FK94Security
Accounts | 8 min read

Two-Factor Authentication: What to Use and What to Avoid

Two-factor authentication adds a second layer of security to your accounts. But not all 2FA methods are equal. Some are barely better than nothing, while others make your accounts nearly impossible to break into.

The 2FA methods ranked

From weakest to strongest, here are the main 2FA methods and what they protect against.

SMS codes: Better than nothing, but vulnerable to SIM swapping and interception. Use only as a last resort
Email codes: Slightly better than SMS, but if your email is compromised, so is your 2FA
Authenticator apps (TOTP): Google Authenticator, Authy, or Bitwarden's built-in authenticator. Good protection for most people
Push notifications: Like the Google Prompt or Microsoft Authenticator push. Convenient and reasonably secure
Hardware security keys: YubiKey, Google Titan. The strongest option. Phishing-resistant by design
Passkeys: The newest option. Combines the convenience of biometrics with the security of hardware keys

Which accounts to protect first

Not all accounts need the same level of protection. Focus your strongest 2FA on the accounts that control everything else.

Email (Gmail, Outlook): This is the master key. If someone controls your email, they can reset every other password. Use the strongest 2FA you can here
Cloud storage (Google Drive, iCloud): Contains personal documents, photos, and sometimes credentials
Banking and financial: Banks usually support SMS or app-based 2FA. Use the app if available
Password manager: Enable 2FA on your vault. This protects all your other passwords
Social media: Less critical but still worth enabling, especially if you have a public presence
Crypto exchanges: Must-have. Use an authenticator app or a hardware key, never SMS

Setting up an authenticator app

If you are starting from zero, an authenticator app is the best balance of security and convenience for most people.

Download an authenticator app (Bitwarden Authenticator, Google Authenticator, or Authy)
Go to your account's security settings and enable two-factor authentication
Scan the QR code with the authenticator app
Save the backup codes. Print them or write them down. Store them physically, not in your email
Test the setup by logging out and back in
Repeat for each important account

Backup codes are critical

The most common 2FA disaster is getting locked out of your own accounts because you lost your phone and did not save backup codes.

Every service that offers 2FA also offers backup codes. These are one-time-use codes that let you in if you lose your device. Save them. Print them. Put them somewhere safe.

Save backup codes when you first enable 2FA
Store them physically (printed, in a safe place), not in your email
If you get a new phone, transfer your authenticator app before wiping the old one
Authy and Bitwarden sync across devices, which reduces the risk of lockout
Consider a hardware key as a backup 2FA method for your most important accounts

Takeaway

The best 2FA is the one you will actually use. Start with an authenticator app on your email and password manager, then expand to other accounts.