Protect.Computer
TUTORIAL

How to Set Up Two-Factor Authentication (Step by Step)


If phishing is a thief trying to pick your lock, then two-factor authentication is a deadbolt plus a security camera system. Even if a thief steals your key, they still can’t get in without being noticed.

Two-factor authentication (usually abbreviated as 2FA) is one of the single most effective ways to protect your accounts. It’s especially important for your email account, because if someone gains access to your email, they can reset the password for every other account you have.

Here’s how it works: To log in, you need two things—your password (something you know) and a second factor (something only you have). This second factor is usually a code on your phone that changes every 30 seconds, or a notification that gets sent to your phone asking you to approve the login.

If a hacker steals your password, they still can’t log in without your phone. You’d immediately see them trying and could block them.

Let’s walk through setting up two-factor authentication on the accounts that matter most.

What You’ll Need

Before you start, gather these items:

  1. Your phone (iPhone or Android)
  2. An authenticator app installed on your phone (we recommend Google Authenticator, Microsoft Authenticator, or Authy)
  3. Access to your email and social media accounts
  4. 15-30 minutes of quiet time

Get your authenticator app now if you don’t have one:

  • Google Authenticator: Free, available on iPhone App Store and Google Play
  • Microsoft Authenticator: Free, available on iPhone App Store and Google Play
  • Authy: Free, available on iPhone App Store and Google Play

Method 1: Authenticator App (Most Secure)

We recommend using an authenticator app over SMS text messages. Here’s why: Text messages can be intercepted, and some phone companies can be tricked into transferring your number to a hacker. Authenticator apps work without needing any network connection.

Setting Up Google Authenticator

This is the most commonly used authenticator app, so let’s walk through it:

  1. Open Google Authenticator on your phone. You should see a mostly blank screen with a “+” button at the bottom.
  2. Go to your Gmail account. In a web browser, go to myaccount.google.com and click “Security” in the left menu.
  3. Scroll down to “How you sign in to Google” and click “2-Step Verification.” Google might ask you to verify your current password first.
  4. Follow Google’s setup process. When it asks which phone you want to use, select your current phone.
  5. When Google asks “What kind of second step do you want to use?”, select “Authenticator app.” Do NOT select “Text message (SMS)” if you want maximum security.
  6. Google will show you a QR code (a square barcode-like image). Open Google Authenticator and tap the “+” button, then tap “Scan QR code.”
  7. Point your phone’s camera at the QR code on your computer screen. Google Authenticator will automatically read it and add your Gmail account.
  8. Google Authenticator will now display a 6-digit code that changes every 30 seconds. Type this code into Google’s setup page to verify it worked.
  9. Google will give you backup codes. These are critical. Write them down, take a screenshot, or save them to your password manager. If you lose your phone, these codes are the only way to get back into your account. Seriously—do not skip this step.
  10. You’re done! The next time you log into Gmail from a new device, you’ll need to enter your password AND a code from Google Authenticator.

Save your backup codes somewhere safe (like your password manager). Without them, if you lose your phone, you can’t access your Gmail account. Don’t store them in a public place or take screenshots you leave on your computer.

Setting Up Other Accounts with Authenticator

Once you have Google Authenticator set up, the process is similar for other accounts. Here’s how to do it for Apple ID, Facebook, and other services:

  1. Go to that service’s security settings. We’ll show you where for each below.
  2. Look for “Two-Factor Authentication” or “Two-Step Verification” settings.
  3. Select the option to use an authenticator app.
  4. The service will show you a QR code. Open Google Authenticator, tap “+”, tap “Scan QR code,” and point your phone at the code.
  5. Google Authenticator will display a 6-digit code. Type this code into the website to complete setup.
  6. Save the backup codes the service provides.

