1. Goal 1
  2. Step B

Set Up Multi-factor Authentication

This is a long one, but it's an important foundation to build for this and later steps.


What is multi-factor authentication?

It's a way of logging in to your online services and other systems where you prove that you're you in multiple ways. You're already used to providing a single factor of authentication: your password. Now you just need to add another!

The three categories of MFA are:

  • Something you know (like a password or PIN)
  • Something you have (like a mobile device or security key)
  • Something you are (like a fingerprint or face scan)

You already have your new password from the last step, so we're just going to add a second factor. We're going to use #2, “something you have,” and that something will be your mobile device. Or more specifically, an app on your mobile device.

You may sometimes see this called MFA, 2FA, or two-factor authentication. When we say multi-factor, we just mean you're using two or more different things to prove your identity.

Why use MFA?

Simply put, to make it just a little harder for bad actors to get into your accounts. In the case that someone finds, intercepts, or guesses your password, the second factor will be another hurdle for them to pass.

If they find your password on your desk, see you typing it in somewhere, or trick you into giving it to them online (it happens!) they still need access to your mobile app to get into your account. And what's better is that the mobile app code changes every 30 seconds. This can make hacking into your accounts a bit of a moving target.

Choosing an authenticator app

The specific type of second factor that we'll be using is called TOTP (or Time-based One-Time Passwords). In short, they are six-digit codes that change every 30 seconds. They work even when you don't have an internet connection, and they're a relatively safe and easy way to add a second factor to give you MFA.

There are many TOTP mobile apps you can choose from, but we're going to use Authy in this guide. If you already have a favorite, feel free to keep using it. As long as your TOTP app is “Google Authenticator compatible,” you should be fine.

Authy has some extra features that I like, so I recommend giving it a look:

  • Encrypted storage
  • Touch and Face ID locking
  • Backup Syncing

These features are optional, but the backup and syncing can be extra helpful when you lose your mobile device.

Already use SMS for your MFA?

SMS or text messages are a very insecure way to receive your second factor code. It has become quite common for bad actors to intercept SMS messages and use this to break into online accounts. It's best to stay away from SMS unless there is no other option.

I highly recommend that you transition to a TOTP / authenticator app and go as far as disabling SMS as an option on your important accounts. If you need a good backup MFA option, you can print any provided backup codes.

Setup Authy as your MFA app

Start by installing Authy on your mobile device. Here are Authy's directions for doing so:

I don't recommend installing Authy on your desktop or laptop unless this is your only option.

After you've installed Authy, launch it and walk through the initial setup process. It'll help you create an Authy account, which just means entering your mobile number and email address. Both will be important if you ever need to recover your Authy account.

From there, you can work through these optional, but recommended, steps:

  • Enable encrypted backups (read more about this below)
  • Enable a PIN and Touch ID or Face ID (for keeping the app and codes safe)
  • Use the multi-device feature to sync another device (if you have a second phone or tablet, this can be helpful)

There's often some confusion around the two different types of passwords / PINs that Authy asks you for. One is the PIN that helps encrypt your codes stored inside the mobile device itself and locks the app when you're not using it. The other is the password or phrase that encrypts your codes before Authy stores them on their servers.

Enable encrypted backups in Authy

While there can be downsides to storing your authentication codes in the cloud, for most folks the pros outweighs the cons.

Authy backups are encrypted and should only be able to be restored by you. You can read more about their backup and encryption processes here.

Authy backups can be very helpful in cases when you lose or damage your mobile device, or simply when you get a new one. As you collect more authentication codes, transferring or attempting to restore them becomes a bigger and bigger task.

If you don't feel that this is right for you, simply leave backups disabled.

If you'd like to proceed, make sure you follow the advice from the previous step to create a strong and unique password. Since this will be used for backup encryption, you should opt for a longer password or phrase, preferably 60+ characters. Then add it to your temporary paper storage.

Index card with example passwords

Index card with example passwords

You'll then use this new unique password for your Authy encrypted backups. Remember, you can use the Bitwarden Password Generator site to make this simple.

Here are Authy's instructions for enabling encrypted backups:

If you prefer an open source TOTP app option, and you won't be using the backup or sync features of Authy, take a look at the Aegis Authenticator for Android or Raivo or Tofu for iOS.

Enable MFA in your email account

Now it's time to put this new power to good use. You're going to enable MFA on your email account and connect it with the Authy app.

Here are Authy's own guides to help you through this step:

Sadly, Apple, Yahoo, and some other providers don't offer MFA compatible with mobile authenticator apps. They only offer SMS/text message MFA. In Apple's case at least, their method of doing this is a little better than just regular SMS MFA. Since it's your only option, though, it's way better than nothing.

Don't fret if you got this far with Authy and can't use it for your email. In upcoming steps, I'm going to recommend that you enable MFA on other important accounts. It's still essential that you go Authy setup.

Could you use some more visuals?

Here are a couple of videos that may help. I did not make these, but they contain some sound advice:

Authy also provides a really thorough help section, including guides for adding MFA to many other apps and services.

Final, but important, note

You've employed a really great method of MFA for your email account. But it isn't foolproof. You'll still need to be careful not to accidentally give a bad actor your password and your mobile code. If they do manage to get both, they can still get into your accounts.

Later on in the security journey, I'll talk more about protecting yourself from phishing, but in short, always make sure you're typing your passwords and authentication codes into the real site that you mean to. When in doubt, use your favorite search engine or a known bookmark to make sure you're in the right place. Don't rely on email links or directly typing URLs if you can help it.

There are even stronger methods of MFA out there. For example, Yubikeys are a physical USB or NFC keys that make it even harder for bad actors to break into your accounts. If used correctly, they can help resist phishing or tricking you into giving up your credentials. Learn more about those here.


You've completed the first goal in the Harder to Hack journey. With a more secure email account, you're just a bit harder to hack! Continue on to secure more parts of your digital world.

Get on the list!

Learn about free training sessions, livestream Q&As, and new guides.

You can unsubscribe at anytime. For more details, review our Privacy Policy.