- #security
- #2fa
- #passwords
- #small-business
Two-factor authentication, explained plainly
SMS codes, app codes, and hardware keys, ranked honestly, plus the three accounts to lock down first.

If someone gets your password, they get everything that password protects. That is the whole problem. Passwords leak all the time, through phishing, through reused logins showing up in breach dumps, through a glance over your shoulder at a coffee shop, and a password by itself has no backup plan.
Two-factor authentication is the backup plan. I'm studying for Security+ right now, and the textbook version is 'something you know plus something you have.' The plain version: your password stops working on its own. An attacker also needs a thing you physically hold, like your phone or a small key on your keychain. Steal one, and they still need the other.
Here is how the options actually stack up, and where to turn them on first.
The three kinds, ranked honestly
Third place: SMS codes. The site texts you a six-digit code. This is the weakest version because phone numbers can be stolen. It's called a SIM swap: an attacker convinces your carrier to move your number to their SIM card, and your codes start going to them. It happens to regular people, not just celebrities. That said, SMS still stops the most common attack, which is someone far away trying your leaked password. If SMS is the only option a site offers, turn it on anyway. Weak 2FA beats no 2FA every time.
Second place: app codes. An authenticator app on your phone, like Google Authenticator, Microsoft Authenticator, or Aegis, generates a fresh six-digit code every 30 seconds. No text message involved, so a SIM swap gets the attacker nothing. This is the sweet spot for most people: free, works offline, supported almost everywhere. The tradeoff is setup friction. You scan a QR code once per site, and you have to save the backup codes the site gives you, because losing your phone without them means getting locked out of your own accounts. I keep mine printed on paper in a drawer. Not fancy, but it works.
First place: hardware keys. A small USB or NFC key, YubiKey being the common brand. You tap it to log in. This is the only option on this list that beats phishing outright. A fake login page can trick you into typing a password and even an app code, but the key checks the real site's identity and simply won't authenticate to an imposter. The tradeoffs are real: keys cost money, you should buy two so a lost one doesn't lock you out, and some smaller sites don't support them. For most small business owners, app codes are enough. Buy keys when your accounts become worth targeting specifically.
Turn it on here first
Not every account matters equally. Do these in order:
- Your email. This is the master key. Every other account sends its password resets there. If an attacker owns your email, they own your bank, your Instagram, everything. Email gets 2FA first, no exceptions.
- Your bank. Obvious reasons. Many banks sadly only offer SMS. Turn it on anyway.
- Your domain registrar and hosting. If you own a website, this one is easy to forget and expensive to learn. Whoever controls your registrar account can point your domain anywhere, read your business email, or hold the domain hostage. When I set up a site for a local business, this account gets 2FA before the site even goes live.
- Whatever runs your business day to day. For a nail salon, that is the booking system and Instagram. For a landscaper, maybe the Google Business Profile and the invoicing app. Ask yourself which login going down would cost you customers this week. That one's next.
Everything else you can work through as you have patience. A stolen forum account is annoying. A stolen email account is a disaster.
What 2FA does not fix
I want to be straight about the limits. 2FA doesn't make a weak, reused password fine, and app codes can still be phished by a fake page that relays your code to the real site in real time, so the habit of checking the URL before you type still matters. It also does nothing if the device itself is compromised. It's one lock on the door. It's the best cheap lock available, but it's not the whole house.
The good news: turning it on takes about five minutes per account. Do email tonight. Do the bank tomorrow. That half hour of setup removes the most common way small accounts get taken over.
If you run a local business and want a second set of eyes on this kind of thing, I do a free 24-hour audit. Three real findings, yours to keep either way, whether or not you ever hire me.
community rating
$ ls ./comments
sign in or create an account to rate and comment.
no comments yet, be first.