Setting Up 2FA on Specific Services

Apple ID (iPhone/Mac Users)

  1. On your iPhone: Settings > [Your Name] > Password & Security > Two-Factor Authentication
  2. Tap “Turn On Two-Factor Authentication”
  3. For extra security beyond Apple’s default, set up an authenticator app: appleid.apple.com > Account Settings > Security > Edit > Set up authentication key
  4. Apple will give you options. Choose “Use an authenticator app” and scan the QR code with Google Authenticator.

Facebook

  1. Go to facebook.com, click your profile picture, then “Settings & privacy” > “Settings”
  2. Click “Security and login” on the left
  3. Click “Use two-factor authentication” (it might already be partially enabled)
  4. Under “Authentication app,” click “Set up” and scan the QR code with Google Authenticator

Microsoft Account (Outlook, Windows)

  1. Go to account.microsoft.com and click “Security” on the left
  2. Click “Advanced security options”
  3. Under “Two-step verification,” click “Turn on two-step verification”
  4. When asked for your second verification method, select “Authenticator app” and scan the QR code with Google Authenticator

Amazon

  1. Go to amazon.com, click your account name, then “Your Account”
  2. Click “Login & security”
  3. Under “Two-Step Verification (2SV),” click “Edit”
  4. Choose “Authentication app” as your verification method and scan the code

Method 2: SMS (Text Message)

Some people prefer SMS for convenience, though it’s less secure than authenticator apps. If you choose this method:

  1. Follow the setup steps above, but when asked for your second verification method, select “Text message (SMS)”
  2. Verify your phone number. The service will send you a code via text to confirm.
  3. When you log in from a new device, you’ll receive a code via text that you’ll need to enter.

The downside: If someone steals your SIM card or tricks your phone company into transferring your number, they can intercept these texts and access your account. It’s still much better than no 2FA, but authenticator apps are more secure.

What Happens When You Log In

Once 2FA is enabled, here’s what logging in looks like:

  1. You go to the website and enter your username and password normally
  2. The website asks for your second factor
  3. If using an authenticator app: Open Google Authenticator and find the code for that website (it’s a 6-digit number that changes every 30 seconds). Type it into the website.
  4. If using SMS: Wait for a text message with a code, then type it into the website
  5. You’re logged in!

It sounds like extra work, but you only go through this on new devices. If you log in from the same computer regularly, many services will “remember” your device so you don’t need to enter the code every time.

Tips and Troubleshooting

I Lost My Authenticator App

Use your backup codes to log in, then set up a new authenticator app. This is why backup codes are so important.

I Switched to a New Phone

Before getting a new phone, set up the authenticator app on both phones if possible. Once you move to the new phone, delete it from the old phone. Or, use backup codes to log into your accounts on the new phone and re-add them to the authenticator app.

I Lost the Codes and Don’t Have My Phone

You’ll need to go through your account recovery process. This is different for each service, but you’ll usually need to answer security questions or verify your identity another way. This is why you should keep backup codes somewhere safe.

I Keep Forgetting to Enter the Code

Most services will ask for the 2FA code only on new or unrecognized devices. Once your device is recognized, you won’t need it every time. Give it time—it becomes habit.

Start with just your most important account (your email), use it for a few days, then add other accounts. Don’t try to set up 2FA on everything at once.

Which Accounts Should Have 2FA?

Absolutely essential (set up today):

  • Email (Gmail, Outlook, Yahoo, Apple Mail)
  • Bank and financial accounts
  • PayPal and other payment services

Very important (set up soon):

  • Facebook, Twitter, LinkedIn
  • Apple ID or Microsoft Account
  • Amazon and shopping accounts

Nice to have (set up when you have time):

  • Instagram, TikTok, Snapchat
  • Streaming services
  • Any other accounts with financial information

What to Do Next

Now that you have 2FA set up on your important accounts, strengthen them further by creating strong passwords and learning to spot phishing attempts. Together, these defenses make your accounts nearly impossible to hack into.

You’ve just taken one of the most important steps toward online security. This one change protects you more than almost anything else you could do. Great job.
