Two-Factor Authentication Setup Guide
A practical guide to enabling and configuring two-factor authentication across your accounts, with recommendations for the most secure methods.
A password alone is a single point of failure. If an attacker obtains it through phishing, a data breach, or brute force, they have full access to your account. Two-factor authentication (2FA) adds a second layer: even with your password, the attacker needs something else to log in.
Microsoft reports that MFA blocks over 99.9% of automated account compromise attacks. Enabling 2FA is one of the highest-impact security actions any individual or organization can take.
SMS-based 2FA sends a one-time code to your phone via text message. This is better than no 2FA but is the weakest method. Attackers can intercept SMS through SIM swapping (convincing your carrier to transfer your number to their SIM card), SS7 network vulnerabilities, or malware on your phone.
Authenticator apps (Google Authenticator, Microsoft Authenticator, Authy) generate time-based one-time passwords (TOTP) that change every 30 seconds. The app and the server share a secret seed during setup. They independently generate the same code based on the current time. This method is significantly more secure than SMS because codes are generated locally and not transmitted.
Hardware security keys (YubiKey, Google Titan, Feitian) are physical devices that plug into USB or communicate via NFC. They use the FIDO2/WebAuthn protocol, which is resistant to phishing because the key verifies the domain of the site before responding. Even if you enter your password on a phishing page, the key will not authenticate because the domain does not match.
Push notifications (Duo, Microsoft Authenticator push) send an approval prompt to your phone. You tap "Approve" to complete login. This is convenient but vulnerable to MFA fatigue attacks, where an attacker with your password repeatedly triggers push notifications until you accidentally approve one. Newer implementations show a number matching challenge to mitigate this.
Passkeys are the newest approach, replacing passwords entirely with FIDO2 credentials stored in your device's secure enclave or a password manager. They are phishing-resistant by design and do not require memorizing or typing anything.
Priority accounts to protect first: Email (your email is the recovery mechanism for everything else), financial accounts, cloud services, domain registrars, and social media.
Step-by-step for TOTP authenticator apps:
Step-by-step for hardware keys:
Use hardware keys for your most critical accounts. Use authenticator apps for everything else. Avoid SMS where possible, but use it if no other option is available, because SMS 2FA is still vastly better than no 2FA.
Always save recovery codes. If you lose your 2FA device, recovery codes are your emergency access method. Store them in your password manager or print them and secure them physically.
Do not run your TOTP app on the same device as your password manager. If that device is compromised, the attacker has both factors. Use a separate device for TOTP generation if your threat model warrants it.
For organizations: Enforce 2FA at the identity provider level (Okta, Azure AD, Google Workspace). Make it mandatory, not optional. Provide hardware keys to high-value targets (executives, IT admins, finance). Disable SMS as an option if possible. Implement number matching for push notifications.
Written by CDA Wiki Team