Security Guide

How to Set Up Two-Factor Authentication on Every Account (2026)

Step-by-step instructions for enabling 2FA on Gmail, Microsoft, Apple, GitHub, AWS, Slack, and more. Includes backup code management.

Sarah Chen · CISSP · CompTIA Security+ · Lead Security Editor

Lead Security Editor · San Francisco, CA

Before You Start

Before enabling 2FA on your accounts, you'll need:

  1. An authenticator app installed on your phone. We recommend Authy (multi-device backup) or Google Authenticator (simple, free).
  2. A secure place to store backup codes — your password manager is ideal.
  3. 10-15 minutes to complete the most critical accounts.

Important: Always save your backup/recovery codes. If you lose your phone and don't have backup codes, you may be permanently locked out of your accounts.

Priority Order

Set up 2FA in this order — email first, because email is the recovery method for almost everything else:

  1. Email (Gmail, Outlook)
  2. Password Manager
  3. Cloud Storage (Google Drive, iCloud, Dropbox)
  4. Work Tools (Slack, GitHub, AWS)
  5. Financial Accounts
  6. Social Media

Gmail / Google Account

  1. Go to myaccount.google.com/security
  2. Under "How you sign in to Google," click 2-Step Verification
  3. Click Get Started
  4. Choose Authenticator app
  5. Scan the QR code with your authenticator app
  6. Enter the 6-digit code to verify
  7. Save the backup codes — Google gives you 10 one-time codes

Tip: Google also supports passkeys and security keys. After setting up your authenticator app, consider adding a passkey as your primary method and keeping the app as backup.

Microsoft / Outlook

  1. Go to account.microsoft.com/security
  2. Click Advanced security options
  3. Under "Additional security," click Turn on next to Two-step verification
  4. Follow the prompts to add the Microsoft Authenticator app
  5. Scan the QR code and verify with a test code
  6. Save the recovery code provided

Tip: Microsoft Authenticator supports passwordless sign-in for Microsoft accounts — you approve a push notification instead of typing a password.

Apple ID / iCloud

  1. On iPhone/iPad: Settings > [Your Name] > Sign-In & Security > Two-Factor Authentication
  2. On Mac: System Settings > [Your Name] > Sign-In & Security > Two-Factor Authentication
  3. Follow the prompts — Apple uses your trusted devices as the second factor
  4. Add a trusted phone number as backup

Note: Apple's 2FA sends codes to your trusted Apple devices. This is different from authenticator apps but is still effective.

GitHub

  1. Go to Settings > Password and authentication
  2. Under "Two-factor authentication," click Enable
  3. Choose Set up using an app
  4. Scan the QR code with your authenticator app
  5. Enter the verification code
  6. Download and save your recovery codes
  7. Optional: Add a security key (YubiKey) for phishing-resistant 2FA

Critical for developers: If you lose access to your GitHub 2FA without recovery codes, you may lose access to all your repositories. Store recovery codes securely.

Slack

  1. Click your profile photo > Profile
  2. Click More > Account settings (opens browser)
  3. Under "Two-Factor Authentication," click Expand
  4. Click Set Up Two-Factor Authentication
  5. Enter your Slack password, then scan the QR code

Note: This is per-workspace. If you're in multiple workspaces, enable it on each one.

AWS (Amazon Web Services)

  1. Sign in to the AWS Console
  2. Click your account name > Security credentials
  3. Under "Multi-factor authentication (MFA)," click Assign MFA device
  4. Choose Authenticator app
  5. Scan the QR code and enter two consecutive codes to verify

Critical: For AWS root accounts, also consider a hardware security key. Compromised AWS accounts can result in enormous charges.

Managing Backup Codes

Every service that offers 2FA provides backup codes. Here's how to manage them:

  1. Store in your password manager — Create a secure note for each service's backup codes
  2. Print a physical copy — Store in a safe or secure location at home
  3. Never store in plain text — Don't keep them in an unencrypted file or email draft
  4. Use and replace — When you use a backup code, generate new ones immediately

What About Passkeys?

Passkeys are the future of authentication — they replace both passwords and traditional 2FA with a single cryptographic credential stored on your device. In 2026, passkeys are supported by Google, Apple, Microsoft, GitHub, and many other services.

If a service offers passkeys, use them. They're more secure than passwords + authenticator app and more convenient. Keep your authenticator app as a backup method.

How We Verified

All setup instructions were tested and verified on current app/service versions in April 2026. Screenshots and steps may differ slightly as services update their interfaces. Security recommendations are based on NIST SP 800-63B and FIDO Alliance guidelines.

Sources & Citations

  1. Google: Verification in 2 steps — support.google.com. https://support.google.com/accounts/answer/185839
  2. Microsoft: Set up multi-factor authentication — support.microsoft.com. https://support.microsoft.com/en-us/account-billing/set-up-an-authenticator-app
  3. FIDO Alliance: Passkeys — fidoalliance.org. https://fidoalliance.org/passkeys/
  4. NIST SP 800-63B: Digital Identity Guidelines — Authentication. https://csrc.nist.gov/publications/detail/sp/800-63b/final
  5. CISA: Implementing Strong Authentication. https://www.cisa.gov/mfa