
What is two-factor authentication and do I need it?

Straight answer

Two-factor authentication adds a second proof of identity beyond your password, usually a code from an app on your phone, so a stolen password alone cannot get in. Yes, you need it, at least on the accounts that control your business: your host, your database, your domain, your email. It is free and it stops the most common takeovers.

Information current as at 5 July 2026

Passwords leak. They get guessed, reused, phished, or spilled in someone else's breach, and once a password is out, a password is all it takes. Two-factor authentication breaks that, by demanding a second proof that a thief almost never has. It is one of the highest-value, lowest-effort security steps available, and it costs nothing. Here is what it is and where you genuinely need it.

Plain English
Two-factor authentication
Requiring a second proof of identity, beyond a password, to log in. Often shortened to 2FA.
Authenticator app
A phone app that generates short-lived login codes, more secure than codes by text.
Recovery codes
One-time backup codes that let you in if you lose your second factor.
Account takeover
When someone gains control of your account, usually via a stolen or guessed password.

What it is and why a password is not enough

Authentication is the act of proving you are who you say you are. A password is one factor, something you know. The trouble is that knowledge can be stolen: passwords get phished, guessed, reused across sites, and exposed in other companies' breaches, and a password on its own is a single point of failure. Two-factor authentication adds a second, different kind of proof, usually something you have, like a code generated by an app on your phone. Now a thief needs both your password and your physical device, which is a far higher bar. The whole point is that the two factors are independent, so compromising one does not hand over the other.

The kinds of second factor, and which to prefer

There are a few common second factors, and they are not equal. A code sent by text message is the weakest, because phone numbers can be hijacked, though it is still far better than nothing. A code from an authenticator app on your phone is stronger and widely available, generating a new short-lived code every thirty seconds without needing a signal. A physical security key is stronger still, a small device you tap, resistant even to sophisticated phishing. For most people running a small app, an authenticator app is the sweet spot: free, strong, and easy. The one rule is to prefer an app over text where you have the choice, and to reserve text for services that offer nothing better.
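To make the "new code every thirty seconds, no signal needed" part concrete, here is the arithmetic an authenticator app and a server both run (RFC 4226 HOTP and RFC 6238 TOTP). This is an added example, not code from this page's authors; the demo secret is the RFC test-vector key and the thirty-second step and one-window skew are assumptions.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Constructed demo secret: the RFC 4226/6238 test-vector key, used only so the
# numbers below are checkable. A real app generates a random secret per user
# and shows it once (usually as a QR code) when 2FA is switched on.
DEMO_SECRET = b"12345678901234567890"
STEP = 30  # seconds per code: why the app shows a fresh code every half minute


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: last nibble picks 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, digits: int = 6) -> str:
    """Time-based code (RFC 6238): the counter is the current 30-second window.
    Phone and server each compute this from the shared secret and their own
    clock, so nothing has to be sent over the air."""
    return hotp(secret, at // STEP, digits)


def verify_totp(secret: bytes, submitted: str, at: int,
                last_counter: int = -1, skew: int = 1) -> Optional[int]:
    """Server-side check. Returns the window counter that matched, or None.

    Accepts the current window plus `skew` windows either side to tolerate
    clock drift. Any window at or before `last_counter` (the window of the
    last accepted code, persisted per user) is refused, so a code that was
    already used, or captured and replayed a moment later, is rejected."""
    submitted = submitted.strip()
    if not (submitted.isascii() and submitted.isdigit()):
        return None
    for w in range(-skew, skew + 1):
        counter = at // STEP + w
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return counter
    return None


if __name__ == "__main__":
    now = 59  # RFC 6238 test time; real code uses int(time.time())
    code = totp(DEMO_SECRET, now)
    print("code:", code, "accepted in window:", verify_totp(DEMO_SECRET, code, now))
    print("replayed:", verify_totp(DEMO_SECRET, code, now, last_counter=1))
```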

No pressure
Show us what you built.

If you have made something and it needs to become real, send it over. We will tell you honestly what it needs to be live, safe and yours, whether that is a quick fix you can do or a proper build. No obligation.

Where you genuinely need it

You do not need it on everything equally; you need it most on the accounts that, if taken over, would let someone dismantle or hijack your business. These are your keystone accounts: the host that runs your app, the database that holds your data, the registrar that controls your domain, your email (which can reset everything else), your payment processor, and your code repository. If any of these fall, the damage cascades, because control of your email or domain can be used to seize the rest. Turn on two-factor authentication on every one of these first. Then extend it to any account holding customer data or money. The effort is a few minutes each; the protection is against the most common way businesses get hijacked.

Setting it up without locking yourself out

The one real risk with two-factor authentication is locking yourself out if you lose your phone, and it is entirely avoidable. When you switch it on, the service offers recovery codes, one-time backup codes that get you in if your second factor is unavailable. Save these somewhere safe and offline, such as a password manager or a written note in a secure place, not in the same phone that holds the authenticator. Consider registering a second factor as backup where the service allows. With recovery codes stored, two-factor authentication has no real downside: you get the strong protection and keep a way back in. Should you also offer it to your own customers on their logins, the same logic applies, and it is a genuine trust signal that you take their security seriously.
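If you do offer two-factor authentication to your own customers, recovery codes need the same care on the server as on the user's side: shown once, stored only as hashes, and consumed on first use. This is an added example, not code from this page's authors; eight ten-character codes and the xxxxx-xxxxx layout are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import List, Set, Tuple

# Assumed format: eight codes of ten hex characters, shown as xxxxx-xxxxx.
# The count and layout are choices for this example, not a standard.
CODE_COUNT = 8


def _normalize(code: str) -> str:
    """Tolerate how people type codes back: case, spaces and the dash."""
    return code.strip().lower().replace("-", "").replace(" ", "")


def _digest(code: str) -> str:
    # The codes are random and unguessable, so plain SHA-256 is enough to stop
    # a leaked database from revealing them (passwords need a slow hash
    # because people choose them; these are 40 random bits each).
    return hashlib.sha256(_normalize(code).encode()).hexdigest()


def generate_recovery_codes(n: int = CODE_COUNT) -> Tuple[List[str], Set[str]]:
    """Return (codes to show the user exactly once, hashes to store)."""
    plain = []
    for _ in range(n):
        raw = secrets.token_hex(5)  # 40 random bits per code
        plain.append(f"{raw[:5]}-{raw[5:]}")
    return plain, {_digest(c) for c in plain}


def redeem_recovery_code(stored: Set[str], submitted: str) -> bool:
    """Consume one code: it works once, then it is gone.

    Every stored hash is compared in constant time so response timing does
    not reveal how close a guess came. Rate-limit this endpoint like any
    other login attempt."""
    candidate = _digest(submitted)
    matched = None
    for h in stored:
        if hmac.compare_digest(h, candidate):
            matched = h
    if matched is None:
        return False
    stored.discard(matched)  # single use
    return True


if __name__ == "__main__":
    shown, db = generate_recovery_codes()
    print("give the user these, once:", shown)
    print("first use:", redeem_recovery_code(db, shown[0]))
    print("second use:", redeem_recovery_code(db, shown[0]))
```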

Common questions

Questions, answered

Do I really need two-factor authentication if I use strong passwords?
Yes. Even a strong, unique password can be phished or exposed in another company's breach, and then it is enough on its own to get in. Two-factor authentication means a stolen password is not enough, because the thief also needs your device. It closes the most common route to account takeover, which passwords alone cannot.
Is a text-message code good enough?
It is much better than nothing, but it is the weakest form, because phone numbers can be hijacked. Prefer a code from an authenticator app where the service offers it; the app is free, stronger, and works without a signal. Use text-message codes only for services that provide no better option, rather than as your default choice.
What happens if I lose my phone?
This is why you save the recovery codes the service gives you when you enable two-factor authentication. Stored safely and offline, they let you back in without your phone. Registering a second device as backup helps too. With recovery codes kept somewhere secure, losing your phone is an inconvenience, not a lockout, and never a reason to skip it.
Which accounts should have it turned on first?
The keystone accounts that run your business: your host, your database, your domain registrar, your email, your payment processor, and your code repository. These cascade if taken over, so protect them first. Then extend it to anything holding customer data or money. Your email especially, since it can reset your other accounts, deserves it immediately.

Start here

Two doors. Same senior team.

Whether you can name exactly what you want built, or you just know something is leaking, the next step is the same conversation.