How I Set Up 2FA on Every Account in One Afternoon

It started with a friend's email getting hijacked. One Tuesday morning she woke up to find her Gmail had been used to send phishing links to everyone she knew — her clients, her family, her old professors. The password she'd been using for six years, "Sophie2018!" (yes, she told me), had turned up in a credential dump from some forgotten forum breach. Two-factor authentication would have stopped it cold. She didn't have it enabled.

I sat with that story for a week before I finally did what I'd been putting off: I blocked out an entire Saturday afternoon and went through every account I owned. Not just the obvious ones — email and bank — but the weird edges. The cooking forum I signed up for in 2019. The newsletter platform I trialed and abandoned. The cloud storage service from a startup that I was pretty sure had already gone under.

Here's exactly what I did, what surprised me, and the specific traps I fell into so you don't have to.

Step One: The Account Audit (This Part Takes Longer Than You Think)

Before I could secure anything, I needed to know what I actually had. I opened a plain text file and started listing accounts. My method: search my email inbox for the phrases "welcome to," "verify your email," and "confirm your account." Sorting by sender gave me a rough map of my digital life going back about eight years.

The count surprised me. I got to sixty-three before I stopped adding services I recognized as dormant. Of those, about forty had some kind of login I genuinely used or cared about. That's the realistic scope of a modern person's account surface. Not three accounts. Forty.

I made three columns: the service name, whether I still used it, and whether it even supported 2FA. That last column was the depressing one. A handful of smaller services — a hobby forum, a regional utility's billing portal, an older SaaS tool from a small company — had no 2FA support at all. Nothing I could do there except use a strong unique password (more on that later) and accept the risk.

Picking an Authenticator App (And Why I Almost Made the Wrong Choice)

My first instinct was to use Google Authenticator because I'd heard the name before. I almost did it. Then I read about its backup situation — or rather, the historical lack of one. For years, if you lost your phone, you lost every code stored there, with no way to recover them unless you'd screenshotted the QR codes during setup (which essentially defeats the purpose of keeping them safe).

Google did eventually add cloud backup, but I'd already read enough to make me nervous about single-vendor lock-in. I ended up going with Aegis Authenticator on Android — open source, encrypted local backup, and you can export the vault as an encrypted file that goes into your regular backup routine. For anyone on iOS, Raivo or the built-in Apple Passwords app (added in iOS 18) are solid choices.

The important thing: whatever app you pick, do a test restore before you rely on it. Export your vault, pretend your phone is gone, and confirm you can actually get back in. I did this on day two. It worked. But I was glad I checked.

The Enrollment Process — Account by Account

I worked through my priority list in order: email first, then password manager, then financial accounts, then work tools, then everything else.

Email was the most important. If someone has your email, they can reset almost anything else. My Gmail 2FA setup took about four minutes. The surprising part was finding that Google's "2-Step Verification" settings page lists every backup method you've ever added — old phone numbers, backup codes from years ago, recovery email addresses. I found a phone number in there that I'd had in 2017. I deleted it immediately.

The password manager enrollment felt almost paradoxical — using one security tool to protect another — but it's exactly right. If your password manager gets compromised, everything else falls. Bitwarden let me set up TOTP (Time-based One-Time Password, the standard behind those six-digit codes that refresh every thirty seconds) plus an emergency contact feature. Setting both up took about ten minutes and required printing a recovery sheet, which I sealed in an envelope and put in a physical folder. Old-fashioned, but reliable.

Banks were weirdly inconsistent. One of my accounts — a credit union I've used since college — only offered SMS-based 2FA. That's better than nothing, but SMS has real weaknesses: SIM-swapping attacks, where someone calls your carrier and convinces them to transfer your number to a new SIM, can intercept those codes. I enabled it anyway because it raises the bar significantly over just a password, but I noted it as a weaker link.

My main bank offered a proper authenticator app option buried three menus deep in "Security Settings" under "Advanced." I almost missed it.

Backup Codes: The Part Most People Skip

Every service that supports TOTP also offers backup codes — a set of one-time-use codes you download during setup, typically eight to ten of them, that let you get in if you lose your authenticator. Most people generate these, think "I'll save them somewhere later," and then lose them.

My system: I saved each service's backup codes as a text file named after the service, put them all in a folder called "2FA Backups," then encrypted that folder using VeraCrypt with a passphrase I have memorized. The encrypted volume lives in my cloud storage and also on a USB drive I keep at home. The passphrase lives only in my head and in my password manager.

This is probably more elaborate than most people need. At minimum: print them, write the service name on the paper, and put them somewhere physically safe. A fireproof box is good. Your sock drawer is not.
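To show what a service is doing behind the "download your backup codes" button described above, here is an added example (not code from the post or from any service named in it) of how backup codes are issued and consumed: the user sees the plaintext once, the service keeps only digests, and each code works exactly once. The function names are my own.

```python
import hashlib
import secrets


def issue_backup_codes(count: int = 10) -> tuple[list[str], set[str]]:
    """Generate `count` one-time backup codes.

    The plaintext list is shown to the user once (this is the file you save).
    The service stores only SHA-256 digests, so a leaked database does not
    hand out usable codes. Plain SHA-256 is adequate here because each code
    carries 64 bits of randomness; a short, low-entropy code would need a
    slow password hash instead.
    """
    codes = [f"{secrets.token_hex(4)}-{secrets.token_hex(4)}" for _ in range(count)]
    stored = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
    return codes, stored


def redeem_backup_code(stored: set[str], submitted: str) -> bool:
    """Accept a code only once: its digest is removed from the store on success."""
    normalized = submitted.strip().lower()
    digest = hashlib.sha256(normalized.encode()).hexdigest()
    if digest in stored:
        stored.discard(digest)
        return True
    return False


if __name__ == "__main__":
    codes, store = issue_backup_codes(8)
    print("save these:", "\n".join(codes))
    print("first use:", redeem_backup_code(store, codes[0]))   # True
    print("replay:", redeem_backup_code(store, codes[0]))      # False
```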

The Gotchas I Actually Hit

A few things caught me off guard that I hadn't planned for going in.

The clock problem. TOTP codes are time-synchronized — your phone's clock and the server's clock need to roughly agree. One older device I tested with had its automatic time sync turned off and the clock was four minutes off. The codes it generated were consistently rejected. Turning on automatic time sync fixed it instantly, but it took me twenty minutes to figure out that's what was happening.

App-specific passwords. When I enabled 2FA on my email, a few older desktop apps I used stopped working. Gmail — and others — handle this by generating "app-specific passwords," one-time passwords for applications that can't use the normal 2FA flow. Setting these up for my mail client and calendar app added another fifteen minutes I hadn't budgeted for.

The service that locks you out on setup. One streaming service I use managed to lock me into a state where it wanted a 2FA code before I'd finished enrolling one. I had to use a backup code I'd literally generated thirty seconds before. It worked, but it was a reminder to save backup codes before clicking the final confirmation button, not after.

Recovery email addresses are 2FA too. Several services, especially Google, treat your recovery email as a fallback authentication method. If your recovery email is a throwaway you no longer control, that's a liability. I updated three of them.

Where I Ended Up

Four hours, start to finish — the audit ran long. Of my forty active accounts, thirty-one now have TOTP-based 2FA, five have SMS-only 2FA (better than nothing, weaker than TOTP), and four have no 2FA available. Those four I've noted and I'll reassess if anything better becomes available or if I decide the accounts are worth abandoning.

The thing that surprised me most wasn't the technical work, which was genuinely straightforward. It was discovering how much of my account hygiene had decayed silently. Old phone numbers. Recovery emails I no longer checked. Backup codes that had been generated and forgotten. None of that is visible until you go looking.

The afternoon cost me a Saturday and a bit of friction. What it bought me is real: even if someone has my password — through a breach, through phishing, through whatever — they can't get in without a device that's physically in my hand. For most realistic attack scenarios, that's enough. It's not a perfect system. But it's a dramatically better one than what I had last Saturday morning, and it was never more than an afternoon away.

Start with email. Do that one today if you do nothing else. Everything else can follow at your own pace. But do start.