Skip to content

Set up two-step sign-in on everything

Two-step sign-in (also called 2FA or two-factor authentication) means a stolen password isn't enough to take over your account. It is the single highest-value security upgrade you can make, and most accounts still don't have it. Here's the sane way to roll it out.

The order that matters

Don't try to do everything at once. Protect accounts in this order:

  1. Your main email. Whoever controls your email can reset every other password you have. This one is worth doing today.
  2. Money — banking, PayPal, crypto exchanges, anything that can spend.
  3. Identity anchors — Google/Apple accounts, password manager, phone provider (SIM-swap protection).
  4. Everything with your life in it — photos, messages, socials, cloud storage.
  5. The long tail, five minutes at a time.

Which method to pick

Not all second steps are equal:

  • Best: passkeys or an authenticator app (or a hardware key). Codes generated on your device, immune to SIM swapping.
  • Okay: codes by SMS or email. Massively better than nothing — but a determined attacker can steal a phone number. Upgrade when the service allows it.

Don't lock yourself out

When you enable two-step sign-in, the service shows you recovery codes. Save them somewhere that survives losing your phone — printed in a drawer beats a note on the phone you just lost.

The part nobody does: keeping track

The hard part isn't one account — it's knowing where you're covered, where you're not, and where you settled for SMS three years ago. SecBird tracks two-step sign-in across all your accounts, walks you through enabling it service by service, and scores stronger methods higher — so your score reflects reality, not good intentions.