By At Ease Online · Updated May 2026 · 7 minute read
Two-Factor Authentication Explained
A password alone is no longer enough to keep your accounts safe. Two-factor authentication adds a second check, so even if someone gets hold of your password, they still cannot get in without you knowing.
What is two-factor authentication?
When you log in to an account, you normally enter a username and password. That is one factor - something you know. Two-factor authentication (often called 2FA or two-step verification) adds a second check on top of that - something you have, usually your phone.
The idea is simple: even if a fraudster somehow obtains your password - through a data breach, a scam email, or by guessing it - they would also need access to your phone to complete the login. Most criminals do not have your phone, so the attempt fails and you stay protected.
A useful comparison: Think of it like a bank card. To use it, you need both the card itself and the PIN. Having one without the other gets you nowhere. Two-factor authentication works the same way for your online accounts.
The three main types.
Text message (SMS) code
When you log in, the service sends a six-digit code to your mobile number. You enter that code to complete the sign-in. This is the most widely used method and is straightforward to set up. It is a significant improvement over no 2FA at all, though it is worth knowing that a determined attacker could theoretically intercept an SMS - which is why some accounts recommend an app instead.
Authenticator app
Apps like Google Authenticator or Microsoft Authenticator generate a fresh six-digit code every 30 seconds directly on your phone, without needing a mobile signal. Once set up, they work even if you are abroad or without mobile coverage. They are slightly more involved to configure but offer stronger protection and are worth considering for email and financial accounts.
Email code
Some services send a code to your email address instead of your phone. This is better than nothing but less ideal - if someone has already gained access to your email account, this method would not stop them.
Which accounts should have it.
You do not necessarily need to enable 2FA on every account you have, but the following are genuinely important:
Your main email account. Email is the master key — password resets for almost everything else go there. This is the one account that should always have 2FA.
Online banking. Most UK banks now apply their own form of two-factor authentication automatically, but it is worth checking your security settings to be sure.
Apple ID or Google account. These accounts hold your photos, contacts, and app purchases. Losing access, or having someone else gain it, could be extremely disruptive.
Amazon and other shopping accounts. These often have your payment details saved. An account takeover could result in fraudulent orders or worse.
Social media. Less critical than the above, but a hijacked Facebook or WhatsApp account can be used to scam your contacts.
How to set it up.
The exact steps vary by service, but the process follows the same pattern almost everywhere.
On Gmail (Google account)
1. Sign in to your Google account at myaccount.google.com and click Security in the left-hand menu.
2. Under the "How you sign in to Google" section, select 2-Step Verification and click Get started.
3. Follow the prompts to add your phone number. Google will send a test code to confirm it works.
4. Once confirmed, 2-Step Verification will be turned on. The next time you sign in on a new device, you will be asked for a code after your password.
On an Apple ID (iPhone or iPad)
1. Go to Settings, tap your name at the top, then select Sign-In & Security.
2. Tap Two-Factor Authentication and follow the steps to turn it on.
3. Apple will send verification codes to your trusted phone number or to other Apple devices you are signed in to.
On other services
For most websites and apps, go to Settings → Security (or Account → Privacy) and look for an option labelled Two-factor authentication, Two-step verification, or 2FA. If you cannot find it, searching the service name plus "how to turn on 2FA" will usually bring up a clear guide.
What happens if you get locked out?
The most common worry people have about 2FA is: what if I lose my phone or change my number? This is a fair concern, and it is why backup options matter.
Always save your backup codes. When you set up 2FA on most services, you will be offered a set of one-time backup codes. Write these down on paper and keep them somewhere safe — not on your phone. These codes will get you back into your account if you ever cannot receive the usual code.
It is also worth making sure your account has an up-to-date recovery email address or phone number. If you change your mobile number, update your accounts before you lose access to the old one.
For Gmail specifically, Google offers a number of account recovery options and will work through a verification process if you are locked out. Apple has a similar account recovery process. Neither is instant, but both are manageable if your account details are current.
A word on the codes themselves.
A few things worth knowing about how these codes work:
Codes are for you only. The code arrives because you are trying to log in. If you receive one you did not request, it means someone else is attempting to access your account - change your password.
Never share a code with anyone. A genuine bank, company, or service will never call and ask you to read out a code you have just received. If someone does, it is a scam — hang up immediately.
They expire quickly. SMS and authenticator codes are only valid for a short window — usually 30 seconds to a few minutes. Nobody can reuse an old code.
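
For readers who want to see why authenticator codes change every 30 seconds and cannot be reused, here is an added example (not part of the original guide or any vendor's code) of the TOTP standard (RFC 6238) that authenticator apps such as those named above implement. The `Verifier` class, the one-step drift allowance and the sample secret (the RFC's published test key) are assumptions for illustration.

```python
import base64, hashlib, hmac, struct

STEP = 30      # seconds each code stays current
DIGITS = 6     # length of the code shown in the app

def totp(secret_b32: str, unix_time: int) -> str:
    """RFC 6238 code for the 30-second step containing unix_time."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", unix_time // STEP)   # time step as 8-byte counter
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

class Verifier:
    """Hypothetical server side: accepts each code once, within +/- drift steps."""
    def __init__(self, secret_b32: str):
        self.secret = secret_b32
        self.last_step = -1        # highest time step already accepted

    def check(self, code: str, now: int, drift: int = 1) -> bool:
        current = now // STEP
        for step in range(current - drift, current + drift + 1):
            if step <= self.last_step:
                continue           # this step was already used: replay rejected
            if hmac.compare_digest(totp(self.secret, step * STEP), code):
                self.last_step = step
                return True
        return False               # wrong code, or outside the valid window

# Constructed sample: base32 of the RFC 6238 test key "12345678901234567890"
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def demo() -> dict:
    server = Verifier(SECRET)
    code = totp(SECRET, 59)                               # phone computes this offline
    return {
        "code": code,
        "first_use": server.check(code, now=59),          # accepted
        "replay": server.check(code, now=61),             # same code again: refused
        "stale": Verifier(SECRET).check(code, now=179),   # two minutes later: refused
    }

if __name__ == "__main__":
    print(demo())
```

The phone and the service share the secret once at setup (the QR code), after which both sides derive the same code from the clock alone, which is why no mobile signal is needed.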
One Final Note
You can't always have someone beside you to check whether something is safe. But once the right things are set up properly, you can log in and get on with your day knowing your accounts are protected.
That's where we come in.
This guide is for general information. If you believe your account has been accessed without your permission, contact the service provider directly and report it to Action Fraud on 0300 123 2040, or visit reportfraud.police.uk.