TL;DR
- Two habits stop the great majority of personal account compromise: a unique strong password on every account (which only a password manager makes realistic), and a second factor of authentication.
- A password is something you know. A second factor is something you have (a phone, a key) or something you are (a fingerprint, a face). The attacker who steals one of these still needs the others.
- Use an authenticator app, not text-message codes, where you have the choice — texts can be intercepted by SIM-swap attacks.
- Passkeys are the new direction. They replace passwords with something safer that is also easier to use. Adopt them on accounts that offer them.
- The single highest-leverage account in your life is your email. Protect it like a passport. Everything else can be reset from it.
What it is
When you sign in to almost anything online, the system needs to know you are who you claim to be. The traditional way is a password — a secret only you should know. The problem with passwords is well known by now: people reuse them, write them down badly, and pick weak ones. Attackers count on this.
Two-factor authentication (2FA, sometimes called multi-factor or MFA) adds a second proof: something only the real you should have. Most commonly:
- A six-digit code from an authenticator app on your phone (Google Authenticator, Microsoft Authenticator, Authy, Aegis on Android, FreeOTP).
- A code sent by SMS — convenient, but the weakest of the common options because phone numbers can be hijacked.
- A push notification on an app you already trust ("Was this you trying to sign in?").
- A security key — a small physical device that plugs into a USB port or taps on your phone (YubiKey, Google Titan, Nitrokey).
- A passkey — a newer cryptographic credential stored on your phone or computer that replaces the password entirely. You unlock it with your fingerprint or face, and the device proves your identity to the website. No password to steal.
Even an attacker who somehow gets your password cannot sign in without the second factor. That single step blocks the majority of account compromise.
How to pick a strong password
The rules have changed, and the old advice was mostly wrong.
- Long beats complicated. A 16-character passphrase made of four random words is stronger than an 8-character mix of symbols. Attackers run vast password-guessing rigs; length matters more than punctuation.
- Unique per account, always. If one website's database is stolen and your password leaks, every other account where you used the same password is now reachable. This is how most non-targeted account compromise actually happens.
- Don't include personal information an attacker could find or guess: your dog's name, your birth year, your favourite team, your child's name plus year of birth.
- Don't follow predictable patterns. "Spring2025!" was on a password-cracking dictionary before it was on your monitor.
- Don't reuse, even with small variations. MyPassword1 and MyPassword2 are treated as the same password by attackers.
The only realistic way to keep dozens of unique strong passwords is a password manager. See Password Managers Explained for how to choose one.
How to pick a second factor
In order of strength, for ordinary people:
- Passkey. Where offered, this is the best. No password at all. Phishing-resistant by design.
- Hardware security key. A small physical device. Phishing-resistant. Best for email and bank accounts. The cost (€25–€60 each, ideally two so you have a backup) is justified by the protection it gives your email and money.
- Authenticator app. A free app on your phone that generates a fresh six-digit code every 30 seconds. Strong, easy, widely supported.
- SMS code. Better than nothing. Vulnerable to SIM-swap attacks. Use it only when no other option is offered; move off it as soon as the platform supports better.
- "Approve this sign-in" push. Convenient, but watch for MFA-fatigue attacks — repeated push prompts you didn't request, hoping you'll tap "approve" out of habit. Never approve a sign-in you didn't trigger.
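What an authenticator app actually does when it shows you a six-digit code, as an added worked example (not code from this guide or from any app or key vendor named in it): at enrolment the phone and the website share one secret, and from then on both compute the same code from the current 30-second window, with no network between them. The secret below is the published RFC 6238 test value, not a real one.

```python
# Added example: a six-digit TOTP code per RFC 6238 (time-based) built on
# RFC 4226 (HOTP). The same arithmetic runs on the website's side, which is
# why phone and server agree even though the phone is offline.
import base64
import hmac
import hashlib
import struct
import time

# The secret the website shows you as a QR code when you enrol the app.
# This is the RFC 6238 test secret ("12345678901234567890"), base32-encoded;
# a real one is random and is never shown again after enrolment.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

TIME_STEP = 30   # seconds per code, as the guide describes
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: int, step: int = TIME_STEP) -> str:
    """RFC 6238: the counter is simply how many 30-second steps have elapsed."""
    secret = base64.b32decode(secret_b32, casefold=True)
    return hotp(secret, at // step)


def verify(secret_b32: str, submitted: str, now: int, skew: int = 1) -> bool:
    """Server-side check. Allows +/-1 step of clock drift between phone and
    server, and compares in constant time so a wrong guess is not measurably
    faster to reject than a right one."""
    return any(
        hmac.compare_digest(totp(secret_b32, now + d * TIME_STEP), submitted)
        for d in range(-skew, skew + 1)
    )


if __name__ == "__main__":
    now = int(time.time())
    print("code right now:", totp(DEMO_SECRET_B32, now))
    print("seconds until it changes:", TIME_STEP - now % TIME_STEP)
```

Because the code depends only on the secret and the clock, a code seen once is useless to an attacker 30 seconds later, and someone who only has your password still cannot produce it.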
Set this up — in this order
If you do nothing else this week, do this. Find a quiet hour and a coffee.
- Your main email account first. This is the master key. Set a strong unique password. Turn on the strongest 2FA available. Add a recovery method that is not your phone number alone.
- Your bank, and any payment account (PayPal, Wise, Revolut, Stripe).
- The account that holds your password manager itself, with the strongest 2FA you can use.
- Government and tax accounts.
- Your social-media accounts, because they are often used to phish your friends and family if compromised.
- Your phone carrier account, with a port-out PIN if your carrier offers one — to make SIM-swap harder.
- Major shopping accounts, especially any that store delivery addresses or default payment methods.
Once those are done, the rest of your accounts can be migrated gradually as you log in to them.
What about backup codes?
When you turn on 2FA, the platform almost always offers a set of backup codes — short strings you can use if your phone is lost. Print them. Put them somewhere safe — a drawer, a safe, a folder in the family papers. Do not keep them as a screenshot on your phone or as a note in your email, both of which can be compromised together with the account.
If a platform allows you to register two security keys, register two: one you use every day, one stored at home. Losing your only key locks you out of your account just as effectively as losing your password.
Set up "in case I lose my phone"
Plan for losing the phone, because eventually you will.
- Write down (on paper) which accounts use authenticator app codes and where the backup codes for each are stored.
- Make sure you can recover your email from a recovery email or recovery phone, with neither being only your current phone.
- Tell one trusted person where the backup codes are stored — not what they are, just where.
- Consider using an authenticator app that supports encrypted cloud backup, so that getting a new phone restores your codes without losing access. (Authy, Microsoft Authenticator, Google Authenticator now support this; many people prefer self-hosted alternatives like Aegis for the same reason.)
What NOT to do
- Don't reuse passwords across sites. This is the single most common cause of cascading compromise.
- Don't store passwords in plain text — in a notes app, in an email draft, on a sticky note on the monitor. A password manager is the safe place.
- Don't share your password with family for shared accounts — use the platform's family-sharing feature, or share through the password manager's secure sharing.
- Don't text yourself a backup code or store backup codes in a cloud notes app on the same account they protect.
- Don't dismiss SMS 2FA as useless — it is much better than nothing, and stops most opportunistic attacks. Move to a stronger method when you can; don't refuse 2FA because the only option is SMS.
- Don't approve a push notification you did not start yourself. If the prompts won't stop, change your password immediately — someone has it.
- Don't enter a code anywhere except the page you started signing in on. Codes get phished too. A polite person on the phone asking you to "confirm the code you just received" is almost always an attacker.
Use AI to help you
A few prompts that work well:
Audit your habits:
"I'd like to assess my current password and 2FA setup. I'll describe my habits: [where I store passwords, whether I reuse them, what 2FA I have on my email, bank, social accounts]. Please tell me (a) my biggest risk, in plain language, (b) the three changes that would give me the most protection for the least effort, and (c) the order to do them in."
Choosing a method:
"I am setting up two-factor authentication on [account name]. The options offered to me are [list them]. Which one is the strongest, which is the most convenient, and which strikes the best balance? Explain in plain language; assume I'm not technical."
A reminder: AI cannot see your accounts. The answers it gives you are general — verify the steps with the platform's official help page before changing security settings.
Who to call
This card is preventive, not reactive — there's no one to call when you set things up well. But if something goes wrong while you're configuring 2FA:
Find the latest contacts for your country with AI:
"I'm in [your country] and I want to set up — or recover — strong authentication on my most important accounts. List the official sources I should consult: the national cybersecurity centre's free 2FA guide, the data-protection authority's guidance on authentication best practice, the major platforms' account-recovery pages (Google, Microsoft, Apple, Meta, my bank, my email provider), my phone carrier's account-PIN / port-out-protection page, and a reputable supplier of hardware security keys (YubiKey, Google Titan, Nitrokey) that ships to my country. For each, give the official URL. Cite each source. Flag anything that may be outdated, and note any specific guidance on passkeys in my jurisdiction."
- The platform's account-recovery flow is always the first step. Search for "[platform] account recovery."
- Your phone carrier if you suspect any SIM-related interference during the setup.
- National cybersecurity centres publish free guides on 2FA setup — useful when you want a second opinion. UK NCSC (ncsc.gov.uk), German BSI für Bürger (bsi.bund.de), Swiss BACS (ncsc.admin.ch), CNIL in France, INCIBE in Spain, and the equivalent office for cyber and information security in many other countries.
When to escalate beyond chat
- You can no longer access your email — go straight to the platform's recovery flow; this can take days. If recovery fails, file a police report (it helps unlock manual review by the platform) and, while you wait, change passwords on every other account that uses that email as recovery.
- You set 2FA up and now you're locked out, no backup codes, no second device — most platforms have a slower "identity verification" recovery flow that involves uploading ID. Be patient and follow it; do not buy services that claim to "unlock" accounts for a fee.
- You suspect someone is performing MFA-fatigue on you — repeated unwanted prompts on your phone — change the password immediately and turn off SMS / push 2FA in favour of an authenticator app or a security key.
Related topics
- Password Managers Explained — how to choose and trust one.
- "I've Been Hacked" — what to do when these defences are bypassed.
- Phishing & Scam Emails — the most common way a strong password is stolen anyway.
- "Your Data Was Leaked" — why unique passwords matter even more when companies you used five years ago leak your old credentials.