
Lesson 3/5

2FA: the account lifesaver

SMS, authenticator apps, FIDO2 keys, and recovery codes.

1. Why 2FA matters

Two-factor authentication adds a second check after the password. If a password is stolen through phishing or a breach, the attacker still needs the second factor. Turn it on for your bank, email, Apple ID, Google account, Facebook, and WhatsApp. Email comes first because it is used to reset many other accounts. The NCSC shows how even a minor-looking service can become dangerous when passwords and verification steps are stolen together.

2. SMS is better than nothing

SMS codes help, but they can be bypassed through SIM swap: someone moves your number to another SIM or eSIM and then receives your codes. The Italian Postal Police warns that a phone that suddenly cannot make or receive calls is a sign of this. If a service only offers SMS, use it. For important accounts, prefer an authenticator app or hardware key.

3. Authenticator apps and FIDO2 keys

Google Authenticator and Microsoft Authenticator generate codes on your phone without relying on SMS. They are a good choice for email, social, cloud, and work services. FIDO2 hardware keys such as YubiKey or Solo Key are stronger because they resist phishing better: the key's response is tied to the site's real domain, so a fake domain cannot easily get the key to approve a login. Keep a backup key if you use hardware keys.

4. Recovery codes

Recovery codes are your emergency exit if you lose the phone or key. Print them or write them on paper and store them safely. Do not keep them only on the same phone. Never give 2FA or recovery codes to anyone over the phone. The FBI warns that callers posing as financial support try to get MFA or OTP codes.

Quiz 1/4

Which account should get 2FA first?