Passwords on their own are no longer enough. Phishing emails, leaked password databases and credential-stuffing attacks mean that even a strong, unique password can end up in the wrong hands. The single most effective thing you can do today to protect your online accounts is to switch on two-factor authentication — often shortened to 2FA, or labelled "two-step verification" by some providers.
We see customers from Leith, Bonnyrigg, Musselburgh and Portobello come into our Parkhead workshop every week with hijacked email or social accounts that could have been saved by ten minutes of setup. This Edinburgh-friendly guide walks you through what 2FA is, the different methods available, and exactly how to turn it on for the accounts that matter most.
What Is Two-Factor Authentication?
Two-factor authentication adds a second check to the login process. After you enter your password, the service asks for one more piece of evidence that you are who you say you are — usually a short code from your phone, an approval tap in an app, or a physical security key plugged into a USB port. Even if a criminal has your password, they cannot complete the login without that second factor.
It is a small inconvenience the first time you set it up, but the protection is enormous. The UK's National Cyber Security Centre recommends 2FA on every account that supports it.
The Three Common 2FA Methods
1. SMS or Text Message Codes
The provider texts a six-digit code to your phone whenever you log in. This is the easiest method to set up because everyone has a mobile number, and it is far better than nothing — but it is the weakest of the three. SIM-swap fraud, where an attacker tricks your network into transferring your number to their phone, is a real risk. Use SMS only when nothing else is offered.
2. Authenticator Apps
Apps like Google Authenticator, Microsoft Authenticator, Authy or 1Password generate a fresh six-digit code every 30 seconds, completely offline. Nothing is sent over the phone network, so SIM-swapping cannot defeat them. This is the sweet spot for most home users and small businesses — strong protection, no extra hardware to buy.
3. Hardware Security Keys
A physical USB or NFC key (YubiKey is the best-known brand) is the gold standard. You tap or insert the key during login. Phishing sites cannot trick the key into authenticating, which makes it almost immune to remote attacks. Worth considering for business email, accountancy and any account holding customer data.
How to Set Up 2FA on Your Email Account
Email is the single most important account to protect. If an attacker controls your email, they can reset the password on almost everything else.
For Gmail: Go to your Google Account, open the Security section, and look for 2-Step Verification. Click Get started, follow the prompts to add your phone, then immediately switch to an authenticator app under Authenticator for stronger protection.
For Outlook / Microsoft accounts: Sign in at account.microsoft.com, open Security, choose Advanced security options, and enable Two-step verification. Microsoft will guide you through linking the Microsoft Authenticator app.
For Apple ID: On your iPhone, go to Settings → tap your name → Sign-In & Security → turn on Two-Factor Authentication. Apple uses trusted devices for the second factor, which is convenient and very secure.
How to Set Up 2FA on Your Bank
Most UK banks now require some form of 2FA by default — a card reader, a banking app push notification, or an SMS code. If your bank still relies on a memorable word alone, ring them and ask how to enrol in their app-based or biometric login. Banks in Edinburgh including Royal Bank of Scotland, Bank of Scotland, Lloyds, Nationwide and Starling all offer in-app approval prompts that are far stronger than passwords alone.
How to Set Up 2FA on Social Media
Facebook: Settings & privacy → Settings → Accounts Center → Password and security → Two-factor authentication. Choose authenticator app rather than text message.
Instagram: Profile → menu → Settings and activity → Accounts Center → Password and security → Two-factor authentication.
X (formerly Twitter): Settings and privacy → Security and account access → Security → Two-factor authentication.
LinkedIn: Settings & Privacy → Sign in & security → Two-step verification. Especially important if you handle business contacts or recruitment.
Save Your Backup Codes
Every service that offers 2FA also generates a set of one-time backup codes when you turn it on. Print them, store them in a safe place at home (not on the same device as your authenticator), or save them in a trusted password manager. If you lose your phone, these codes are how you regain access. Skipping this step is the single biggest reason people get locked out of their own accounts after enabling 2FA.
A Word About Phishing
2FA is powerful but not magical. Sophisticated phishing pages can trick you into typing your code straight into the attacker's site. Always check the address bar before approving a login prompt, and never approve a notification you didn't trigger yourself. Our guide to spotting phishing scams walks through the warning signs.
While you're tightening up your security, consider pairing 2FA with a proper password manager — the two together close almost every common attack route. And if you suspect a device has already been compromised, our virus warning signs guide will help you decide whether it needs cleaning before you log into anything sensitive.
Need Help Setting It Up in Edinburgh?
If 2FA setup feels overwhelming — particularly if you have a lot of accounts, or you're worried about getting locked out — we can help. Our remote support service can walk you through every account from the comfort of your own home, and our business IT support covers staff training and centrally-managed 2FA roll-outs for Edinburgh small businesses.
If your computer has already shown signs of compromise, book in for a virus and malware removal first. There is no point setting up 2FA on a device that already has a keylogger watching every keystroke.