
How to enable 2FA

If you have an online service account that involves your personal or financial information, you need to apply two-factor authentication to it. This guide will show you how to use an authenticator app on your phone to add security to your accounts.

That includes social media like Facebook, TikTok and Twitter, email services like Gmail and ProtonMail, online storage and office suites, and financial services. Your bank almost certainly already applies 2FA, using its own mobile app as a token, which secures most financial transactions made with your card.

You should also add two-factor authentication to services such as PayPal, Stripe and Wise, and any online retailers that don’t trigger your bank’s card confirmation system when you shop with them. It’s a good idea to add 2FA to widely targeted online services such as Amazon anyway.

If you have any services that use SMS messages to authenticate you, these should also be switched to app-based 2FA, as mobile phone numbers should never be used as a proxy for identity. They’re vulnerable to SMS interception attacks and to specific kinds of phishing, and you can lose access to your number if it’s disconnected and reallocated due to non-payment of bills or other disputes with your mobile provider.

We’re going to use your mobile phone as an authentication device, using an authenticator app. In this tutorial, we’re going to use Google Authenticator, as it’s available for both Android and iOS and provides a consistent interface. I’ll discuss alternatives, including the integrated authenticator in iOS 15 and above, after this setup guide.


You’ll need

  • A computer
  • An Android or iOS smartphone

The Short Version

  1. Install Google Authenticator
  2. Get started
  3. Optional: Import accounts
  4. Add your first account
  5. Select your service (example: Dropbox)
  6. Confirm that you want to continue
  7. Confirm your identity
  8. Select your 2FA method
  9. Scan the QR code
  10. First authentication
  11. Optional: Add a backup mobile number
  12. Save backup codes
  13. Enable 2FA
  14. You’re done!
Step 1: Install Google Authenticator

Search the Google Play Store or iOS App Store for Google Authenticator and tap Install. Once installed, open the app.

Step 2: Get started

Flick through the introductory information if you’re interested, then tap Get Started.

Step 3: Optional: Import accounts

If you’re transferring Google Authenticator accounts from your previous phone, select Import existing accounts, then follow the on-screen instructions to bring up a transfer QR code on your old phone and scan it on your new one. Your one-time code collection should appear. Note that, unlike some rivals, Google Authenticator doesn’t allow you to back up your codes, so this is the only way to get them off your phone.

Step 4: Add your first account

You can add accounts to Authenticator using either a setup key or a QR code. I always recommend scanning a QR code if available – and it almost always is – as this reduces the risk of error. To add an account to the authenticator, tap Scan a QR code. You’ll then be prompted to give Authenticator access to the camera. Tap Allow.

Step 5: Select your service

In your web browser, go to a service you’d like to add 2FA to. In this example, I’m using Dropbox, where you’ll find the relevant security settings at https://www.dropbox.com/account/security – you’ll generally find multi-factor authentication options in a service’s security settings. It’s usually a link or clickable button, but Dropbox uses a toggle switch, which prompts you to set up 2FA if you haven’t previously registered an authenticator.

Step 6: Confirm that you want to continue

You’ll often see a prompt explaining what 2FA is at this point. In Dropbox’s case, it’s an alert box where you can Learn more or Get started. Click Get started.

Step 7: Confirm your identity

Because this is a high-security operation that could be taken advantage of by someone who’d gained unauthorised access to your account, you’ll almost always have to re-enter your password to set up 2FA for a service, even if you’re already logged in. Do so.

Step 8: Select your 2FA method

Various sites support a range of different methods. Always avoid text message security codes if you can, although these are the default as they’re the most widely accessible option. Here, I’ll select Use a mobile app and click Next.

Step 9: Scan the QR code

Finally, we’re presented with the QR code we prepared to scan back in step 4. Line it up with your phone camera and an Account added screen displaying a code will appear on your phone. Tap Add account on the phone, then click Next on the 2FA window in your browser.

Step 10: First authentication

On your phone, you’ll be looking at the main Google Authenticator screen. This lists every associated site or service, with 2FA codes that are replaced every 30 seconds. To enable 2FA on Dropbox, we just need to type the current code into the 2FA prompt on-screen in our browser. Although most authenticator apps display the code as two groups of three digits, enter it as a single six-digit code when asked for one.

Step 11: Optional: Add a backup mobile number

At this point, Dropbox prompts you to add a backup phone number if one isn’t currently associated with your account. This is generally a good idea, so you’ll be able to easily recover access to your account if you lose your authenticator. If you’re worried about your mobile number being compromised, however, stick to backup codes. Enter your mobile number and click Next.

Step 12: Save backup codes

Dropbox gives you a set of backup passcodes here, which is fairly common. Other services may require you to generate them separately from their security interface. Either way, these are incredibly useful, as you can use them to log in if you don’t have access to your Authenticator app. Copy or screenshot them and put the file somewhere safe – preferably encrypted. Click Next.

Step 13: Enable 2FA

You’re almost there. Dropbox shows a final prompt asking if you’re really sure you want to enable two-factor authentication. Click Next to confirm that you are.

Step 14: You’re done!

The next time you log into this site from a new browser, you’ll be prompted to provide a 2FA code as well as your password. Your security page now shows all your 2FA settings and allows you to access your recovery codes if you need to generate more. You can also disable 2FA here if you need to. Back on the phone, tap the plus sign icon at the bottom right whenever you need to add another 2FA entry to Google Authenticator.

For another example, see my guide to securing your Amazon account with two-factor authentication using Aegis Authenticator.


FAQs

What does TOTP stand for?

The 2FA codes your authenticator generates are officially called Time-based One-Time Passwords. Each is a six-digit code derived from a secret shared with the site and the current time, and a new one is generated every 30 seconds – so a stolen code is only useful until it expires – and must be typed into the box on the site that has asked you for it.
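As an added example that is not part of the original article, the Python below implements the TOTP scheme described here (RFC 6238: HMAC-SHA1 over the 30-second time step, six digits), decodes the kind of base32 setup key that sits beside the QR code in steps 4 and 9, and shows how a site can accept a code from a phone whose clock is a few seconds off. The otpauth URI and the reference secret are constructed test values, not anything issued by Dropbox or Google.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

STEP = 30    # seconds per code, as stated in the FAQ
DIGITS = 6   # length of the displayed code


def decode_setup_key(key: str) -> bytes:
    """Turn the base32 'setup key' shown beside a QR code into raw bytes.
    Sites often show it in spaced, lower-case groups with no padding."""
    cleaned = key.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def secret_from_qr(uri: str) -> bytes:
    """Extract the shared secret from the otpauth:// URI a 2FA QR code encodes
    (Key URI format). Any URI passed here is a constructed example."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    return decode_setup_key(parse_qs(parsed.query)["secret"][0])


def totp(secret: bytes, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the number of steps since the Unix epoch,
    dynamically truncated to a 31-bit integer, reduced to `digits` decimal digits."""
    counter = struct.pack(">Q", at // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(secret: bytes, submitted: str, at: int, window: int = 1) -> bool:
    """Server-side check: accept the current step plus `window` steps either
    side, so a slightly inaccurate phone clock (the FAQ's caveat) still works.
    Comparison is constant-time to avoid leaking how many digits matched."""
    return any(
        hmac.compare_digest(totp(secret, at + drift * STEP), submitted)
        for drift in range(-window, window + 1)
    )
```

With the RFC 6238 reference secret (ASCII "12345678901234567890", base32 GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ), `totp(secret, 59)` gives 287082, the published test vector cut to six digits.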

Do 2FA apps need an internet connection?

No, no connectivity is required. You just need to make sure your device’s clock is accurate, because the codes are derived from the current time.

Does iOS have integrated two-factor authentication?

Yes it does, as of the June 2021 release of iOS 15 and iPadOS 15. It’s built into the iCloud Keychain, and you’ll find it by going to Settings > Passwords. Then add a new password or edit an old one. Go to Account options and select Set Up Verification Code… – you’ll then be prompted to Enter Setup Key or Scan QR Code, just as in the tutorial above. Users of older iOS versions will have to use a third-party authenticator.

Do I have to use a smartphone?

While a smartphone is an obvious choice for an authenticator, as you’ll have it wherever you are, Authy and Bitwarden both offer web and desktop interfaces. Bitwarden Authenticator is only available on paid-for accounts. Hardware dongles such as YubiKey devices are also an option.

Can any authenticators sync across multiple devices?

Yes. This is a specialist feature, popular among businesses that need to share secure logins among staff, but it also adds peace of mind if you’re prone to losing or breaking your phone. I recommend Authy and Bitwarden, which can both be easily configured to work across multiple devices, and those devices can be removed via a web interface if lost.

Google Authenticator has limited multi-device support: it requires you to scan the authentication code on every device you wish to use, or to use the account transfer QR code to add a duplicate device, so I don’t recommend it for this purpose.

Do I have to use Google Authenticator for 2FA on Google services?

No, you can use any authenticator. On a related, but separate note, you can also use any Android or iOS device for passwordless sign-ins to Google services.

Do I have to use Microsoft Authenticator for 2FA on Microsoft services?

No. Microsoft strongly encourages you to use its own Microsoft Authenticator platform – you’ll encounter prompts to do so when interacting with it for everything from Azure and Office 365 to Minecraft. Microsoft Authenticator is a great tool, with an easy-to-use number-matching challenge for passwordless access to Microsoft services and increasingly capable password management features. However, if you’d rather avoid having multiple authenticators on your phone, say “No thanks” when prompted to get Microsoft Authenticator and go to the Additional security options page on your Microsoft account to set up a different authenticator app.

Are any open-source authenticators available?

Google Authenticator is no longer open-source software, but plenty of rivals are. I use Aegis Authenticator on Android, available via both the open F-Droid store and on the Google Play Store. Bitwarden’s authenticator is also open source, as is FreeOTP, among others. The advantages here are that their code can be publicly audited for security, and that you’ll not be tied into any specific ecosystem.

Can I use my authenticator with Steam?

No. Steam Guard uses an unconventional form of TOTP and doesn’t support third-party hardware or software tokens. 2FA for Valve’s gaming platform and its marketplace is currently only available via the dedicated Steam Guard Mobile Authenticator.

Does 2FA have other names?

Yes. Multi-factor authentication (MFA), 2-step verification or two-step verification (2SV) are the most common alternative terms you’ll encounter.
