How to protect your accounts: a second step at sign-in
The most important thing you can do, in a few minutes
A password alone is no longer enough. Passwords can be stolen from the websites where you use them, guessed, or tricked out of you through deceptive messages. The good news: the solution is not an even more complicated password, but one more step at sign-in. That way, even if someone learns your password, they still cannot get into your account without you. You set it up once and it protects you for a long time.
What it means, in simple words
- A second step at sign-in (you will see it written as “two-step authentication” or “2FA”): besides your password, you prove one more time that it is you — with a short code, a tap on your phone or your fingerprint. It is like a second lock on your door.
- A code received by SMS: better than nothing, but not the safest (there are ways someone can steal it from you). Use it only if you have no other option.
- A code app (for example Google Authenticator or Microsoft Authenticator): you install it on your phone and it shows you a 6-digit code that changes often. It is safer than SMS.
- Passkey (“sign in with your fingerprint or face”): the safest and, in fact, the simplest. Instead of a password, you sign in with your fingerprint, your face or your phone’s code. There is nothing to type and no way to accidentally give it to someone.
From best to weakest
passkey (fingerprint/face) → code app → code by SMS → nothing.
Don’t overthink it: the most important jump is from “nothing” to “any second step”. If you do one single thing today, turn it on for your email address.
How to turn it on — step by step
It is roughly the same everywhere. Go to Settings → Security and look for “Two-step authentication” (or “Two-step verification”).
- Start with your email address.
- Continue with your bank, Facebook and accounts that involve money.
- When asked how you want it, choose “authenticator app”. The app asks you to photograph a small square of dots on the screen (it is called a “QR code”) — that’s all.
- You will be shown some backup codes. Write them on paper or save them — they rescue you if you lose your phone.
A few shortcuts, if you want to go straight there:
- Gmail / Google: go to your Google account page → Security → “2-Step Verification”.
- Facebook: Settings → Password and security → “Two-factor authentication”.
- Your bank’s app: it is usually on from the start; just check that it is not set to plain SMS.
What a passkey is and how to use it
A passkey replaces your password with something you already have: your fingerprint, your face or your phone’s code. At sign-in, your phone or laptop asks you to confirm yourself — and that’s it. Nothing to remember, nothing to type, nothing to steal. It is saved securely in your account and appears on your other devices too. More and more websites offer it. When you see “create a passkey”, accept: it is both safer and more convenient.
What to avoid
- Don’t keep only the code by SMS on your important accounts, if you can use a code app or a passkey.
- Don’t end up without your backup codes — write them down beforehand.
- Never tell the code to anyone who calls or writes to you. No real bank or institution asks for it. (If this has happened to you, see the playbook about scam calls.)
Get started in 5 steps
- Turn on the "second step" on your email first — your email address can reset all your other accounts, so it matters most.
- Then on your bank, Facebook and anywhere you keep money or important things.
- When asked how, choose a code app instead of the SMS message, if you can.
- Write the backup codes on paper when they are shown to you — they help if you lose your phone.
- Wherever you see the passkey option ("sign in with your fingerprint or face"), use it — it is the simplest and safest.
Sources
Last reviewed: . Spotted something outdated? Tell us.