HOW-TO · June 25, 2025 · 9 min read

Multi-Factor Authentication: The Complete Setup Guide for 2025

App-based TOTP, hardware keys, passkeys, SMS (and why to avoid it). The complete MFA setup guide for individuals and teams.

What MFA actually protects against

Microsoft's security team analysed account takeover data and reported that enabling multi-factor authentication blocks more than 99.9% of automated account attacks. That number needs context: it covers credential stuffing (stolen passwords replayed automatically), brute force and password spray, which are the bulk attacks that run at scale. It says nothing about a targeted attacker who intercepts or relays your second factor in real time. What it does say is that the overwhelming majority of attacks actually happening today stop at the MFA prompt.

The MFA options, ranked by security

  • FIDO2 hardware keys (YubiKey, Google Titan): Phishing-resistant, because the key signs a challenge bound to the site's origin, so a login captured on a lookalike domain is useless against the real one. The gold standard. See our hardware keys guide for details.
  • Passkeys (FIDO2 credentials held on your phone or computer, either device-bound or synced through your platform account): Increasingly supported. The private key sits in the device's secure hardware, or in an end-to-end encrypted keychain when synced, and is never typed or transmitted, so there is nothing to phish. Requires iOS 16+, Android 9+, or Windows Hello.
  • TOTP authenticator apps (Authy, Google Authenticator, Bitwarden Authenticator): 6-digit codes derived from a shared secret and the current time, rotating every 30 seconds. Nothing travels over the phone network, so immune to SIM swapping. Vulnerable to real-time phishing (a proxy site relays the code within its 30-second window), but blocks automated attacks.
  • Push notifications (Duo, Microsoft Authenticator): Convenient. Vulnerable to MFA fatigue: attackers spam approval requests hoping you'll tap accept by mistake. Enable "number matching" if available, so approving requires typing a number shown on the login screen rather than a single tap.
  • SMS/voice codes: Better than nothing. Vulnerable to SIM swapping, SS7 interception and the same real-time phishing as TOTP. Use only when no better option is available.

Step-by-step: setting up TOTP on your most important accounts

  1. Download Authy or Google Authenticator on your phone
  2. Go to your account's security settings — look for "Two-factor authentication" or "2-step verification"
  3. Choose "Authenticator app" (not SMS)
  4. Scan the QR code with your authenticator app
  5. Enter the 6-digit code to confirm setup
  6. Save your backup codes in a secure location (a printed copy in a safe, or in your password manager under a separate entry; bear in mind that anything stored in the vault falls together with the vault, so the printed copy is the stronger option)
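To make the procedure above concrete, here is what happens behind step 4 and step 5: the QR code encodes an otpauth:// URI carrying a shared secret, the app derives a code from that secret and the current time (RFC 6238 over RFC 4226), and the site derives the same code to compare. This is an added example written for this guide, not code from any authenticator app or website. The URI, label and issuer are constructed; the secret is the RFC 6238 reference key "12345678901234567890" in base32, so the codes it produces match the RFC's published test vectors. The server-side verify function also shows the caveat from the TOTP bullet above: it rejects replays and tolerates clock drift, but cannot tell a phishing proxy relaying a fresh code from the real user.

```python
"""TOTP as an authenticator app and a server implement it (RFC 6238 over RFC 4226).

Added example for this guide, not code from any authenticator app, site or vendor.
Standard library only. EXAMPLE_URI is a constructed otpauth:// payload of the kind
the QR code in step 4 encodes; its secret is the RFC 6238 reference key
"12345678901234567890" in base32, so the codes below match the RFC's test vectors.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse

# Constructed: what the QR code contains. Label, issuer and secret are assumptions.
EXAMPLE_URI = (
    "otpauth://totp/Example:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&algorithm=SHA1&digits=6&period=30"
)


def parse_otpauth(uri: str) -> dict:
    """Pull the shared secret and parameters out of an otpauth://totp/ URI."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    query = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    secret_b32 = query["secret"].strip().replace(" ", "").upper()
    # QR payloads usually omit base32 padding; b32decode insists on it.
    secret_b32 += "=" * (-len(secret_b32) % 8)
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "issuer": query.get("issuer"),
        "secret": base64.b32decode(secret_b32),
        "algorithm": query.get("algorithm", "SHA1").upper(),
        "digits": int(query.get("digits", "6")),
        "period": int(query.get("period", "30")),
    }


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226: HMAC(secret, 8-byte big-endian counter), dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm.lower()).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, period: int = 30, digits: int = 6,
         algorithm: str = "SHA1") -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / period). This is what the app displays."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // period, digits, algorithm)


def verify_totp(secret: bytes, code: str, at: int, last_used_step: int = -1,
                period: int = 30, digits: int = 6, algorithm: str = "SHA1",
                window: int = 1) -> Optional[int]:
    """Server-side check. Returns the matched time step, or None.

    Accepts `window` steps either side of now to tolerate clock drift, compares in
    constant time, and refuses any step at or before the last one already redeemed so
    a captured code cannot be replayed. What it cannot tell is who typed the code: a
    code relayed by a real-time phishing proxy inside the window still verifies.
    """
    now_step = at // period
    matched = None
    for step in range(now_step - window, now_step + window + 1):
        # Check every candidate rather than returning early, to keep timing uniform.
        if hmac.compare_digest(hotp(secret, step, digits, algorithm), code) and step > last_used_step:
            matched = step
    return matched


if __name__ == "__main__":
    params = parse_otpauth(EXAMPLE_URI)
    now = int(time.time())
    shown = totp(params["secret"], now, params["period"], params["digits"], params["algorithm"])
    print(f"{params['issuer']} ({params['label']}): {shown}")
    print("server accepts:", verify_totp(params["secret"], shown, now) is not None)
    print("replay rejected:", verify_totp(params["secret"], shown, now, last_used_step=now // 30) is None)
```

The site stores `last_used_step` per user after a successful login; without that, a code shoulder-surfed or phished once stays valid for the full window. Note also that the secret in the URI is the whole security of the factor: whoever has the QR code or its base32 text can generate every future code, which is why the seed belongs only on the device and the site, not in a screenshot folder.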

Which accounts to prioritise

In this order:

  • Your primary email — it's the recovery method for everything else. If this falls, everything falls.
  • Your password manager — it holds the keys to the kingdom
  • Banking and investment accounts
  • Work accounts with admin privileges
  • Social media accounts used for "Login with..." flows (Google, Apple, Facebook)
  • Cloud storage (Google Drive, iCloud, Dropbox)

Recovery codes: don't skip this step

Most services generate recovery codes when you enable MFA. These are single-use backup codes that let you access your account if you lose your phone or hardware key. Print them and store them physically, or keep them in your password manager in a separate entry. If a service doesn't offer recovery codes, register a second method (a spare hardware key or a second authenticator) so losing one device doesn't lock you out. Not having a recovery path when you need it means, at best, a slow manual identity-verification process with the provider and, at worst, permanent account lockout.
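Seen from the service's side, "single-use" is a property the server has to enforce: it mints random codes, keeps only salted hashes of them, and burns a code the first time it is accepted. The following is an added example written for this guide of how that is done, not any provider's implementation. The alphabet, code length and hashing parameters are assumptions; the codes it prints are generated on the spot and are not from any real account.

```python
"""Recovery codes the way a service should mint and redeem them.

Added example for this guide, not any provider's implementation. Standard library only;
the alphabet, code length and PBKDF2 round count are assumptions.
"""
import hashlib
import hmac
import secrets

# No 0/O/1/I/L: the codes are meant to be read back off a printed sheet.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
CODE_LENGTH = 10         # 31^10 is roughly 2^49.5 of entropy per code
PBKDF2_ROUNDS = 20_000   # assumed; redemption is rare and rate-limited, so this is cheap enough


def generate_recovery_codes(count: int = 10) -> list:
    """Mint `count` random codes, formatted xxxxx-xxxxx for the user to print."""
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LENGTH))
        codes.append(f"{raw[:5]}-{raw[5:]}")
    return codes


def normalise(code: str) -> str:
    """Tolerate the ways people retype a printed code: upper case, spaces, dashes."""
    return "".join(ch for ch in code.lower() if ch.isalnum())


def _digest(code: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", normalise(code).encode(), salt, PBKDF2_ROUNDS)


def store_recovery_codes(codes: list) -> list:
    """What the server keeps: a salt, a hash and a used flag per code, never the codes themselves."""
    records = []
    for code in codes:
        salt = secrets.token_bytes(16)
        records.append({"salt": salt, "hash": _digest(code, salt), "used": False})
    return records


def redeem_recovery_code(records: list, submitted: str) -> bool:
    """Accept a code exactly once. A second use of the same code fails, as does any unknown code."""
    accepted = False
    for rec in records:
        # Check every record rather than stopping at the first hit, so the
        # response time does not reveal which slot (if any) matched.
        if hmac.compare_digest(_digest(submitted, rec["salt"]), rec["hash"]) and not rec["used"]:
            rec["used"] = True
            accepted = True
    return accepted


def remaining(records: list) -> int:
    """How many unused codes are left; warn the user and offer a fresh set when this runs low."""
    return sum(1 for rec in records if not rec["used"])


if __name__ == "__main__":
    codes = generate_recovery_codes()
    print("print these and keep them offline:\n  " + "\n  ".join(codes))
    records = store_recovery_codes(codes)
    print("first use accepted:", redeem_recovery_code(records, codes[0]))
    print("second use accepted:", redeem_recovery_code(records, codes[0]))
    print("codes remaining:", remaining(records))
```

The user-facing consequence is the one the section above makes: because the server holds only hashes, it cannot re-show the codes later. If the sheet is lost, the only option is to generate a new set, which requires being logged in. Regenerating the set should also invalidate every old code, since a stray printout is otherwise a standing bypass of the second factor.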
