Two-Factor Authentication, Explained Without Jargon
Here is the simplest explanation of two-factor authentication I have been able to come up with after years of trying. You know how when you visit your bank's drive-through to deposit a check, the teller wants both your debit card AND your PIN? Two pieces of evidence that you are who you say you are. One isn't enough. That's two-factor authentication.
For an online account, the two factors are usually your password and a six-digit code sent to your phone. The password is the thing you know. The code is the thing you currently have access to. A scammer who has somehow gotten your password still can't get in, because they don't also have your phone.
That's the entire concept. The rest is just where the code comes from.
Why this matters more than people think
In my old job we used to estimate that something like 80 percent of consumer account compromises would have been prevented if the victim had two-factor authentication turned on. Eighty percent. That's not a small number.
The reason is that most account compromises don't involve a sophisticated hacker breaking your password. They involve a database leak at some company you used eight years ago, where your email address and the password you used for them ended up on the open internet. The criminals then try that email-and-password combination on every major site. If you reused the password — which most people do for at least some accounts — they get in.
Two-factor authentication breaks that pattern. Even with the right email and password, the attacker doesn't have your phone. They can't get the code. They give up and go on to the next victim.
The three forms of "second factor"
Listed from most common to most secure:
Text-message codes. The site texts a six-digit number to your phone. You type it in. Easy to use. Available everywhere. Slightly weaker than the other options because a determined attacker can sometimes hijack your phone number (a process called "SIM swapping"), but for ordinary risks it is more than adequate.
Authenticator app codes. You install a free app (Google Authenticator, Microsoft Authenticator, Authy) that generates a fresh six-digit code every thirty seconds. The code is generated mathematically on your phone — no text message involved. Stronger than text messages because there's no phone number for an attacker to hijack.
Hardware security keys. A physical USB or NFC device the size of a thumb drive. You tap it on the phone or plug it in. Strongest option, but it's overkill for most people. Mostly used by journalists, executives, and people in jobs with real targeted-attack risks.
For ordinary use, the text-message version is what I recommend. It's available on every major service, it doesn't require installing an app, and it's vastly better than no second factor at all.
How to turn it on for the accounts that matter
The setup is almost identical across every major service. Go to the website (not the app), sign in as normal, find Settings → Security or Account → Security, and look for "Two-Factor Authentication" or "Two-Step Verification." Toggle it on. Choose text-message as your method. Enter your phone number. The site texts you a confirmation code. Enter the code.
The accounts to turn this on for, in priority order:
Your primary email (Gmail, Outlook, Yahoo). The most important account because it can reset passwords on everything else.
Your bank, credit card company, and any other financial accounts.
Your Apple ID or Google Account. The account your phone itself runs on.
Your patient portal (MyChart or whatever your hospital uses).
Amazon and any other account that has your credit card stored.
For everything else — the dozens of smaller accounts you've collected — two-factor authentication is nice to have but not urgent. Don't try to do all of them on a Saturday afternoon. Get the priority accounts done first.
The day this saved a friend of mine
An accountant who works near my office had her email password show up in a database leak from a small accounting forum she'd joined in 2014. Within a week, automated attempts to use that email-and-password combination hit her bank, her brokerage, her credit cards, and her primary email account.
The attempts all failed. She had text-message two-factor authentication on every one of them. She knew it had happened only because she kept getting text messages with verification codes she hadn't requested. She changed the leaked password the same day. Nothing was stolen. Nothing was compromised.
Without two-factor authentication, the attackers would have been inside her bank within an hour of trying. With it, they got nothing. The single most boring security feature in computing did what it was supposed to do.
The thing nobody warns you about
If you change phone numbers, the two-factor codes for every account that uses text messages will go to the old number. This is bad. Before you switch carriers or get a new number, go through your priority accounts and update the phone number on each one.
I keep a small list in my notebook (the same notebook I cover in our password guide) of which accounts have text-message two-factor authentication. Twelve accounts. Takes about an hour to update them all when I change numbers, which is rare, but the alternative is being locked out of my bank.
If you've already changed numbers and lost access to an account, every major service has a recovery process. It usually involves uploading a photo of your driver's license and waiting a few days. Annoying. Doable. The recovery is meant to be slow specifically so attackers can't use it to bypass your security.
What about authenticator apps
If you'd like to step up to authenticator apps eventually, the migration is straightforward. Most major services let you switch from text-message to app-based codes at any time, in the same Settings → Security page where you turned on two-factor in the first place.
I recommend Microsoft Authenticator or Google Authenticator. Both are free, both are simple, both back up your codes to the cloud so you don't lose access if your phone dies. Authy is a fine alternative.
If you stay on text messages forever, that's also fine. You will not be the weakest link on the internet by a wide margin. The weakest link is somebody who hasn't turned on any kind of two-factor at all, and there are many millions of them.
Don't be one of them. Take an afternoon. Get the priority accounts done. It's the single highest-return security activity available to ordinary people.
Written by David Chen. Last verified 19 June 2026.