If there is one thing you do after reading this article, let it be this. Enable two-factor authentication on your email account. Today. Before you finish your next cup of coffee.
Two-factor authentication, usually shortened to 2FA, is the digital deadbolt. Your password is the standard lock. 2FA is the second lock that stops someone even if they have copied your key. A phishing email leaks your password. A data breach dumps it on the dark web. A brute-force tool guesses it. In all three cases, 2FA is what keeps the attacker out.
In South Africa, where phishing made up 52% of cyber threats in 2025 and SIM swap fraud accounts for around 60% of mobile banking fraud, 2FA is not a nice-to-have. It is the single biggest jump in personal security you can make.
This guide is the step-by-step. Pick your platform. Follow the instructions. Move on to the next one.
What you need before you start
You need a smartphone with one of these free authenticator apps installed. Pick one and install it before you continue.
Google Authenticator. Available on Android and iPhone. Simple, reliable, widely supported. This is what we recommend for most people.
Microsoft Authenticator. Available on Android and iPhone. Excellent if your business runs on Microsoft 365 or Outlook. Supports one-tap push approval.
Authy. Available on Android, iPhone, and desktop. The advantage is cloud backup, which means you can recover your codes if you lose your phone. The trade-off is a slightly larger attack surface.
Any of the three works. Pick one, install it, then come back.
Gmail and Google accounts
Your Google account is usually the master key to the rest of your digital life. If someone gets into your Gmail, they can reset the password on almost everything else. Protect it first.
Go to myaccount.google.com and sign in. Click "Security" in the left menu. Under "How you sign in to Google," click "2-Step Verification" and then "Get started." Google will walk you through adding your phone number for SMS as a first step. Once that is done, click "Authenticator app" and select your phone type. Open your authenticator app, tap the plus icon, scan the QR code Google displays, and enter the six-digit code your app generates. Done.
Save your backup codes. Google will offer them. Print them. Store them in a locked drawer, not in a file on the same computer. These are your emergency access if you ever lose your phone.
Microsoft 365 and Outlook
If your business runs on Microsoft 365, this is critical. Business email compromise is the most expensive cyber attack category for South African SMEs, and almost every BEC case starts with a compromised inbox.
Sign in to account.microsoft.com. Go to "Security" then "Advanced security options." Click "Add a new way to sign in or verify" and select "Use an app." Open Microsoft Authenticator on your phone, tap "Add account," then "Work or school account." Scan the QR code. Approve the test notification. 2FA is live.
If you are a Microsoft 365 administrator, you can enforce 2FA for every user in the organisation through the admin centre under "Users" then "Active users" then "Multi-factor authentication." This is one of the highest-impact security steps a business can take.
WhatsApp
WhatsApp is everyday infrastructure in South Africa. WhatsApp account hijacking through SIM swap is a real and active fraud category here. WhatsApp's 2FA uses a PIN rather than an authenticator app.
Open WhatsApp. Go to "Settings" then "Account" then "Two-step verification." Tap "Enable" and choose a six-digit PIN you will remember. Add a backup email in case you forget the PIN. Now, anytime WhatsApp is registered on a new device, that PIN is required in addition to the SMS verification code.
For the full mechanics of how this attack works locally, see our WhatsApp account hijacking guide.
FNB, Standard Bank, Absa, Nedbank, and Capitec
South African banks have rolled out their own forms of 2FA. Most combine app-based approval, OTP via SMS, and biometric verification. Open your bank's app, go to "Security settings" or "Profile settings," and enable every verification option available. If the app offers in-app approval instead of SMS OTP, use it. In-app approval is not vulnerable to SIM swap. SMS is.
Facebook and Instagram
Open the Facebook app. Go to "Settings & Privacy" then "Settings" then "Accounts Centre" then "Password and security" then "Two-factor authentication." Select your account. Choose "Authentication app." Scan the QR code with your authenticator app and enter the code. Instagram uses the same Accounts Centre, so enabling it on Facebook covers Instagram too.
LinkedIn
Go to "Settings & Privacy" then "Sign in & security" then "Two-step verification." Click "Turn on" and choose "Authenticator app." Scan the QR code and enter the generated code. Save the recovery codes LinkedIn provides.
Why authenticator apps beat SMS
People often ask why we recommend authenticator apps over SMS codes. The answer is SIM swap fraud.
In a SIM swap, a criminal convinces your mobile provider to transfer your phone number to a SIM card they control. Social engineering at the call centre. A bribed employee at the store. Stolen personal information. The method varies, the outcome is the same. Once they have your number, every SMS code your bank or platform sends goes to them, not you.
Authenticator apps generate codes locally, on your physical device. They do not rely on your phone number or your mobile network. Even if you are SIM swapped, the attacker cannot get the codes from your authenticator app because the app lives on the specific device you set it up on.
This is why every cybersecurity professional, including everyone at Ubuntu Guard, recommends authenticator apps over SMS wherever the choice exists.
What to do if you lose your phone
This is the scenario everyone worries about. It is manageable if you prepare.
Backup codes. Most platforms hand over 8 to 10 single-use backup codes when you set up 2FA. Print them. Store them somewhere physical and secure.
Recovery email and phone. Make sure your accounts have a recovery email address and backup phone number registered. These give you alternative verification paths if everything else fails.
Authy cloud backup. If you chose Authy, your codes back up to the cloud and can be restored on a new device. Google Authenticator now also offers cloud sync if you are signed into your Google account inside the app.
Plan ahead. The worst time to figure out recovery is when you are locked out. Spend five minutes now confirming your recovery options on your three most important accounts.
Setting 2FA up for your whole business
If you run a business, do not leave 2FA as optional for your team. Make it mandatory.
For Microsoft 365 tenants, you can enforce 2FA through Security Defaults or Conditional Access policies. For Google Workspace, administrators can require it from the admin console under "Security" then "2-Step verification." For other cloud platforms, check the admin settings for mandatory authentication requirements.
If you want help rolling out 2FA across your business and training the team to use it properly, that is exactly what our cyber awareness training covers. We walk every team member through the setup on every platform they use, show them how backup codes work, and make sure nobody gets locked out.
The five-minute checklist
If you have five minutes, do these three things now.
- Set up 2FA on your primary email account. This is the most important one because email is used to reset the password on everything else.
- Set up 2FA on your online banking app. Use in-app approval rather than SMS where available.
- Save your backup codes somewhere physical and secure.
Everything else can wait. Those three cannot. The next time you have ten minutes, come back and work through the rest.
If you want help
If you would like Ubuntu Guard to roll 2FA out across your business and train your team, contact us at /services/cyber-awareness-training/.
Sources
- SABRIC: 2025 Annual Crime Statistics, SIM swap and mobile banking fraud (Published: 2026)
- Intelligent CIO Africa: Phishing share of South African cyber threats (Published: October 2025)
- Microsoft Security: How multi-factor authentication works (Accessed: 2026)
- Google Account Help: Set up 2-Step Verification (Accessed: 2026)
© 2026 Ubuntu Guard Cybersecurity | Durban, South Africa
ubuntuguard.co.za