How to Set Up Two-Factor Authentication on Every Account That Matters

By Ubuntu Guard | 26 April 2026

If your email, banking, and social media accounts all use the same password, and none of them have two-factor authentication enabled, you are one leaked database away from losing access to all three simultaneously.

Data breaches happen constantly. Your password may already be in a database that criminals are using to try logging into every major platform. A credential stuffing attack does not target you specifically. It just tries your email and password combination everywhere until something works.

Two-factor authentication (2FA) breaks that process. Even with your password, the attacker cannot get in without the second factor. The setup takes 10 minutes. This guide covers what it is, which method to use, and exactly how to enable it on the accounts that matter most to South African users.

What two-factor authentication actually is

A password is something you know. Two-factor authentication adds a second requirement, something you have or something you are. In practice, this means either a one-time code generated by an app on your phone, a code sent by SMS, or a physical hardware key.

When you log in to a 2FA-protected account, you enter your password as usual. Then the site asks for a second code. If an attacker has stolen your password but does not have access to your phone or your authenticator app, they are stopped.

It is not a perfect system. Nothing is. But it stops the most common attacks: credential stuffing, logins with passwords leaked in database breaches, and password guessing.

The difference between SMS OTP, authenticator apps, and hardware keys

SMS OTP is the most common form of 2FA in South Africa. Your bank sends a code to your phone number and you enter it to confirm a transaction. It is better than no 2FA at all, but it has a significant weakness: SIM swap fraud. An attacker who has swapped your SIM can receive those codes.

Authenticator apps generate codes independently on your device. They do not use your phone number. They are not vulnerable to SIM swap attacks. An attacker who has swapped your SIM still cannot get the code because the code is generated by an app on your physical handset, not sent via SMS.

Hardware keys, such as a YubiKey, are physical devices you plug in or tap against your phone to authenticate. They are the most secure option. They are also the most expensive and least convenient. For most South African individuals and SME owners, an authenticator app is the right balance.

Which authenticator apps work well in South Africa

Three apps are reliable, widely available on Android and iOS, and work well on South African data connections.

Google Authenticator is simple, fast, and free. It generates six-digit codes that rotate every 30 seconds. The recent versions include Google account backup, so if you change phones you can recover your codes. Download it from the Google Play Store or Apple App Store.

Microsoft Authenticator is also free and works well. It supports push notifications for Microsoft accounts, which means you approve logins with a single tap rather than typing a code. It also supports non-Microsoft accounts using the standard TOTP method. Good choice if your business uses Microsoft 365.

Authy offers multi-device support and encrypted cloud backup, which makes it easier to recover if you lose your phone. Slightly more setup involved, but more resilient for users who change phones frequently.

Any of these will work for the accounts covered below. Pick one and stick with it.

Step-by-step: enabling 2FA on the accounts that matter

Gmail (Google account)

  1. Go to myaccount.google.com and sign in.
  2. Select Security from the left menu.
  3. Under "How you sign in to Google," select 2-Step Verification.
  4. Click Get started. Google will walk you through the process.
  5. Choose "Authenticator app" as your second factor. Scan the QR code with your authenticator app.
  6. Enter the six-digit code to confirm it is working.
  7. Save your backup codes in a safe place (printed, not a screenshot on the same phone).

Outlook (Microsoft account)

  1. Go to account.microsoft.com and sign in.
  2. Select Security, then Advanced security options.
  3. Under Two-step verification, click Set up two-step verification.
  4. Follow the prompts. Choose the authenticator app option and scan the QR code.
  5. Enter the generated code to confirm.

FNB online banking

FNB uses in-app authorisation via the FNB app rather than a separate authenticator. To activate:

  1. Download the FNB app if you have not already.
  2. Log in and navigate to Security settings.
  3. Enable the in-app notification feature, which allows you to approve transactions directly in the app rather than via SMS OTP.
  4. Register your device. FNB will walk you through the process when you first log in on a new device.

This is significantly more secure than SMS OTP for FNB transactions.

Capitec app

Capitec uses its own app-based authentication. The Capitec app acts as its own authenticator. When you transact online or change account settings, you receive a push notification in the app that you approve.

To set this up, simply download the official Capitec Banking app from the Play Store or App Store, register with your ID number and card, and complete the biometric or PIN setup. All significant transactions will then require in-app approval.

WhatsApp

  1. Open WhatsApp and tap the three-dot menu (Android) or Settings (iPhone).
  2. Go to Account, then Two-step verification.
  3. Tap Enable. Create a six-digit PIN.
  4. Add a recovery email. This is the email you use if you forget the PIN.
  5. Confirm and save.

This prevents anyone from taking over your WhatsApp account even if they intercept your registration SMS code.

Instagram

  1. Open Instagram and go to your profile.
  2. Tap the three lines (hamburger menu) and select Settings and privacy.
  3. Tap Accounts Centre, then Password and security.
  4. Select Two-factor authentication and choose your account.
  5. Select Authentication app and scan the QR code with your authenticator app.
  6. Enter the code to confirm.

Facebook

  1. Go to Settings and Privacy, then Settings.
  2. Select Security and Login.
  3. Under Two-Factor Authentication, tap Edit.
  4. Choose Authentication app and scan the QR code with your authenticator app.
  5. Enter the code to confirm.

What to do with backup codes

Every service that offers 2FA also provides backup codes. These are one-time-use codes you can enter if your phone is lost or your authenticator app is unavailable.

Do not store them as screenshots on your phone. If your phone is stolen, both the authenticator app and the backup codes are compromised.

Print them out and store them somewhere secure, like a locked drawer at home or a fireproof safe. If you are setting this up for a business, store them in a sealed envelope in a physically secure location.

Common mistakes that defeat the purpose of 2FA

Using SMS OTP as your 2FA while also being vulnerable to SIM swap. If your phone number is your only second factor, SIM swap fraud bypasses your 2FA entirely. Use an authenticator app for important accounts.

Setting up 2FA but storing the backup codes in the same place as the password. That is not two factors, that is one set of credentials stored in one place.

Using the same email address as your recovery option on every account. If that email is compromised, it becomes the key to resetting everything else.

Setting up 2FA and then turning it off because it is inconvenient. The inconvenience is measured in seconds. The consequences of not having it can be measured in rand and months of recovery time.


Enable 2FA on your most important accounts today. Start with email and banking. Work down the list. It takes less time than reading this article.

For tools to help secure your accounts further, visit /cyber-toolkit/secure-accounts/index.html. If you want to train your team on account security practices, our cyber awareness training is at /services/cyber-awareness-training/.



Sources:

  - NIST: NIST Special Publication 800-63B-4: Digital Identity Guidelines (Published: August 2025)
  - Capitec Fraud Centre Guidance on In-App Authentication and Transaction Security (Accessed: 2026)


© 2026 Ubuntu Guard Cybersecurity | Durban, South Africa | ubuntuguard.co.za
