2FA Setup Guides

Discord requires two-factor authentication (2FA) for server moderators and protects your account against takeover. This guide walks through enabling 2FA with any TOTP authenticator app — including 2FAA's free web authenticator.

Read the Discord 2FA guide →

Enabling 2FA on Epic Games protects your Fortnite account, V-Bucks, and skins — and unlocks the Boogie Down emote as a reward. This works for Fortnite, Rocket League, Fall Guys, and every Epic Games title (they all share one Epic account).

Read the Epic Games / Fortnite 2FA guide →

Roblox accounts are a common target for scams because of Robux and rare items. Turning on 2-step verification with an authenticator app makes account takeover almost impossible without your phone or 2FAA browser.

Read the Roblox 2FA guide →

Spotify rolled out two-factor authentication for everyone in 2024. With 2FA on, even if someone gets your password, they can't sign in to your Spotify account without a fresh code from your authenticator.

Read the Spotify 2FA guide →

PayPal handles real money — your bank account, credit cards, and balance. Enabling 2FA with an authenticator app is one of the highest-impact security changes you can make. SMS-only 2FA is vulnerable to SIM swap attacks; an authenticator app is not.

Read the PayPal 2FA guide →

Twitch requires 2FA before you can broadcast, run a Twitch Affiliate/Partner account, or use certain chat features. 2FA also blocks the most common Twitch account takeovers.

Read the Twitch 2FA guide →

Slack 2FA is set per account — once enabled, it protects every workspace you sign in to. Workspace admins can also enforce 2FA for everyone in their workspace.

Read the Slack 2FA guide →

Instagram account takeovers are common — attackers target creators, businesses, and verified accounts. Authenticator-app 2FA blocks every password-only attack, even if your password leaks.

Read the Instagram 2FA guide →

GitHub mandated 2FA for all users who contribute to popular repositories starting in 2024. Even if you're not required, 2FA protects your private repos, SSH keys, and personal access tokens.

Read the GitHub 2FA guide →

Amazon stores your credit cards, addresses, and Prime subscription. Two-step verification with an authenticator app blocks anyone who steals or guesses your password from placing orders or changing payment methods.

Read the Amazon 2FA guide →

Your Google account is the master key to Gmail, YouTube, Drive, Photos, and every site where you sign in with Google. 2-Step Verification with an authenticator app stops password-only attacks cold — and unlike SMS, TOTP codes can't be intercepted by SIM swapping.

Read the Google Account 2FA guide →

Hijacked Facebook accounts get used for scams, ad fraud, and locking out the real owner. Authenticator-app 2FA blocks anyone with just your password — and it's the method Meta itself recommends over SMS.

Read the Facebook 2FA guide →

Since March 2023, X only offers SMS-based 2FA to Premium subscribers — but authenticator-app 2FA is free for everyone, and it's the more secure option anyway. Setup takes about two minutes.

Read the X (Twitter) 2FA guide →

SIM-swap attacks against crypto accounts are the most financially damaging form of 2FA bypass — attackers port your phone number, receive your SMS codes, and drain the account. Moving Coinbase from SMS to an authenticator app closes that door completely.

Read the Coinbase 2FA guide →

Binance requires 2FA for withdrawals, API key creation, and security changes. The authenticator-app method protects you even if your password and email are compromised — and unlike SMS, it works regardless of phone signal or SIM-swap attacks.

Read the Binance 2FA guide →

One Microsoft account signs you into Outlook, Xbox, OneDrive, Teams, and Windows itself. Two-step verification with a TOTP app means a leaked password alone can't take any of it — and you don't have to install Microsoft Authenticator if you'd rather not.

Read the Microsoft Account 2FA guide →

A compromised AWS account doesn't just leak data — it runs up real money. AWS now requires MFA for root users on management accounts, and a 'virtual MFA device' is just standard TOTP: any authenticator app works, including 2FAA.

Read the AWS 2FA guide →

Whoever controls your Cloudflare account controls your DNS — which means your email routing, your TLS, and effectively your whole domain. 2FA here protects every site you run, not just one account.

Read the Cloudflare 2FA guide →

Steam accounts hold game libraries, inventories, and wallet funds that resell for real money, which makes them a constant phishing target. Steam's 2FA — Steam Guard — works differently from every other platform on this list: codes come only from the official Steam Mobile app.

Read the Steam 2FA guide →