Cybersecurity Guides

If someone steals your password today, they can probably log in to your account. Multi-factor authentication (MFA) is the one setting that stops them from getting in, even with the right password. It's free. It takes about two minutes per account. And it's the single biggest security upgrade most people can make.

What It Actually Does

When you log in to an account with MFA turned on, the site asks for two things:

1. Your password (something you know).
2. A code from your phone, a tap on an app, or a fingerprint (something you have or are).

A scammer who buys your password on the dark web gets stopped at step two. They don't have your phone. They can't finish the login. Your account stays yours.

The Three Ways It Usually Works

1. App-based codes (recommended). You scan a QR code once, and from then on your phone generates a new 6-digit code every 30 seconds. Works without internet. The scammer would need your physical phone to get the code.

2. A physical security key. A small USB or NFC device (like a YubiKey) that you tap to prove it's you. The strongest option, especially for banking or work accounts.

3. A text message with a code. Weaker than the other two because scammers can sometimes intercept texts, but much, much better than no MFA at all. If SMS is the only option a site offers, turn it on anyway.

What to Use

If you're on iPhone or Mac:

• Apple Passwords (built into iOS 18 and macOS Sequoia). It can store passwords AND generate MFA codes in one place. When you log in, it autofills both. This is the easiest option if you're already in Apple's world.

If you're on Android, Windows, or want to use the same tool across devices:

• 1Password or Bitwarden. Both do the same thing: store passwords and MFA codes in one encrypted vault, autofill on login. 1Password is polished and costs a few dollars a month. Bitwarden is free and open-source.

If you want something dedicated just for MFA codes:

• Authy (easy, includes encrypted cloud backup).
• Google Authenticator or Microsoft Authenticator (free, reliable, no extra account needed).

Avoid storing MFA codes in the same browser that saves your passwords. If someone gets into your browser, you don't want both halves sitting together.

How to Turn It On

The menu name varies, but the setting is almost always two clicks deep. Search the settings for "two-factor", "2FA", "MFA", or "security".

1. Open the account you want to secure (email, bank, social media).
2. Go to Settings → Security (or Privacy & Security).
3. Look for Two-Factor Authentication, 2-Step Verification, or Login Verification.
4. Choose "Authenticator App" if it's offered. Otherwise pick "Text Message".
5. Scan the QR code with your chosen app, or enter your phone number for SMS.
6. Enter the first code the app or text gives you. Done.

Don't Skip the Backup Codes

When you turn on MFA, the site will usually give you 8 to 10 one-time backup codes. Save these. They're your way back in if you lose your phone.

• Store them in your password manager under a note attached to that account.
• Print a copy and keep it in a safe place at home.
• Do not take a screenshot and leave it in your photo roll.
• Do not email them to yourself. If your email gets compromised, the codes go with it.

After you use a backup code, most sites will invalidate it. Generate a fresh set if you're running low.

Which Accounts to Secure First

If you only have time for a few, start here. In order:

1. Your main email. This is the master key to everything else. Password resets for your bank, your social media, and your accounts all go here.
2. Your bank and any credit card websites.
3. Government accounts. CRA My Account (Canada), My Service Canada Account, your provincial health portal.
4. Password manager. If you use one.
5. Cloud storage (iCloud, Google Drive, Dropbox). Photos of your ID, tax documents, and passport copies often live here.
6. Social media. Facebook, Instagram, LinkedIn, X. Scammers take over accounts and message your family asking for money.

If You Get Locked Out

• Try your backup codes first.
• If those don't work, use the "Can't access your device?" or "Lost access" link on the login page. It usually triggers an identity check (driver's licence photo, security questions, or a recovery email).
• For CRA, call 1-800-959-8281 and ask them to reset your account. They can verify you another way.
• For a bank, walk into a branch with two pieces of ID.

Common Worries

"What if my phone dies or gets stolen?" That's what backup codes are for. Store them somewhere separate from your phone.

"Do I have to do this every single time I log in?" No. Most sites let you check "trust this device" so MFA only kicks in when you log in from a new browser or location. That's safe. The bad guys are logging in from somewhere else.

"What if I'm not good with phones?" A family member can help you set it up once. After that, it's the same two-step login every time. It doesn't get harder. It gets easier once you're used to it.

Going Deeper

• If you want a full guided walkthrough with screenshots, our free course Simple Strategies to Be Secure Online sets up passwords, a password manager, and MFA together in about 20 minutes.
• Want help picking between Apple Passwords, 1Password, and Bitwarden? Ask Dave, our free cybersecurity helper, what fits your devices and comfort level.

One More Thing

MFA is not optional anymore. Every month, our blog covers a scam where the only thing saving the victim was MFA being on, or the only thing that sunk them was MFA being off. Pick two accounts right now. Turn it on. Come back tomorrow and do two more. In a week you'll be done, and you will have taken the single biggest step toward staying safe online.