Why 2FA is the single biggest defense

Passwords get leaked, phished, and guessed. Two-factor authentication (2FA, sometimes called 2-step verification or MFA) adds a second check at login — a one-time code or a physical key. Even if an attacker has your kid’s password, they can’t log in without the second factor.

The hierarchy of 2FA methods

  1. Hardware security key (FIDO2, e.g., YubiKey) — strongest. Phishing-resistant. ~$30 per key.
  2. Authenticator app (TOTP, e.g., Google Authenticator, Authy, 1Password) — excellent. Free. Works offline.
  3. Push notification to a trusted device — good. Phishing-resistant if the device itself is secure.
  4. SMS code — last resort. Vulnerable to SIM-swap attacks. Better than nothing but upgrade to app-based when offered.
  5. Email code — weakest (if email is also compromised).

Which accounts to turn on first

  • Email (Gmail, Outlook, iCloud) — the master key. If email has 2FA, most other accounts can be recovered.
  • Apple ID / Google account / Microsoft account — tied to all your devices.
  • Banking and financial.
  • Password manager master account.
  • Social media (Instagram, Snap, TikTok, Discord).
  • Gaming (Roblox, Epic, Steam).
  • Amazon, Netflix, Disney+ (surprisingly common targets).

Setup walkthrough (typical flow)

  1. Go to account security settings on the service.
  2. Enable two-step / two-factor verification.
  3. Choose authenticator app; scan the QR code in your authenticator.
  4. Enter the code shown in the app to confirm.
  5. Save the backup / recovery codes in your password manager. If you lose your phone, these codes get you back in.
  6. Test by signing out and back in.

The recovery-code problem

The #1 failure mode of 2FA: losing access to the authenticator with no backup codes. Ways to prevent:

  • Save backup codes in your password manager.
  • Use an authenticator with cloud backup (Authy, 1Password, Bitwarden).
  • Register a second 2FA method on each account (e.g., both an authenticator app and a hardware key).

Teaching kids

2FA is a lifelong habit. Set it up together the first time so the kid understands what it is. Consider: their Roblox account is probably more valuable to them than their email — start there.