Two-factor authentication (2FA) is the single most impactful security improvement most people can make. According to Microsoft's own data, accounts with 2FA enabled are 99.9% less likely to be compromised through automated attacks.
How 2FA Works
Traditional login requires something you know: your password. 2FA adds a second factor: something you have (your phone) or something you are (a fingerprint). Even if an attacker has your password, they can't log in without also having access to your second factor.
Types of 2FA (From Weakest to Strongest)
SMS codes are the most common and the weakest form. A code is texted to your phone. Better than nothing, but SMS can be intercepted through SIM-swapping attacks where criminals convince your carrier to transfer your number to their SIM.
Authenticator apps (Google Authenticator, Authy, Microsoft Authenticator) generate time-based codes locally on your phone. Much better than SMS: the code is never sent over a network, so there is nothing for attackers to intercept in transit.
Hardware security keys (such as a YubiKey) are physical devices you plug into a USB port to authenticate. They are the strongest form available to consumers and are immune to phishing, because the key cryptographically verifies the website's domain before it will respond.
Which Accounts Need 2FA First
Prioritise in this order: email (most important, because password resets for everything else go there), banking and financial accounts, work email and systems, social media, and cloud storage (OneDrive, Google Drive, iCloud).
How to Set Up 2FA on Key Services
Gmail: Go to myaccount.google.com → Security → 2-Step Verification → Get started.
Microsoft/Outlook: Go to account.microsoft.com → Security → Advanced security options.
Commonwealth Bank, ANZ, Westpac, NAB: All Australian major banks now have 2FA enabled by default; confirm it is turned on in your app settings.
Don't Let 2FA Give False Security
2FA is a powerful second layer but not a complete solution. You still need strong, unique passwords: 2FA adds a layer on top of a password, it does not replace one. Some forms of 2FA can be bypassed through SIM-swapping or real-time phishing proxies that relay your code as you type it, so stay alert to suspicious login emails even with 2FA enabled.