Turn On Stronger Sign-In — Start With Passkeys

A password on its own is no longer enough. The modern upgrade is the passkey: phishing-resistant, with no shared secret for anyone to steal, and able to replace both your password and your two-factor code. This guide leads with passkeys, then shows you how to set up traditional 2FA, ranked strongest to weakest, for accounts that don't support passkeys yet.

General security guidance, not advice for any specific account. Provider steps and settings pages were reviewed in June 2026 — always follow the official help pages linked here, which take precedence and may change.

Why a Password Alone Isn't Enough

Four routine attacks defeat passwords every day. A second factor, or better a passkey, stops most of them dead; the one that slips past is malware stealing an already signed-in session, covered in the FAQ below.

Credential Stuffing

Criminals take passwords leaked from one site and fire them at login pages everywhere using automated tools. If you've reused a password even once, a single old leak can unlock many of your accounts.

Infostealer Malware

Malware on a device silently lifts every saved password and session cookie from the browser in seconds. The password itself is taken straight from your machine — strength and length make no difference.

Phishing & Fake Logins

A convincing email or text lures you to a fake login page that captures your username and password — and even your one-time 2FA code — exactly as you type them. Passkeys are immune to this.

Reused & Guessable Passwords

Most people reuse passwords across accounts, or pick ones that are easy to guess or already in a breach list. One weak link compromises everything connected to it.

Passkeys: The Phishing-Proof Upgrade

If you take one thing from this guide, make it this: where a service offers passkeys, use them. They're the strongest, simplest sign-in available today.

What is a passkey?

A passkey is a pair of cryptographic keys created on your device when you set it up for a service. The private key never leaves your phone, laptop or password manager; the public key is stored by the service. To sign in, you unlock the private key with your fingerprint, face or device PIN, and your device uses it to sign a fresh one-time challenge from the service, which checks the signature against the stored public key. There's no password to type, remember, reuse or leak, and because passkeys are built on the open FIDO2 and WebAuthn standards, they work the same way across every supported service.

On a supported service a passkey can replace both your password and your second factor at once. A single fingerprint or face check signs you in — there is no shared secret left for anyone to phish, intercept or steal.

Nothing to phish

A passkey is cryptographically bound to the domain it was created for, and your browser will only offer it on that domain. Show it a convincing fake login page at a lookalike address and it simply won't work: there is no code or secret to hand over, so phishing fails by design.

No shared secret

The site only ever stores your public key, which is useless to a thief. Even if the service is breached, there's no password or seed to steal and replay against your account.

Unlocked by you, on your device

Signing in needs the private key on your device plus your fingerprint, face or PIN. An attacker on the other side of the world has neither, so a leaked database gets them nowhere.

Syncs across your devices

Passkeys sync securely through Apple iCloud Keychain, Google Password Manager, Microsoft, or a password manager such as 1Password or Bitwarden — so a new phone or laptop already has them, with no codes to re-enter.

How to Set Up Passkeys

Turn on a passkey provider once, then add a passkey to each account when it offers you the option (usually under Security settings).

1. Apple devices (iCloud Keychain)

On iPhone, iPad and Mac, passkeys are built in. Make sure iCloud Keychain is on (Settings → your name → iCloud → Passwords and Keychain), then choose 'Save a passkey' whenever a website or app offers it. They sync across all your Apple devices automatically.

2. Google Account

Open your Google Account, go to Security → 'How you sign in to Google' → Passkeys, and create one. Google Password Manager syncs it to your Android phones and to Chrome on every signed-in device.

3. Microsoft Account

Sign in at your Microsoft account security settings, choose 'Add a new way to sign in', and select Face, fingerprint, PIN or a security key. This sets up a passkey you can use to sign in without a password.

4. Password managers (1Password, Bitwarden)

A cross-platform password manager stores passkeys that work on iPhone, Android, Windows and Mac alike — handy if you mix ecosystems. Turn on passkey support in the app, then save passkeys to it whenever a site offers one.

If You Can't Use Passkeys Yet: 2FA Ranked

Plenty of accounts still don't offer passkeys. Turn on the strongest second factor each one supports — they are not equal. Avoid SMS where anything better is available.

Strongest: Hardware security key (FIDO2)

A small physical key (such as a YubiKey) you tap or plug in to approve sign-in. Like a passkey, it's phishing-resistant and bound to the genuine site — the gold standard of traditional 2FA. Buy two and register both, so you keep one as a spare.

Strong: Authenticator app (TOTP)

An app such as Google Authenticator, Microsoft Authenticator, Authy or your password manager generates a fresh six-digit code every 30 seconds, entirely on your device, from a secret seed you share with the service once when you scan its QR code. No mobile signal needed, and nothing travels over the phone network. The caveat: the code is not tied to the website, so a real-time phishing page can still capture and relay it. Even so, it is the best choice when passkeys or a hardware key aren't offered.

Good: Push approval

The service sends a 'Was this you?' prompt to an app on your phone and you tap Approve. Convenient and decent, but beware 'MFA fatigue' attacks, where an attacker who already has your password fires off prompts until you approve one by mistake: never approve a prompt you didn't start. Number-matching versions, where the sign-in screen shows a number that you must type into the app, are stronger because a stray tap can't approve them.

