How to set up two-factor authentication (2FA)
Topic: Accounts access
Summary
Enable 2FA on an account using an authenticator app (TOTP), save recovery or backup codes in a safe place, and verify that the next login requires the second factor. Includes what to do before turning 2FA on and how to recover if locked out or if the app clock is wrong.
Intent: How-to
Quick answer
- Before enabling: have a second device or backup method, and know where recovery codes are stored; then turn on 2FA in account security settings.
- Add the account to an authenticator app (e.g. Google Authenticator, Authy), enter the code once to verify, and download or copy recovery codes to a safe place.
- On next login, confirm 2FA is required; if locked out, use recovery codes or the account recovery flow; if codes fail, check the device's time sync.
Steps
- Prepare a backup before enabling 2FA: install an authenticator app on a second device or ensure you can receive backup codes; decide where you will store recovery codes securely.
- Enable 2FA in account settings: open the service’s security or login settings, find two-factor or 2FA, and start the setup (usually “Authenticator app” or “TOTP”).
- Register the account in your authenticator app: scan the QR code (or enter the secret key) in the app; enter the first code shown to confirm it works.
- Save recovery or backup codes: download or copy the recovery codes the service provides; store them in a password manager or other safe place you can access without the app.
- Verify 2FA on next login: log out and log back in; confirm you are prompted for the authenticator code (or recovery code) and that login succeeds.
Summary
You will turn on two-factor authentication (2FA) for an account using a time-based one-time password (TOTP) from an authenticator app, store recovery or backup codes safely, and confirm that the next login requires the second factor. This guide focuses on the steps that apply to most services (GitHub, Google, AWS, etc.) and how to avoid lockout and fix common issues like wrong time or lost device.
Prerequisites
- An account on the service where you want to enable 2FA (e.g. GitHub, Google, cloud provider).
- A smartphone or other device to run an authenticator app (e.g. Google Authenticator, Authy, Microsoft Authenticator).
- Optional: a second device or backup method so you can still log in if the primary device is lost.
- Ability to access the account’s security or login settings (you may need to log in with password first).
Steps
Step 1: Prepare a backup before enabling 2FA
Before turning 2FA on:
- Install an authenticator app on your phone (or a second device) if you have not already.
- Know where you will store recovery codes: password manager, encrypted backup, or secure note. Do not rely only on the device that runs the app.
- If the service offers backup methods (e.g. backup codes, SMS, security key), note which you will use as fallback.
Enabling 2FA without a backup increases the risk of lockout if you lose the device or the app data.
Step 2: Enable 2FA in account settings
- Log in to the service and open Settings (or Account / Security / Login and security).
- Find the 2FA section (often named “Two-factor authentication”, “2FA”, “Authenticator app”, or “Security keys”).
- Start the 2FA setup and choose Authenticator app or TOTP (not only SMS, which is weaker). Some services also offer security keys (FIDO); you can add those in addition.
- The service will show a QR code and usually a manual entry key (long string). Keep this page open for the next step.
Step 3: Register the account in your authenticator app
- Open your authenticator app and add a new account (e.g. “Scan QR code” or “Enter key manually”).
- Scan the QR code from the service’s 2FA page, or type the manual key if you cannot scan.
- The app will show a 6-digit code that changes every 30 seconds.
- Enter that code in the service’s 2FA setup page and submit. If it accepts, the app is linked.
If the code is rejected, check that your phone’s date and time are set to automatic (see Troubleshooting).
Step 4: Save recovery or backup codes
Most services show a set of one-time recovery or backup codes after you enable 2FA.
- Copy or download the codes as instructed (often 8–10 codes).
- Store them in a password manager, encrypted file, or secure location you can access without the authenticator app.
- Do not store them only on the same device as the app. Treat them like passwords: keep them secret and safe.
If you skip this step and lose access to the app, you may have to use the service’s account recovery process (e.g. email or support), which can be slow or require identity checks.
Step 5: Verify 2FA on next login
- Log out of the service (or use a private/incognito window).
- Log in again with your username and password.
- You should be prompted for the 2FA code (authenticator app or recovery code). Enter a current code from the app.
- Confirm you reach the normal account screen. 2FA is now active.
Verification
- 2FA required: After logging out and logging in, the service asks for an authenticator or recovery code before completing login.
- Authenticator works: A code from the app is accepted within a few seconds of entering it.
- Recovery codes stored: You have the recovery codes saved in a place you can access without the phone (e.g. password manager); you have not shared them.
Troubleshooting
“Invalid code” or “Code expired”
TOTP codes depend on the device’s clock. If the code is correct but rejected, enable automatic date and time on the phone (Settings → Date & time). On some networks or after travel, sync can be off by a minute; wait for the next 30-second window or try again after time has synced.
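To make concrete what Step 3 (the 6-digit code that changes every 30 seconds, derived from the manual-entry key) and this troubleshooting entry (why a wrong clock produces “Invalid code”) describe, here is an added example implementing RFC 6238 TOTP with a verifier that tolerates one 30-second step of clock skew. It is not code from any of the services mentioned; the secret is the RFC 6238 test key (a constructed value, not a real account key), and `skew_steps` is an assumed server-side tolerance that varies between services.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30   # time step used by almost every TOTP service
DIGITS = 6          # code length shown by the authenticator app


def decode_secret(secret_b32: str) -> bytes:
    """Decode the manual-entry key (base32: uppercase letters and digits 2-7).
    Spaces and lowercase are normalised and padding restored, because apps
    and services often display the key in groups of four."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the last DIGITS decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


def totp(secret_b32: str, unix_time: Optional[int] = None) -> str:
    """RFC 6238 TOTP: the counter is the number of 30-second steps since the
    Unix epoch, so both sides must agree on the current time."""
    t = int(time.time()) if unix_time is None else unix_time
    return hotp(decode_secret(secret_b32), t // STEP_SECONDS)


def verify_totp(secret_b32: str, submitted: str,
                unix_time: Optional[int] = None, skew_steps: int = 1) -> bool:
    """Server-side check accepting codes from up to skew_steps windows before
    or after the current one (assumed tolerance; services differ). A phone
    clock that drifts further than this is what produces 'Invalid code'."""
    t = int(time.time()) if unix_time is None else unix_time
    secret = decode_secret(secret_b32)
    step = t // STEP_SECONDS
    for delta in range(-skew_steps, skew_steps + 1):
        if hmac.compare_digest(hotp(secret, step + delta), submitted):
            return True
    return False


if __name__ == "__main__":
    # Constructed example: RFC 6238 test key "12345678901234567890" in base32.
    SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print("current code:", totp(SECRET))
```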
Locked out (no app, no recovery codes)
Use the service’s account recovery flow (e.g. “Lost your 2FA device?” or “Use recovery code”). If you saved recovery codes, use one of them to log in, then add the account to a new authenticator or regenerate recovery codes. If you have no codes, follow the service’s recovery steps (often email verification or support); this can take time.
New phone or reinstalled app
If you did not migrate the authenticator data, use a recovery code to log in once; then, in account settings, turn 2FA off and back on to get a new QR code for the new app, or add a new backup method. Some apps (e.g. Authy) support cloud backup; restore from that if you had it enabled.
QR code won’t scan
Use the “Can’t scan? Enter key manually” option and type the secret key into the app. Ensure there are no extra spaces; the key is usually all uppercase letters and numbers.
Next steps
- If you see access or permission errors after enabling 2FA: Access denied: how to fix permission errors.
- Before going live: Accounts and access checklist before going live.
- When someone leaves the team: How to revoke access when someone leaves.