Complete Guide to Two-Factor Authentication (2FA)


Your password, no matter how secure, can end up leaked in a data breach. What happens then? If you only use a password, the attacker has direct access. If you use two-factor authentication (2FA), they need something more. This guide explains everything you need to know.

What is two-factor authentication?

Two-factor authentication (2FA) is a security method that requires two independent elements to verify your identity:

  1. Something you know — Your password
  2. Something you have — Your phone, a physical key, or an app

Only when both factors are verified do you get access. If an attacker has your password but doesn't have your phone, they can't get in.

2FA methods: from least to most secure

1. SMS (least secure)

A code is sent to your mobile by text message.

Advantage: Easy to set up, you don't need any app.

Problem: SMS can be intercepted through SIM swapping (an attacker convinces your operator to transfer your number to another SIM).

2. Authentication app (recommended)

An app generates temporary 6-digit codes that change every 30 seconds.

Popular apps:

  • Google Authenticator
  • Microsoft Authenticator
  • Authy (allows cloud backup)

Advantage: It doesn't depend on your phone operator. Codes are generated locally.

3. Physical security key (most secure)

A USB device that you must physically connect to authenticate.

Examples: YubiKey, Google Titan

Advantage: Immune to phishing — the device verifies that you are on the real site. It is the most secure method that exists.

Disadvantage: It costs between €25 and €60, and you need to carry it with you.

How to enable 2FA on the most common services

Gmail / Google

  1. Go to myaccount.google.com/security
  2. Look for "2-Step Verification"
  3. Choose your method (app recommended)
  4. Scan the QR code with your app

Microsoft / Outlook

  1. Go to account.microsoft.com/security
  2. Select "Two-step verification"
  3. Follow the instructions

Instagram

  1. Settings → Security → Two-factor authentication
  2. Choose "Authentication app"
  3. Scan the QR code with your app

WhatsApp

  1. Settings → Account → Two-step verification
  2. Set up a 6-digit PIN

Banks

Most Spanish banks already implement mandatory 2FA for sensitive operations. Check the security settings of your online banking.

Recovery codes: don't lose them

When enabling 2FA, most services will give you recovery codes. They are your plan B if you lose access to your second factor (for example, if you lose your phone).

Tip: Save these codes in a safe place — not on the same phone where you have the authentication app. Options:

  • In a password manager
  • Printed in a safe place
  • On an encrypted USB

Common mistakes with 2FA

  1. Enabling only SMS — Better than nothing, but vulnerable to SIM swapping
  2. Not saving recovery codes — If you lose your phone, you lose access
  3. Enabling 2FA only on email — Enable it on all services that allow it
  4. Thinking 2FA makes a good password unnecessary — They are complementary, not substitutes

Is 2FA infallible?

No. No system is 100% secure, but 2FA makes an attack enormously more difficult. An attacker no longer needs only your password (which they can obtain from a leak); they also need your physical device.

According to Google, enabling 2FA blocks 100% of automated bots, 99% of mass phishing attacks, and 90% of targeted attacks.
The first step is to know if your passwords are already leaked. Check for free with SecuryBlack and enable 2FA where it's most urgent.