Enable Two-Factor Authentication
What it is
Turning on two-factor authentication (2FA) – ideally via an authenticator app such as Aegis, Authy, or a built-in OS authenticator – on the most consequential accounts: email, banking, financial brokerages, password manager, cloud storage, and primary social media. Once enabled, signing in requires both the password and a short code from the second-factor device, so a password exposed in a credential leak is no longer enough on its own to take over the account. This is the single highest-leverage security intervention after a password manager, and the only one that protects against the credential breaches that happen to third-party sites you don’t control.
Sources and key statistics
- Enable 2FA on email, banking, brokerage, cloud storage, password manager, and primary social media accounts; prefer an authenticator app over SMS
- Microsoft research (2019) found that 2FA blocks over 99.9% of automated account compromise attempts; the figure has been confirmed in multiple subsequent industry reports
- Google Project Zero (2019) found device-bound second factors prevented 100% of automated bot attacks and 96% of bulk phishing attempts in a multi-year audit of Google account compromises
- The intervention is a one-time setup costing ~30–60 minutes total; ongoing per-login friction is negligible (5 seconds per sign-in, less if using a hardware key or passkey)
- Distinct from password manager setup and learning basic cybersecurity practices: both of those are broader bundles; this is the specific 2FA component, isolated as a fast, high-impact one-time action
Cost
- Upfront cost: $0
- Ongoing cost: $0/month
- Upfront time: 1 hour
- Ongoing time: 0.05 hours/week
How to do it
- Install an authenticator app (Aegis on Android, the built-in Passwords / Settings app on iOS, or 1Password / Bitwarden if you use a password manager that supports TOTP)
- Work through accounts in order of sensitivity: email first (because email controls password resets for everything else), then banking and brokerage, then cloud storage, then social media; allow about 2–3 minutes per account
- Prefer authenticator-app codes over SMS where both are offered – SMS is vulnerable to SIM-swap attacks and is meaningfully less secure than TOTP codes
- Save the backup recovery codes provided during setup somewhere durable (a printed copy in a safe, or stored in your password manager) – losing the second-factor device without backup codes can lock you out permanently
What success looks like
- Every account holding money, identity, or sensitive data prompts for a second factor at sign-in, with backup codes stored somewhere you can reach if your phone is lost
- You no longer worry about a third-party data breach exposing one of your reused passwords because that wouldn’t be enough to access your accounts
- Setup is done once and then runs invisibly – the per-login friction is roughly 5 seconds and the protection is continuous
Common pitfalls
- Enabling 2FA only on the most prominent account (email) and leaving banking, brokerage, and cloud storage exposed – attackers target the weakest link
- Setting up SMS-based 2FA without realising that SIM-swap attacks bypass it; an authenticator app is meaningfully more secure
- Failing to save backup codes; losing the phone without them can permanently lock you out, especially for accounts with no human support channel
Prerequisites
- A smartphone or computer that can run an authenticator app, plus accounts that support 2FA (most major email, banking, social, and cloud-storage providers do)
- A password manager already in use, or unique strong passwords on the accounts you're enabling 2FA on – 2FA only protects accounts that aren't already compromised by a reused password
- Somewhere durable to store recovery codes (printed in a safe, or stored in the password manager) so device loss doesn't lock you out permanently
Expected effects across life areas
| Life area | Value | PBS | ISR | UAR | Confidence | Baseline (population percentile) | EBS |
|---|---|---|---|---|---|---|---|
| Digital Safety | Comprehensive security | 8 | 95% | 75% | high | 35th | … |
| Digital Safety | Usability and convenience | -3 | 95% | 75% | medium | 35th | … |
Detailed Scoring
Scoring uses a logarithmic scale from 0 to 10, where each unit increase represents roughly double the impact.
Digital Safety – Comprehensive security
Anchor: Change in breadth and sophistication of digital security practices
Logarithmic Scale:
- Score 10: Transformative gain in comprehensive digital security
- Score 8: Major gain in comprehensive digital security
- Score 6: Meaningful gain in comprehensive digital security
- Score 4: Modest gain in comprehensive digital security
- Score 2: Slight, barely noticeable gain in comprehensive digital security
- Score -2: Slight, barely noticeable reduction in comprehensive digital security
- Score -4: Modest reduction in comprehensive digital security
- Score -6: Meaningful reduction in comprehensive digital security
- Score -8: Major reduction in comprehensive digital security
- Score -10: Severe damage to comprehensive digital security
Digital Safety – Usability and convenience
Anchor: Change in how seamlessly security measures integrate into daily workflows
Logarithmic Scale:
- Score 10: Transformative gain in convenience of digital security practices
- Score 8: Major gain in convenience of digital security practices
- Score 6: Meaningful gain in convenience of digital security practices
- Score 4: Modest gain in convenience of digital security practices
- Score 2: Slight, barely noticeable gain in convenience of digital security practices
- Score -2: Slight, barely noticeable reduction in convenience of digital security practices
- Score -4: Modest reduction in convenience of digital security practices
- Score -6: Meaningful reduction in convenience of digital security practices
- Score -8: Major reduction in convenience of digital security practices
- Score -10: Severe damage to convenience of digital security practices