Passwords are fundamentally broken as a sole defence. Not because strong passwords don't exist — they do — but because even a strong password can be exposed through a data breach, phished by a convincing email, or guessed through automated attacks. When a password is the only thing between an attacker and your account, the attacker only has to win once.
Two-factor authentication (2FA) changes that equation fundamentally.
What two-factor authentication actually is
Authentication factors fall into three categories: something you know (a password), something you have (a phone or hardware key), and something you are (a fingerprint or face scan). Single-factor authentication means you only prove one of these. Two-factor means you prove two.
In practice, 2FA usually works like this: you enter your password as usual, and then you're asked for a second piece of verification — a code sent to your phone, a code generated by an app, or a push notification you approve. Even if someone has your password, they can't get in without also having access to your second factor.
Types of 2FA — not all are equal
SMS codes (text messages)
The most common form. A six-digit code is sent to your phone number. It's significantly better than no 2FA at all. However, it has a known weakness: SIM swapping, where an attacker convinces your carrier to transfer your number to a new SIM. For most people and most accounts, SMS 2FA is adequate. For high-value accounts, use something stronger.
Authenticator apps
Apps like Google Authenticator, Authy, or Microsoft Authenticator generate time-based codes locally on your device from a secret shared with the service when you scan the QR code. The code never travels over the phone network, so SIM swapping and text-message interception don't help an attacker. This is the recommended standard for most business accounts. Two minutes to set up. More secure than SMS.
Hardware security keys
Physical devices (like a YubiKey) that you plug in or tap to authenticate. The most secure form of 2FA — essentially impossible to phish, because the key only answers the site it was registered with, so a look-alike login page gets nothing useful. Recommended for your highest-sensitivity accounts: primary email, domain registrar, hosting, bank. Costs around $50–$100 for a key.
Google's own research found that adding 2FA to an account blocks the overwhelming majority of automated account takeover attacks. Most account compromises target accounts without it. This is the single most impactful security change most businesses can make today.
Where to enable 2FA — prioritised
- Your primary email account — your email is the master key. Password resets for almost everything else go through it. If this account is compromised, everything is.
- Your domain registrar — losing control of your domain is catastrophic. GoDaddy, Namecheap, Cloudflare — all support 2FA.
- Your hosting account — access to hosting gives an attacker access to your website and potentially your customer data.
- Your Google Workspace or Microsoft 365 — if your business runs on either, they're critical infrastructure.
- Your banking and payment accounts — Stripe, your business bank, any financial service.
- Your social media accounts — especially LinkedIn, where business email compromise often starts.
How to set it up
- Go to the security settings of the account you want to protect
- Look for "Two-factor authentication," "Two-step verification," or "Login verification"
- Choose your method (authenticator app recommended)
- If using an app: download Google Authenticator or Authy, scan the QR code shown on screen
- Enter the code displayed in the app to confirm it's working
- Save your backup codes somewhere secure
That's it. Five minutes. Do this for your top three accounts today.
When you set up 2FA, most services give you a set of backup codes for use if you lose access to your second factor. Save these in your password manager or store them somewhere physically secure. Losing your second factor without backup codes can mean permanent lockout.
Want a security walkthrough for your business accounts? Book a free call. We'll review your setup and tell you where the most important gaps are — including which accounts need 2FA right now.