Two factor authentication setup, without getting locked out

Here's the whole thing up front: a good two factor authentication setup is an authenticator app for the codes, not SMS, plus your backup codes saved somewhere safe before you walk away from the screen. That second half is the bit everyone skips, and it's the bit that bites. People turn on 2FA, feel safer, then lose or smash the phone six months later and discover the spare key was on the phone too. Now they're locked out of their own email, arguing with a support bot for a week. Two-factor is genuinely the single best thing you can do to stop your accounts getting taken over. It just has a trapdoor, and this is how you set it up so you never fall through it.

Why two-factor is worth the five minutes

A password alone is one wall, and walls fall over. Yours might be in a leak from some site you forgot you signed up to, or guessable, or reused across ten logins so one breach opens the lot. Two-factor adds a second wall the attacker can't climb from the other side of the world: even with your password, they need the code on your phone. That's the whole idea, and it works. The catch is that the same second factor that locks attackers out can lock you out if you don't plan for losing it. So we set it up to be both strong and recoverable, not one or the other.

Use an authenticator app, not SMS

If you take one position from this piece, take this one: text-message codes are the weakest form of 2FA, and you should move off them wherever you can. They feel convenient because the code just arrives, but there are three real problems.

First, SIM-swap fraud. A scammer rings your telco, spins a story, and gets your number ported to a SIM in their hand. From that second, every SMS code goes to them. It's not exotic, it happens to ordinary people, and the target is usually the email or the bank. Second, SMS can be intercepted in transit. Third, and very Australian: no signal, no code. Plenty of the country runs on patchy mobile coverage, and if you're somewhere with one bar and the bank texts a code that never lands, you're locked out by geography.

An authenticator app fixes all three. It generates a fresh six-digit code every thirty seconds, on the phone, using a secret that was set once when you scanned the QR code. No SIM, no signal, no carrier in the loop to be tricked. It works on a plane and it works in a paddock. Any of the common ones do the same job; the brand matters far less than the fact that you've moved off SMS. Use SMS only for accounts that stubbornly offer nothing else, and switch them the day they catch up.
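To make "a secret set once, a fresh code every thirty seconds" concrete, here is a small authenticator written for this explanation. It is an added example, not code from the original post: it decodes the otpauth:// URI that the setup QR code carries (the "Example Bank" URI is constructed for this example and uses the RFC 4226 reference secret), generates the six-digit code from the secret and the phone's clock alone, and shows the check the service does on its side with a one-step allowance for clock drift. It also covers the "scan the QR code" step in the turn-it-on order further down, since that scan is just this URI being read.

```python
# Added example: a minimal RFC 4226/6238 authenticator in pure Python.
# Not code from the article; it shows what the app on your phone does with
# the secret it captured from the QR code. EXAMPLE_URI is constructed for
# this example, using the RFC 4226 reference secret "12345678901234567890".
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """HMAC-based one-time password (RFC 4226): HMAC the counter, then truncate."""
    digest = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation offset
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros


def totp(secret: bytes, at: Optional[int] = None, period: int = 30,
         digits: int = 6, algorithm: str = "sha1") -> str:
    """Time-based code (RFC 6238): the counter is the number of 30-second steps
    since the Unix epoch, so only the clock is needed, not a SIM or a network."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // period, digits, algorithm)


def parse_otpauth(uri: str) -> dict:
    """Decode the otpauth://totp/... URI that a setup QR code carries."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    label = unquote(parsed.path.lstrip("/"))         # "Issuer:account" or just "account"
    issuer_from_label, account = label.split(":", 1) if ":" in label else ("", label)
    secret_b32 = params["secret"].upper().replace(" ", "")
    secret_b32 += "=" * (-len(secret_b32) % 8)       # restore base32 padding if stripped
    return {
        "issuer": params.get("issuer", issuer_from_label),
        "account": account,
        "secret": base64.b32decode(secret_b32),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
        "algorithm": params.get("algorithm", "SHA1").lower(),
    }


def verify_totp(secret: bytes, code: str, at: int, period: int = 30,
                digits: int = 6, algorithm: str = "sha1", window: int = 1) -> bool:
    """Service-side check: accept the current step plus `window` steps either
    side to tolerate a slightly wrong clock, comparing in constant time."""
    for step in range(-window, window + 1):
        candidate = hotp(secret, (at // period) + step, digits, algorithm)
        if hmac.compare_digest(candidate, code):
            return True
    return False


# Constructed enrolment URI, the kind of thing the QR code encodes.
EXAMPLE_URI = ("otpauth://totp/Example%20Bank:alice%40example.com.au"
               "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example%20Bank"
               "&digits=6&period=30")

if __name__ == "__main__":
    enrol = parse_otpauth(EXAMPLE_URI)
    print(enrol["issuer"], enrol["account"], "code right now:", totp(enrol["secret"]))
```

Run it and you get a code for the constructed account from nothing but the decoded secret and the system clock, which is the whole reason it works in a paddock. With the reference secret and a clock reading of 59 seconds past the epoch, the six-digit code is 287082, matching the RFC 6238 test vector; `verify_totp` accepts that code and the codes one step either side, and rejects anything else.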

The lockout trap, and the codes that save you

This is the part the setup wizards rush past and the part that matters most. When you turn on 2FA, the service shows you a list of backup codes, usually eight or ten one-time strings. They look like clutter. They are the spare key to your house. Each one logs you in once if you don't have your phone, and they are the difference between a five-minute fix and a week of account-recovery hell when the phone goes missing.

The mistake nearly everyone makes is to either ignore them, or screenshot them straight onto the same phone that's running the authenticator. Think that through: the day you lose that phone, you lose the code generator and the spare key, in one drop on the pavement. That's not a backup. That's both keys in the same lost wallet.
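As an added example (not the article's own code), this is roughly what the service on the other side keeps once it has shown you those eight or ten codes: nothing but salted hashes and a used flag. That is why a lost list can never be read back to you by support, and why each code logs you in exactly once. Everything in it is constructed for illustration; the code alphabet, the code format and the PBKDF2 round count are assumptions, not any particular service's settings.

```python
# Added example, not code from the article: how a service typically handles
# backup codes. The plaintext codes are returned exactly once for display;
# only salted hashes are stored, and a code is burned the first time it is used.
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field

# Letters and digits that are hard to misread or mistype from a printed page (assumption)
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
PBKDF2_ROUNDS = 100_000  # assumption for this example; real services tune this


def generate_backup_codes(count: int = 10, length: int = 10) -> list:
    """Make `count` random codes like 'k7mfp-3xq9w' from a CSPRNG."""
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        codes.append(raw[: length // 2] + "-" + raw[length // 2:])
    return codes


def normalise(code: str) -> str:
    """Accept the code however it was typed: case, spaces and dashes ignored."""
    return code.replace("-", "").replace(" ", "").lower()


def hash_code(code: str, salt: bytes) -> bytes:
    """Slow salted hash, so a leaked database does not hand out working codes."""
    return hashlib.pbkdf2_hmac("sha256", normalise(code).encode(), salt, PBKDF2_ROUNDS)


@dataclass
class BackupCodeStore:
    """What the service keeps for one account: a salt and [hash, used] pairs."""
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    entries: list = field(default_factory=list)

    def issue(self, count: int = 10) -> list:
        """Generate a fresh set, store only hashes, return plaintext for one-time display."""
        codes = generate_backup_codes(count)
        self.entries = [[hash_code(c, self.salt), False] for c in codes]
        return codes

    def redeem(self, code: str) -> bool:
        """Log in with a backup code: succeeds once per code, then it is burned."""
        target = hash_code(code, self.salt)
        match = None
        for entry in self.entries:          # scan every entry, no early exit
            if hmac.compare_digest(entry[0], target) and not entry[1]:
                match = entry
        if match is None:
            return False
        match[1] = True                     # one use only
        return True

    def remaining(self) -> int:
        return sum(1 for _, used in self.entries if not used)


if __name__ == "__main__":
    store = BackupCodeStore()
    shown_once = store.issue(8)
    print("Save these now, they will not be shown again:", *shown_once)
    print("first use:", store.redeem(shown_once[0]), "second use:", store.redeem(shown_once[0]))
    print("codes left:", store.remaining())
```

The one-time behaviour is the point: the second `redeem` of the same code fails, and `remaining` drops by one per successful use, which is why it pays to note how many you have left and regenerate the set when it runs low. The hashing also means the copy you saved is the only copy that exists in readable form.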

Here's where to actually put them, in order of how I'd do it:

  1. In your password manager, on the entry for that account. It's off the phone and it's already behind a second wall of its own.
  2. Printed on paper and kept somewhere safe, like a drawer or a safe.

Either works. What doesn't is a note or screenshot on the same phone that runs the authenticator.

If you notice that's the same logic as a proper data backup, you're paying attention. A second copy, kept somewhere the disaster can't reach. It's the exact thinking behind the plain-English backup primer, applied to your logins instead of your files. Same principle, same payoff: the spare copy is worthless until the day it's the only thing that saves you.

The order to turn it on

Don't try to do every account in one sitting and burn out at three. Work down from most damaging to least, and you'll have the important ones covered in twenty minutes.

  1. Your primary email, first, no exceptions. Email is the master key. Whoever owns your inbox can hit "forgot password" on nearly everything else and reset their way in. Most people leave email till last; it should be the first thing you lock. Save those backup codes for real.
  2. Your password manager. If it holds every other login, it earns a second wall straight after email.
  3. Banking and anything with money. Bank, super, PayPal, the lot. If a login can move a dollar, it gets 2FA.
  4. Anything that runs your business or your life. Your domain registrar, your website host, your socials, your accounting. For a small operator, losing the domain or the host can be as bad as losing the bank.
  5. Everything else, over time. Shopping, forums, the rest. Lower stakes, do them as you log in over the next few weeks.

For each one: turn on 2FA, choose the authenticator-app option, scan the QR code, and then save the backup codes before you click done. That last step is the one that turns a setup into a safe setup.

Plan for a new phone before you need one

Phones get lost, stolen, dropped in the dam, and upgraded. Decide now how your codes survive that, because the worst time to work it out is while you're standing in a phone shop locked out of your email.

Two honest approaches. One: use an authenticator that syncs or exports, so your codes back themselves up and restore onto a new phone when you sign in. Convenient, and fine for most people, with the trade-off that your codes now live in someone's cloud, so that account itself wants a very strong password and 2FA of its own. Two: use a local-only authenticator and lean on your backup codes plus re-adding each account by hand on the new phone. More private, more control, more manual. There's no single right answer; pick the one that fits how you live, and own the trade-off either way. What you don't get to do is have neither, run a local app with the codes nowhere else, and just hope the phone lasts forever.

A quick word on passkeys

You'll see "passkeys" offered more and more, and they're the better long-term answer where they exist. A passkey replaces the password outright with a cryptographic key tied to your device, and it can't be phished the way a typed-in code can, because there's nothing for a fake site to capture. They're still rolling out, so realistically you'll run both for a while. The move is simple: turn a passkey on wherever it's offered, keep your authenticator app for everything that doesn't support them yet, and save the backup codes regardless. Whatever the method, the recovery half is the bit people underdo. Don't.

What a setup that won't lock you out looks like

It's not complicated, it's just done properly. Codes from an app, never SMS where you can avoid it. The accounts that matter covered first, email at the very top. And for every one of them, the backup codes saved somewhere the lost phone can't take with it, in your password manager or printed in a drawer. Set up like that, losing your phone stops being a catastrophe and becomes an errand: grab a backup code, log in on the new phone, re-add the accounts, done. That's the whole game, the second wall that keeps the bad guys out and a spare key so it never keeps you out.

Two-factor is one piece of not losing your stuff. The bigger picture, protecting the data and the systems themselves, is set out in our cornerstone plain-English small business backup primer. The same instinct that makes you save a backup code is the one that makes you keep a backup that ransomware can't touch.

Two factor authentication setup: common questions

What is the best two factor authentication setup?
An authenticator app for the codes, plus the backup codes saved somewhere safe before you finish. The app generates the six-digit code on your phone with no signal and no SIM needed, which is more secure and more reliable than SMS. The backup codes are the spare key for the day the phone is lost, stolen or wiped. Skip either half and the setup is either weak or a lockout waiting to happen.
Is SMS two factor authentication safe enough?
It's better than nothing, but it's the weakest form and worth moving off. SMS codes can be intercepted, and SIM-swap fraud, where a scammer convinces your carrier to port your number to their SIM, hands them every code sent to it. On top of that, no signal means no code, which is a real problem in regional Australia. Use SMS only where an account offers no app option, and switch the moment it does.
What are backup codes and where should I keep them?
Backup codes are one-time recovery codes a service gives you when you turn on 2FA, so you can get in if you lose your phone. Save them in your password manager, or print them and keep the page somewhere safe like a drawer or a safe. Don't store them only in a note on the same phone that runs the authenticator: lose that phone and you lose the code and the spare key in one go. They're the single thing that stops 2FA becoming a lockout.
What happens if I lose the phone with my authenticator app?
If you saved your backup codes, you log in with one and re-add the account on a new phone. That's the whole point of them. If you didn't, you're into each service's account recovery, which can mean days of waiting, ID checks and sometimes losing the account for good. The fix is to never get there: save the backup codes when you set 2FA up, and use an authenticator that syncs or can be exported so a new phone restores your codes.
Which accounts should I turn two factor authentication on for first?
Your primary email first, every time, because it's the master key. Whoever controls your email can reset the password on almost everything else through forgot-password links. After email, do your password manager, then banking and any account tied to money, then anything that runs your business. Work down from most damaging if lost to least. Email is non-negotiable and it's the one most people leave until last.
Are passkeys better than two factor authentication?
Passkeys are the better long-term answer where they're offered, because they replace the password entirely and can't be phished the way a typed code can. They're still rolling out, so most people will run both for a while. The practical move is to enable a passkey wherever a service supports it, keep an authenticator app for everything that doesn't, and save the backup codes either way. Backup and recovery is the part everyone underdoes, whichever method you use.

Not sure your 2FA would survive losing your phone, or staring at a screen full of backup codes wondering what to do with them? That's worth sorting before you find out the hard way. Tell us what you're trying to protect and we'll help you set it up so it's locked down and you can still get in: no jargon, no scare tactics.