Two-factor authentication (2FA) is the single most impactful security improvement most people can make today. Stolen passwords are a fact of life — data breaches expose billions of credentials every year. Without 2FA, a leaked password is all an attacker needs. With 2FA, they also need a physical device or hardware key that only you possess. This guide covers every major 2FA method, compares the top authenticator apps, and walks you through setup on the services that matter most.
Why 2FA Matters (and Why SMS Isn’t Enough)
The concept behind 2FA is simple: combine something you know (password) with something you have (a code, a device, a key). Even if an attacker phishes your password or buys it from a breach dump, they still cannot log in without that second factor.
Not all 2FA is equal, though. Here’s how the main methods stack up:
| Method | Strength | Phishable? | Notes |
|---|---|---|---|
| SMS one-time codes | Weak | Yes | SIM-swap attacks make this dangerous |
| Email OTP | Weak | Yes | Only as secure as your email account |
| TOTP app (e.g., Aegis) | Strong | Partially | Codes expire in 30s; still vulnerable to real-time phishing |
| Hardware key (FIDO2/WebAuthn) | Very strong | No | Gold standard; browser verifies domain |
| Passkeys | Very strong | No | Hardware-backed, increasingly supported |
SMS 2FA is still far better than nothing, but SIM-swapping — where attackers convince your carrier to transfer your number to their SIM — is a well-documented attack used to hijack accounts. Avoid SMS 2FA whenever a better option exists.
TOTP (Time-based One-Time Passwords) generates a new 6-digit code every 30 seconds using a shared secret. Apps like Aegis, Authy, or Google Authenticator read a QR code when you set up an account and generate these codes offline. Because the codes change constantly, a stolen code is useless within seconds.
Hardware security keys using FIDO2/WebAuthn go even further. The browser cryptographically verifies the domain before signing in, making phishing structurally impossible. The key must be physically present.
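The reason a hardware key resists phishing is that the domain is baked into what gets signed and checked, not typed by the user. The added example below (not code from the original guide, Yubico, or any WebAuthn library) walks through the relying-party checks from the WebAuthn assertion verification procedure: the browser records the page origin in `clientDataJSON`, the authenticator prefixes its signed data with `SHA-256(rpId)`, and the server rejects anything whose origin or rpId hash is not its own. The relying-party ID `example.com`, the allowed origins, and the look-alike domain in the phishing scenario are all constructed for the illustration; the final public-key signature check over `authenticatorData || SHA-256(clientDataJSON)` is deliberately left out, since it needs a registered credential key and does not change the domain-binding point.

```python
import base64
import hashlib
import json
import secrets

# Assumptions for this illustration (constructed, not from the page): the relying
# party is registered as "example.com" and accepts logins only from these origins.
RP_ID = "example.com"
ALLOWED_ORIGINS = frozenset({"https://example.com", "https://login.example.com"})


def b64url(data: bytes) -> str:
    """Base64url without padding, as WebAuthn encodes challenges in clientDataJSON."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def new_challenge() -> str:
    """Server step: a fresh random challenge, stored in the session before login starts."""
    return b64url(secrets.token_bytes(32))


def browser_client_data(challenge: str, origin: str) -> bytes:
    """What the browser itself assembles. The origin comes from the page that called
    navigator.credentials.get(); page script cannot override it."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()


def authenticator_data(rp_id: str, sign_count: int = 1, user_present: bool = True) -> bytes:
    """Constructed authenticator data: SHA-256(rpId) || flags || 32-bit signature counter.
    The key signs this together with SHA-256(clientDataJSON), which binds the domain."""
    flags = 0x01 if user_present else 0x00
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")


def verify_assertion(expected_challenge: str, client_data_json: bytes, auth_data: bytes,
                     rp_id: str = RP_ID, allowed_origins=ALLOWED_ORIGINS) -> tuple:
    """Relying-party checks, in spec order, minus the final public-key signature check."""
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge does not match the one issued for this session"
    if client_data.get("origin") not in allowed_origins:
        return False, f"origin {client_data.get('origin')!r} is not an allowed origin"
    if len(auth_data) < 37:
        return False, "authenticator data too short"
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match this relying party"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set (key was not touched)"
    return True, "ok"


def demo_genuine_login() -> tuple:
    """User signs in on the real site: origin and rpIdHash both match."""
    challenge = new_challenge()
    return verify_assertion(challenge,
                            browser_client_data(challenge, "https://login.example.com"),
                            authenticator_data(RP_ID))


def demo_phishing_login() -> tuple:
    """A look-alike site relays the real challenge, but the victim's browser records the
    look-alike origin and scopes the credential to that domain, so the server refuses it."""
    challenge = new_challenge()
    return verify_assertion(challenge,
                            browser_client_data(challenge, "https://examp1e.com"),
                            authenticator_data("examp1e.com"))


if __name__ == "__main__":
    print("genuine login:", demo_genuine_login())
    print("relayed via look-alike site:", demo_phishing_login())
```

Contrast this with TOTP, where the code the user types carries no information about which site it was typed into; a relay site can forward it unchanged and the real server has no way to tell.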
TOTP Authenticator Apps Compared
Google Authenticator
Google’s official app is the most widely recognized, but it has serious drawbacks: no encrypted backup, no cloud sync (a liability if you lose your phone), and historically no export option. It’s functional but not recommended when better alternatives exist.
Authy
Authy adds encrypted cloud backup and multi-device sync, which makes account recovery easier after a phone loss. The tradeoff is that your TOTP seeds are stored on Authy’s servers, which is a centralization risk. The desktop app is a plus for some workflows. Authy is a reasonable choice if you want convenience and trust the company.
Aegis Authenticator (Recommended for Android)
Aegis is a free, open-source Android authenticator that stores everything locally in an encrypted vault protected by a password, PIN, or biometrics. You control your own backups — export an encrypted .aegis_backup file to any location you choose. There is no cloud dependency. It supports TOTP and HOTP, has a clean UI, and is actively maintained. For privacy-conscious users on Android, Aegis is the clear winner.
Raivo OTP (iOS)
For iPhone users, Raivo OTP is the open-source equivalent of Aegis. It stores codes locally, supports iCloud backup (encrypted), and has a clean interface.
Hardware Keys: YubiKey and Others
YubiKey by Yubico is the most popular FIDO2 hardware key. Plug it into USB, tap it, and you’re authenticated — no codes to type. The YubiKey 5 series supports FIDO2, U2F, TOTP, and PIV. Google Titan Keys and open-source Nitrokey are alternatives. Hardware keys are ideal for high-value accounts like email, password managers, and work logins.
How to Set Up 2FA: Step-by-Step
Step 1: Install an Authenticator App
Download Aegis Authenticator from F-Droid or the Play Store (Android), or Raivo OTP from the App Store (iOS). On first launch, set a strong vault password — this protects all your TOTP secrets.
Step 2: Enable 2FA on Your Google Account
- Go to myaccount.google.com → Security → 2-Step Verification
- Click Get started and verify your password
- Choose Authenticator app from the options
- Google displays a QR code — open Aegis, tap the + button, choose Scan QR code
- Scan the code; Aegis adds the entry and shows a 6-digit TOTP code
- Enter the current code into Google to confirm setup
- Save your backup codes in a password manager or encrypted file
Step 3: Enable 2FA on GitHub
- Navigate to Settings → Password and authentication → Two-factor authentication
- Click Enable two-factor authentication
- Select Authenticator app, scan the QR code with Aegis
- Enter the confirmation code, then download backup codes
- Optionally add a security key under the same settings page for strongest protection
Step 4: Enable 2FA on Your Password Manager
Your password manager is the crown jewel — protect it with a hardware key if possible. In Bitwarden: go to Account Settings → Security → Two-step Login, select the TOTP or YubiKey option, and follow the prompts. Never lock yourself out: save backup codes in a physically secure location before finishing setup.
Step 5: Work Through Your Other Accounts
Prioritize in this order:
- Email (Google, ProtonMail, Outlook)
- Password manager
- Banking and financial accounts
- Social media (Twitter/X, Facebook, Instagram)
- Cloud storage (Dropbox, iCloud)
- Domain registrars and hosting
Most services list 2FA settings under Account → Security or Account → Privacy. The website 2fa.directory catalogs which services support which 2FA methods — use it to audit your accounts systematically.
Backup and Recovery Planning
Losing access to your 2FA device without a backup plan means getting locked out of your accounts. Build a recovery strategy before you need it:
- Save backup codes for every service in your password manager or printed and stored in a safe location
- Export your Aegis vault regularly — the encrypted backup file can be stored on an external drive or in a secure cloud location
- Register two hardware keys on critical accounts when the service allows it, keeping a backup key in a safe place
- Document your 2FA setup — which app/key is used for which account — somewhere recoverable
Common Mistakes to Avoid
Using SMS for critical accounts. Upgrade to TOTP or hardware keys wherever possible, especially for email and banking.
Not saving backup codes. Every service provides backup codes during 2FA setup. Treat them like a physical key to your house.
Using the same device for password and 2FA. If your phone has both your password manager and your TOTP app, a compromised phone defeats the purpose. A hardware key as the second factor on critical accounts sidesteps this.
Disabling 2FA because it’s inconvenient. The few seconds it takes to approve a login are trivial compared to recovering from an account takeover.
Final Recommendations
For most users, the practical setup is: Aegis (Android) or Raivo (iOS) for TOTP codes, with a YubiKey on email and your password manager. Save backup codes in Bitwarden. Export your Aegis vault monthly to an encrypted backup.
If you do nothing else this week, enable 2FA on your email and password manager. Those two accounts are the keys to your entire digital life. Protect them accordingly.