
Last week we talked about data breaches and what to do when your password gets exposed.

This week, we're covering the single most important thing you can do to protect any online account, and it takes about 5 minutes.

It's called two-factor authentication, or 2FA for short. You may also hear it called multi-factor authentication (MFA). Same idea.

What Is It?

Two-factor authentication means that logging in requires two things instead of just one:

  1. Something you know: your password

  2. Something you have: usually your phone

So even if a hacker steals your password, they still can't get in, because they don't have your phone.

That's it. That's the whole concept.

Does It Actually Work?

Yes. Overwhelmingly yes.

According to Microsoft, turning on MFA blocks over 99.9% of automated account attacks. The U.S. national security cyber chief has cited figures showing MFA can prevent 80-90% of all cyberattacks. And Microsoft's own data shows that over 99.9% of compromised accounts did not have MFA enabled.

Those aren't small numbers. That's the difference between leaving your front door wide open and installing a deadbolt.

How Does It Work?

When you turn on 2FA, here's what happens when you log in:

  1. You enter your username and password like normal

  2. The service sends a one-time code to your phone (via text, app, or email)

  3. You enter that code

  4. You're in

That extra step takes about 10 seconds. And it makes your account exponentially harder to break into.

The Three Types (And Which to Use)

📲 Authenticator App (Best Option): Apps like Google Authenticator, Microsoft Authenticator, or Authy generate a new 6-digit code every 30 seconds. The code is generated on your phone and is never sent to you over the phone network, which means it can't be intercepted in transit the way a text message can. This is the method most security experts recommend.

📱 SMS Text Message (Good, Not Great): The service texts you a code. It works, and it's better than nothing, but SMS can be intercepted through a technique called SIM-jacking, where a scammer convinces your carrier to transfer your phone number to their device. If you can use an authenticator app instead, do it. If SMS is your only option, it's still far better than no 2FA at all.

🔑 Hardware Security Key (Best for High-Value Accounts): A physical USB key (like a YubiKey) that you plug in or tap against your phone. It's nearly impossible to phish. Most people don't need this level of security for everyday accounts, but it's worth knowing about if you work in finance, IT, or handle sensitive data.
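
For readers who want to see why an authenticator app's code never has to be sent to the phone, here is an added example (not part of the original newsletter and not any app's own code) of the open standard these apps implement, TOTP (RFC 6238): the phone and the service share a secret once at setup, then each computes the same 6-digit code from that secret and the current time. The Verifier class, its one-step clock-drift allowance and its replay check are illustrative assumptions, and the secret is the published RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30     # seconds each code is valid for
DIGITS = 6    # length of the code shown in the app


def totp(secret_b32, at=None, step=STEP, digits=DIGITS):
    """Compute the RFC 6238 code (HMAC-SHA1) for a Base32 secret at a Unix time."""
    key = base64.b32decode(secret_b32.upper())
    counter = int(time.time() if at is None else at) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Verifier:
    """Service side (hypothetical helper): accept each code once, tolerate small clock drift."""

    def __init__(self, secret_b32):
        self.secret = secret_b32
        self.last_counter = -1  # highest 30-second step already accepted

    def check(self, code, at=None, drift=1):
        now = int(time.time() if at is None else at)
        current = now // STEP
        for counter in range(current - drift, current + drift + 1):
            if counter <= self.last_counter:
                continue  # this step was already used: reject a replayed code
            expected = totp(self.secret, at=counter * STEP)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self.last_counter = counter
                return True
        return False


# Constructed sample: Base32 form of the RFC 6238 test key "12345678901234567890"
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    code = totp(SECRET)              # what the app would display right now
    service = Verifier(SECRET)
    print(code, service.check(code), service.check(code))  # second check is a replay
```

Only the secret is exchanged, once, when you scan the setup QR code; after that the code exists on your phone and on the service's side without travelling between them until you type it in.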

Where to Turn It On First

Start with the accounts that matter most:

  1. Email: Your email is the master key. If someone gets into your email, they can reset passwords on everything else.

  2. Banking and financial accounts: For obvious reasons.

  3. Social media: These are prime targets for impersonation and identity theft.

  4. Cloud storage: Google Drive, iCloud, Dropbox, anywhere you store personal files or photos.

  5. Work accounts: If your employer hasn't already required it.

Most major services support 2FA. Look in your account's Settings → Security section. It's usually called "Two-Step Verification" or "Two-Factor Authentication."

"But What If I Lose My Phone?"

Good question. When you set up 2FA, most services give you backup codes, a set of one-time-use codes you can store somewhere safe (printed out, in a locked drawer, or in a password manager). If your phone is lost or broken, those codes get you back in.

Some authenticator apps also let you back up to the cloud or transfer to a new device. Set this up when you first enable 2FA, not after you've lost your phone.

📌 Quick Takeaways

🔐 2FA = password + your phone: two things instead of one.
📊 Blocks 99.9% of automated account attacks.
📲 Use an authenticator app: it's the best balance of security and convenience.
📱 SMS is okay: but an app is better.
📧 Start with email: it's the key to everything else.
💾 Save your backup codes: you'll need them if you lose your phone.

Bottom Line

If there's one thing you do after reading this newsletter today, let it be this: turn on two-factor authentication on your email account.

It takes 5 minutes. It's free. And it stops nearly every common attack dead in its tracks.

You already lock your front door. Lock your digital one too.

Until next time — stay private, stay safe.

Peter Oram
Chief Cyber Safety Evangelist

P.S.: I’m working on a practical iPhone safety guide for parents.
Reach out if you’re interested in early access.
