Even a strong, unique password can be stolen — through phishing, a data breach, or someone watching over your shoulder. Two-factor authentication adds a second step to your login so that a password alone isn't enough to get in.

You've already used it, even if you didn't know it had a name. When your bank texts you a code to confirm it's really you — that's two-factor authentication.

How it works

The idea is that logging in requires something you know (your password) and something you have (your phone). Even if someone steals your password, they can't log in without also having access to your phone. That combination is much harder to beat than a password alone.

The most common forms are text message codes, email codes, and authenticator apps. Text message codes are the most familiar — not the strongest, but far better than nothing. Authenticator apps like Google Authenticator or Microsoft Authenticator generate a fresh six-digit code every 30 seconds and are a step up in security.
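To show where an authenticator app's six-digit, 30-second code comes from, here is an added example (not part of the original article) of the standard TOTP calculation from RFC 6238, plus the check a site runs when you type the code in. The shared secret is the RFC's published test key, and the function names are illustrative.

```python
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30  # a fresh code every 30 seconds
DIGITS = 6         # six-digit codes

# Constructed sample secret: the published RFC 6238 test key. A real secret is
# random and is shared once, usually by scanning a QR code during setup.
RFC_TEST_KEY = b"12345678901234567890"


def code_for_counter(secret: bytes, counter: int) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte picks a 4-byte window
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def totp(secret: bytes, unix_time: float) -> str:
    """TOTP (RFC 6238): the counter is the number of 30-second steps since 1970."""
    return code_for_counter(secret, int(unix_time) // STEP_SECONDS)


def verify(secret: bytes, submitted: str, unix_time: float, drift_steps: int = 1) -> bool:
    """Site-side check: accept the current step and its neighbours (clock drift)."""
    current = int(unix_time) // STEP_SECONDS
    ok = False
    for counter in range(current - drift_steps, current + drift_steps + 1):
        if counter < 0:
            continue
        expected = code_for_counter(secret, counter)
        # Constant-time comparison, and no early exit, to avoid timing leaks.
        ok |= hmac.compare_digest(expected.encode(), submitted.encode())
    return ok


if __name__ == "__main__":
    now = time.time()
    remaining = STEP_SECONDS - int(now) % STEP_SECONDS
    print(f"current code: {totp(RFC_TEST_KEY, now)} (valid for {remaining}s more)")
```

The phone and the site each compute the code from the same secret and the current time, so nothing is sent to the phone at login. A site should also rate-limit guesses and reject a code that has already been used.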

Where to turn it on

Start with your email account. Go into Settings, find the Security or Sign-In section, and look for "Two-Step Verification" or "Two-Factor Authentication." Turn it on and follow the steps. Then do the same for your bank and any other accounts that matter.

Most major sites support it now. If you don't see the option in settings, a quick search for "[site name] two-factor authentication" will usually point you in the right direction.

One thing to keep in mind

When you set up two-factor authentication, you'll often be given backup codes. Save these somewhere — a printed copy in a safe place, or your password manager. If you lose access to your phone, these are how you get back into your account. Don't skip this step.
