A strong password is the lock on your front door. Two-factor authentication is the deadbolt.
Even with a password manager and unique passwords for every account, one leaked credential is all it takes. Phishing, data breaches, keyloggers on a public machine. If someone gets your password and that’s the only thing protecting your account, they’re in.
Two-factor authentication (2FA) adds a second step. After entering your password, you prove you have something physical: your phone, a hardware key, or a code from an app. Without that second factor, the password alone is useless.
I use 2FA on every account that supports it. It takes five extra seconds to log in and makes your accounts significantly harder to break into.
How It Works
When you log in with 2FA enabled:
- You enter your username and password (something you know)
- The service asks for a second factor (something you have)
- You provide it from your app, hardware key, or passkey
- You’re in
An attacker would need both your password and physical access to your device. That’s a much harder target.
Types of 2FA (Ranked by Security)
Passkeys (best)
Passkeys replace both your password and your second factor in one step. They are tied to your device and your biometrics (fingerprint or face). They cannot be phished because they cryptographically verify the website’s domain before completing the login. If a site supports passkeys, use them.
Hardware keys (excellent)
Physical USB devices like YubiKey. You plug one in or tap it when prompted. Like passkeys, they verify the actual website domain so they cannot be phished. I keep multiple keys across different connector types (USB-A, USB-C) to cover every device I own.
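To show why passkeys and hardware keys resist phishing, here is an added toy model (not code from the original post) of the domain binding both paragraphs above describe: the authenticator derives one credential per site and signs the browser-reported origin into every response, so a look-alike site relaying the real site's challenge cannot produce a response the real site accepts. The site names are constructed, and an HMAC stands in for the per-site signature that a real device would produce with an asymmetric key.

```python
import hashlib
import hmac
import secrets


class Authenticator:
    """Toy model of a passkey or hardware key. Real devices keep one asymmetric
    key pair per relying-party ID and return a signature; here HMAC-SHA256 with
    a per-site derived key stands in for that signature (modelling assumption)."""

    def __init__(self) -> None:
        self._master = secrets.token_bytes(32)  # never leaves the device

    def _site_key(self, rp_id: str) -> bytes:
        # A different rp_id yields an unrelated key: the credential is site-bound.
        return hmac.new(self._master, rp_id.encode(), hashlib.sha256).digest()

    def register(self, rp_id: str) -> bytes:
        return self._site_key(rp_id)  # the site stores this at enrolment

    def sign_challenge(self, browser_origin: str, challenge: bytes) -> tuple[str, bytes]:
        # The browser, not the page, supplies the origin it is really on, and that
        # origin is part of the signed message, so a relayed response names the wrong site.
        msg = browser_origin.encode() + b"|" + challenge
        return browser_origin, hmac.new(self._site_key(browser_origin), msg, hashlib.sha256).digest()


class RelyingParty:
    def __init__(self, rp_id: str) -> None:
        self.rp_id = rp_id
        self._keys: dict[str, bytes] = {}

    def enroll(self, user: str, key: bytes) -> None:
        self._keys[user] = key

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(32)

    def verify(self, user: str, challenge: bytes, origin: str, sig: bytes) -> bool:
        if origin != self.rp_id:
            return False  # response was produced for some other site: reject
        expected = hmac.new(self._keys[user], origin.encode() + b"|" + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, sig)


def demo() -> tuple[bool, bool]:
    """Returns (genuine login accepted, relayed look-alike login accepted)."""
    dev, bank = Authenticator(), RelyingParty("bank.example")
    bank.enroll("alice", dev.register("bank.example"))
    c1 = bank.new_challenge()  # browser really is on bank.example
    genuine = bank.verify("alice", c1, *dev.sign_challenge("bank.example", c1))
    c2 = bank.new_challenge()  # look-alike site forwards the bank's real challenge
    relayed = bank.verify("alice", c2, *dev.sign_challenge("login-bank.example", c2))
    return genuine, relayed
```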
TOTP apps (great)
Time-based one-time passwords. An app on your phone generates a six-digit code that changes every 30 seconds. You scan a QR code once during setup and the app handles the rest. No internet connection needed on the phone to generate codes.
SMS codes (last resort)
A text message with a code sent to your phone number. This works, but it is the weakest option. SIM swapping attacks can redirect your texts to someone else’s phone. Use this only if no other option is available.
How I Actually Set This Up
Over time I landed on a setup where different types of accounts use different apps. The reason is simple: if one app or service is compromised, only that category of accounts is at risk. Everything else stays protected.
Personal accounts (finance, banking, personal email, anything privacy-related)
I use ProtonPass. It handles both passwords and TOTP codes in one place. I chose it for the same reason I use Proton Mail and Proton VPN: the entire ecosystem is privacy-focused and end-to-end encrypted.
Work accounts (Outlook, VPN, AWS, corporate systems)
I use Microsoft Authenticator and Duo Mobile depending on what the system requires. Most Microsoft 365 and corporate tools integrate directly with Microsoft Authenticator. Duo is common in enterprise environments.
Browser accounts on devices that are not synced
I use Google Authenticator as a fallback for accounts tied to browsers or devices that do not sync with my other apps.
Phone SMS
Only when it is the only option a service offers. I treat it as a placeholder until the service adds something better.
Hardware level
For anything that supports it, I use YubiKey. I keep a mix of USB-A and USB-C keys so that any device I work on is covered. Keeping multiple keys also means losing one does not lock me out.
Why Separate Apps for Separate Account Types?
The idea is to limit blast radius. If one authenticator app is compromised through malware, a lost phone, or a breach, only the accounts in that app are at risk. Your other categories remain untouched. Mixing everything into one app is convenient until it is not.
Setting Up 2FA (General Steps)
Most services follow the same pattern:
- Go to your account security settings
- Look for “Two-factor authentication” or “2-step verification”
- Choose your method (passkey, hardware key, or TOTP app)
- If using a TOTP app: scan the QR code with your authenticator app
- Enter the six-digit code to confirm it works
- Save the recovery codes somewhere safe
Recovery Codes Matter
When you enable 2FA, most services give you a set of one-time recovery codes. These let you back into your account if you lose your phone or hardware key.
I keep a minimum of 10 recovery codes per account. Store them in your password manager. Print a copy and put it somewhere safe. Do not skip this step. If you lose your second factor and have no recovery codes, you may permanently lose access to that account.
What to Enable 2FA On First
Start with the accounts that control everything else:
- Email (if someone owns your email, they can reset every other password)
- Password manager (protects everything inside it)
- Banking and financial accounts
- Cloud storage (Google Drive, iCloud, Dropbox)
- Work accounts (anything with access to company systems)
- Social media (often targeted for identity theft)
My Recommendations
If you are just getting started and want to know what to actually use, here is my short list:
Start with ProtonPass. It handles both your passwords and TOTP codes in one encrypted, privacy-focused app. It works on every platform and keeps your personal accounts out of the advertising ecosystem entirely.
Add a YubiKey when possible. For anything that supports hardware keys, a physical key is the strongest protection you can add. Buy at least two so you always have a backup. Keep one on your keychain and one somewhere safe.
Save at least 10 recovery codes per account. Store them in ProtonPass and print a physical copy for anything critical.
ProtonPass plus a YubiKey covers the vast majority of people in the vast majority of situations. Everything else in this post is about going deeper from that baseline.