once 2FA is on, check your active sessions, especially if you're setting it up because you suspect one of your accounts is compromised. Terminate any you don't recognise. In Telegram, go to Settings > Devices to see everywhere you're logged in. Most services have an equivalent: "Active sessions", "Signed-in devices", or "Where you're logged in".
Do this after, not before, otherwise an attacker with your credentials could simply log back in.
Two-factor authentication isn't complicated, and it doesn't take long to set up. The few minutes you spend now could save you a lot of trouble later.
Further reading:
2FAS · Aegis · Bitwarden Authenticator · Ente Auth · Google Authenticator · Microsoft Authenticator