Two-factor authentication (2FA): your second lock against hackers
Two-factor authentication adds a second step to your login so a stolen password alone cannot get someone into your account. Learn what 2FA is, why authenticator apps beat SMS, and how to turn it on for Facebook, Gmail and other accounts.
Even a strong password can leak. Two-factor authentication (2FA), also called two-step verification, is the safety net: after your password, the account asks for a second proof that it is really you — usually a one-time code.
This means that even if a hacker in another country knows your password, they still cannot log in without that second factor, which is on your phone. 2FA is the single most effective free step you can take to protect your accounts.
This guide explains the types of 2FA, which to choose, and how to enable it — written so that anyone in Nepal can follow along.
What 'two factors' actually means
A 'factor' is a category of proof. Security gets stronger when you combine factors from different categories, so that stealing one is not enough.
The three categories are:
- Something you know — your password or PIN.
- Something you have — your phone, an authenticator app, or a physical security key.
- Something you are — your fingerprint or face.
The types of 2FA, from weakest to strongest
Not all second factors are equal. Here they are roughly from least to most secure:
- SMS codes — a code texted to your phone number. Better than nothing, but can be intercepted or stolen through 'SIM swap' fraud, where a criminal takes over your number.
- Authenticator apps — apps like Google Authenticator, Microsoft Authenticator or Authy generate a fresh 6-digit code every 30 seconds, offline, on your phone. Much safer than SMS and free.
- Push prompts — the app or service sends a 'Yes, it's me / No' notification you tap to approve.
- Security keys and passkeys — a physical USB/NFC key or a phone-stored passkey. The strongest option, highly resistant to phishing.
Why an authenticator app beats SMS
SMS-based 2FA is vulnerable to SIM-swap attacks, where a scammer convinces or tricks a mobile operator into moving your number to their SIM, then receives your codes. It also fails when you have no signal or change your number.
An authenticator app generates codes directly on your device, with no network needed and nothing to intercept. If you only do one upgrade, switch your important accounts from SMS to an authenticator app. Keep SMS as a backup only if no better option exists.
How to turn on 2FA (general steps)
The exact menu names differ by service, but the process is almost always the same:
- Open the account's Settings, then look for 'Security', 'Password and security', or 'Login'.
- Find 'Two-factor authentication' or 'Two-step verification' and tap to turn it on.
- Choose your method — pick 'Authenticator app' if available.
- Scan the QR code shown with your authenticator app, then type the 6-digit code back to confirm.
- Save your backup/recovery codes (explained below).
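As an added example (not code from the original guide), here is how the 6-digit, 30-second code described above is actually produced on the phone and then checked by the service during the 'type the code back to confirm' step. It assumes the standard TOTP algorithm (RFC 6238: HMAC-SHA1, 30-second step) that Google Authenticator and similar apps use; the secret shown is the RFC's published test key and the issuer name is a made-up placeholder, not a real account.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # the "fresh code every 30 seconds" the guide describes
DIGITS = 6

# Constructed example: the public RFC 6238 test key, NOT a real account secret.
# In real life this secret is what the QR code on the enrollment screen carries.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def enrollment_uri(secret_b32, account, issuer="ExampleService"):
    """What the QR code you scan contains (Key URI format read by authenticator apps).
    'ExampleService' is a hypothetical issuer name."""
    return (f"otpauth://totp/{issuer}:{account}?secret={secret_b32}"
            f"&issuer={issuer}&digits={DIGITS}&period={STEP_SECONDS}")


def totp_code(secret_b32, unix_time):
    """The code the phone shows at a given time: needs only the shared secret and the clock,
    which is why the app works offline and there is nothing sent over the network to intercept."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = int(unix_time) // STEP_SECONDS              # changes once every 30 s
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                 # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** DIGITS).zfill(DIGITS)         # keep leading zeros, e.g. "050471"


def verify_code(secret_b32, submitted, unix_time, drift_steps=1):
    """Server-side check: accept the current 30 s step plus one step either side for clock drift,
    reject anything that is not exactly 6 digits, and compare in constant time."""
    if len(submitted) != DIGITS or not submitted.isdigit():
        return False
    for d in range(-drift_steps, drift_steps + 1):
        expected = totp_code(secret_b32, unix_time + d * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):
            return True
    return False
```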
Turning on 2FA for the accounts that matter most
Start with the accounts that can unlock everything else, in this order: your main email (Gmail), then Facebook, then any banking or wallet apps, then social media.
For Gmail: go to your Google Account, Security, and turn on '2-Step Verification'. For Facebook: Settings & privacy, Settings, Accounts Center, Password and security, Two-factor authentication. Both let you choose an authenticator app.
Nepali wallets and banks: eSewa, Khalti and most bank apps already use an MPIN plus an OTP. Keep your MPIN private, never share any OTP with anyone (no real staff will ever ask for it), and lock your phone with a PIN or fingerprint so the apps are protected.
Save your backup codes — do not get locked out
When you enable 2FA, the service gives you a set of one-time 'backup' or 'recovery' codes. These let you get in if you lose your phone. This step is critical: people who skip it sometimes lose access to their own accounts.
Write the backup codes on paper and store them somewhere safe, or save them in your password manager. Also add a recovery phone number and recovery email to each account. If you change phones, move your authenticator app first (many apps let you transfer or back up your codes) before wiping the old device.
Key takeaways
- ✓ 2FA adds a second proof after your password, so a stolen password alone cannot get in.
- ✓ Authenticator apps (Google Authenticator, Authy, Microsoft Authenticator) are safer than SMS codes.
- ✓ SMS 2FA can be defeated by SIM-swap fraud — use it only as a backup.
- ✓ Enable 2FA first on your email, then Facebook, then banking and wallets.
- ✓ Always save your backup/recovery codes and set a recovery email and phone, or you risk locking yourself out.
- ✓ Never share any OTP or MPIN — legitimate eSewa, Khalti or bank staff will never ask for it.
Two-Factor Authentication (2FA) — FAQ
Is two-factor authentication free?
Yes. Turning on 2FA and using an authenticator app are completely free on Gmail, Facebook, and almost every major service. The only cost is a few minutes to set it up.
What happens if I lose my phone with the authenticator app?
You use your saved backup codes, or your recovery email/phone, to get in and set up 2FA again on a new device. This is exactly why saving backup codes when you enable 2FA is so important. Some apps (like Authy or Microsoft Authenticator) also let you restore from a cloud backup.
Is SMS 2FA still worth using?
Yes, if it is the only option an account offers — SMS 2FA is far better than no 2FA. But prefer an authenticator app where available, because SMS can be intercepted or stolen via SIM-swap fraud.
Will 2FA stop me being hacked completely?
It dramatically reduces the risk, but no single step is perfect. Combine 2FA with unique strong passwords and caution against phishing links (which can trick you into entering both your password and code) for the best protection.