Weakest: SMS text code

A one-time code texted to your phone. Far better than no second factor at all, but vulnerable to SIM-swapping, network interception and phishing of the code itself. Use only as a last resort, and replace it as soon as you can.

SMS codes are the weakest option and a real risk for executives and high-value targets. In a SIM-swap attack a criminal tricks your mobile provider into moving your number to their SIM, then receives your codes. Use SMS only when nothing better is offered — and switch the moment an app or key becomes available.

Set Up an Authenticator App — Step by Step

The same six steps work for almost every account that supports authenticator (TOTP) codes.

1. Install an authenticator app

Choose a reputable app — Google Authenticator, Microsoft Authenticator, Authy, or the authenticator built into your password manager. Install it from your phone's official app store.

2. Open the account's security settings

On the account you want to protect, find Security, Login or Two-Factor Authentication settings, and choose to add an authenticator app (sometimes called 'app' or 'TOTP').

3. Scan the QR code

The service shows a QR code. In your authenticator app, choose 'Add' or '+', then scan it with your camera. The account now appears in the app, generating a new code every 30 seconds.

4. Confirm with a code

Type the current six-digit code from the app back into the website to prove the link worked. The codes refresh automatically — always enter the one showing right now.

5. Save your backup codes

The service offers one-time backup codes for when you can't reach the app. Download or print them and store them somewhere safe and offline — not in the same place you sign in from. They're your way back in if you lose your phone.

6. Add a second method

Where allowed, register a second method too — a hardware key, or the same account on a second device. One backup means you're never locked out because of a single lost or broken phone.

Turn It On Everywhere

Start with the accounts that matter most — your email first (it's the master key to everything else), then banking and social media. These links go straight to each provider's official security settings.

Don't Get Locked Out

Stronger sign-in only helps if you can still get in yourself. Set up your safety net before you need it.

Save your backup codes. Almost every service gives you one-time recovery codes when you turn on 2FA. Download or print them and keep them somewhere safe and offline — a locked drawer or a secure note in your password manager — never in the same inbox you're protecting.

Register more than one method. A second hardware key, a passkey on another device, or the same authenticator account on a second phone means a lost or broken device never locks you out for good.

Keep recovery details current. Make sure your recovery email and phone number are up to date and that you still control them. Review them whenever you change phone or email provider, so a future reset actually reaches you.

Frequently Asked Questions

The questions people ask most about passkeys and two-factor authentication.

Are passkeys safe?

Yes — passkeys are widely considered the safest mainstream sign-in method available. The private key never leaves your device and is unlocked only by your fingerprint, face or PIN, while the service stores only a useless public key. Because a passkey is bound to the genuine website's address, it can't be phished, and there's no shared secret to leak in a breach. They're built on the open FIDO2 and WebAuthn standards backed by Apple, Google and Microsoft.

What happens if I lose my phone?

You won't be locked out if you've planned ahead. Passkeys synced through iCloud Keychain, Google Password Manager, Microsoft or a password manager are restored automatically on a new device once you sign in. For authenticator-app codes, use your saved backup codes or a second registered method to get in, then re-add the app on your new phone. This is exactly why registering a second method and storing backup codes matters.

Is SMS 2FA better than nothing?

Yes — any second factor is far better than a password alone, and SMS still blocks the vast majority of automated attacks. But it's the weakest option: text codes can be intercepted, phished, or stolen via SIM-swapping, where a criminal moves your number to their SIM. Use SMS if it's all a service offers, but switch to an authenticator app, hardware key or passkey the moment one is available.

Can attackers bypass 2FA?

Traditional 2FA can be bypassed in two main ways. Real-time phishing pages can capture your code as you type it and relay it instantly, and infostealer malware can steal an active session cookie — an already-authenticated session that skips both your password and your 2FA. Passkeys defeat the phishing route entirely because there's no code to capture. To learn how cookie theft works, see our infostealer guide.

Do passkeys work across my devices?

Yes. Passkeys sync securely within an ecosystem: across your Apple devices via iCloud Keychain, across Android and Chrome via Google Password Manager, or everywhere at once via a cross-platform password manager like 1Password or Bitwarden. You can also use a passkey on a device that doesn't have it by scanning a QR code with your phone, which approves the sign-in over a secure local connection; the phone has to be physically nearby (it checks over Bluetooth), so a remote attacker can't use this route to relay a sign-in.

What about backing up my authenticator app?

Some authenticator apps (such as Authy and Microsoft Authenticator) can back up your codes to the cloud so they restore on a new phone, while others (like the classic Google Authenticator) traditionally lived only on one device — though Google Authenticator now also supports syncing to your account. Whichever you use, always keep each account's one-time backup codes offline as well, so you're never dependent on a single device.

Strong Sign-In Stops Most Attacks. Find Out What's Already Exposed

Even with 2FA on, credentials stolen by malware or leaked in a breach can already be circulating. DarkStrata monitors infostealer logs, breaches and criminal marketplaces for your logins — so you can act before attackers do.

Start 7-Day Free Trial