Why I Ignored Two-Factor Auth for Years

I will be honest. I knew about two-factor authentication for a long time. Years, probably. Every few weeks, Gmail or Instagram or some other service would flash a banner telling me to turn it on, and I would close the banner without a second thought. Not because I did not understand the concept. I got it. Password plus a code from your phone equals harder to hack. Simple enough. I just could not be bothered.

My reasoning, if you can call it that, went something like: I have never been hacked before. My passwords are not terrible. I do not click on sketchy links. So why add another step to logging in? Why deal with codes and apps and backup nonsense when my accounts have been fine for years without any of it?

I know, I know. Famous last words.

The thing is, that logic held up right until it stopped holding up. And when it stopped, it stopped badly. A friend of mine from college, Rohit, called me on a Tuesday night sounding genuinely panicked. Someone had gotten into his Instagram. Not just "posted a weird story" gotten in. They had changed the email address linked to his account, changed the recovery phone number, updated the bio to some crypto scam pitch, and started messaging his followers asking them to invest in a fake token. Within an hour, his profile looked nothing like his. People in our friend circle were getting DMs from "him" asking for money. The whole thing spiralled fast. He contacted Meta support. They told him to fill out a form. Then another form. Then they asked him to upload a video of himself holding a piece of paper with a code on it. This back-and-forth took almost a month. He eventually got the account back, but by then people had unfollowed him, some friends had sent money to the scammer thinking it was Rohit, and the whole situation was just embarrassing and exhausting. When I asked him whether he had two-factor auth turned on, he said the same thing I had been saying: "I was going to set it up." That sentence stuck with me because I had been saying the exact same thing for three years straight.

So yeah. That is what it took. Not a security article. Not a statistic. A friend getting his account stolen while I watched it happen from the outside and thought, that could have been me.

I sat down that weekend with a cup of chai and went through my accounts one by one. Gmail, Facebook, Instagram, Amazon, Microsoft. I was ready for it to be annoying. I was ready for confusing menus and error messages and codes that did not work. I was not ready for how quick and painless it actually was, which made me feel even dumber for putting it off. But I will get to that in a minute.

Before I do, a quick note for anyone in India reading this: you already use a form of two-factor authentication whether you realise it or not. Every time you buy something online with your debit card and the bank texts you a one-time password, that is 2FA. Your card details are one factor. The OTP on your phone is the second. RBI made this mandatory for online transactions years ago, and it has prevented an enormous amount of fraud. The concept behind protecting your email or social media accounts is identical. You enter your password. Then the service asks for a second thing, usually a code from your phone, to prove that you are actually you and not someone halfway across the country who bought your login credentials off a Telegram channel for fifty rupees.

Google published a study a while back that said adding a recovery phone number to your Google account blocks 100 percent of automated bot attacks and 99 percent of bulk phishing attempts. Microsoft has published similar findings. I am not going to pretend those numbers convinced me. They did not. Rohit's story did. But the numbers are real, and they paint a fairly clear picture of what a difference one extra step makes.

Look, I get the resistance. I was the resistance. I spent years telling myself it was unnecessary hassle. But the hassle is about twenty minutes of setup and maybe ten extra seconds each time you log in on a new device. Compare that to weeks of begging a support team to return your stolen account, or worse, watching someone drain money from your linked bank account because they had your password and nothing stood between them and your inbox. The trade-off is not even close, and I wish I had not needed a friend's nightmare to figure that out.

[Image: Smartphone showing 2FA authentication code with laptop login screen in background]

Getting Locked Out Changed My Mind

Fine, I will admit something. Even after turning on 2FA everywhere, I was not fully convinced it was worth the trouble. I treated it like a chore I had completed. Ticked the box, moved on, went back to being annoyed every time a service asked me for a code.

Then about six weeks later, I got an email from Google. The subject line was something like "Someone has your password." Not exactly those words, but close enough to make me put down my sandwich. Google was telling me that somebody had tried to sign into my account from a location I had never been to, using my actual password. The correct password. Not a guess. Not a brute-force attempt. My actual password, the one I had been using for that account for two years.

They did not get in. The login attempt failed because of 2FA. Google sent the person a prompt asking for the second factor, and since they did not have my phone, they could not complete the sign-in. That was it. Blocked. My account stayed safe, my data stayed private, and the only thing I had to do was change my password, which I should have done ages ago since I had been reusing it across a couple of services.

I sat there staring at my screen for a good minute. If I had not set up 2FA that weekend after Rohit's mess, whoever had my password would have walked right in. They would have had access to ten years of emails, my Google Drive files, my saved passwords in Chrome, everything linked to that account. And I would not have known until the damage was already done. That was the moment I stopped thinking of 2FA as an inconvenience and started thinking of it as a lock on my front door. You do not resent your house lock for making you carry a key. You just accept that locking doors is what reasonable people do.

I also learned something else from that scare. The password that got stolen was one I had used on a smaller website, some forum I signed up for years ago and forgot about. That site probably got breached at some point, and my email and password combination ended up in a leaked database. Attackers take these leaked credentials and try them on Gmail, on Facebook, on banking portals, everywhere. It is called credential stuffing, and it works because so many of us reuse passwords. I was one of those people. 2FA was the only thing that stopped a lazy password habit from turning into a real problem.

After that, I stopped treating 2FA like a burden. I also started using a password manager, but that is a different story for a different day.

Setting It Up Was Less Painful Than Expected

I had imagined the setup process as this long, technical ordeal. Download some app, scan some code, type some number, mess it up, start over, get frustrated, give up. That is genuinely what I expected. Turns out it was so much simpler that I felt stupid for having waited three years.

I went through my most-used accounts one at a time. The whole thing took maybe twenty-five minutes, and most of that was spent finding the right settings page, because every platform buries the 2FA option in a slightly different place.

Gmail and Google account: Open a browser, go to myaccount.google.com, click on Security in the left sidebar, scroll down to "2-Step Verification," and click "Get Started." Google walks you through the whole thing. It first suggests Google Prompts, where your phone receives a pop-up notification asking "Is this you trying to sign in?" and you tap Yes or No. That alone is a decent layer of protection. But I also added an authenticator app because I wanted a backup method. I chose Authy. You open the app, scan a QR code that Google shows you on screen, and Authy starts generating six-digit codes that change every thirty seconds. I typed in the current code, Google confirmed the setup, and then it gave me a set of ten backup codes. I copied those into Bitwarden, my password manager. The entire process took about four minutes. Four minutes for a level of protection I had been dodging for three years.

Facebook: Log in on a browser. Go to Settings and Privacy, then Settings, then Accounts Centre, then Password and Security, then Two-Factor Authentication. Pick "Authentication App," scan the QR code with Authy, type the code. Save the recovery codes Facebook gives you. Maybe three minutes.

Instagram: Almost identical to Facebook because Meta owns both. Go to your profile, tap the three-line menu, go to Settings and Privacy, then Accounts Centre, then Password and Security, then Two-Factor Authentication. Same QR code scan, same six-digit code entry. Done. Another three minutes.

Banking apps and UPI: This works a bit differently in India because banks here already enforce OTP-based verification for transactions. The RBI mandated this, so if you have ever entered an OTP to confirm a debit card purchase online, you have already experienced the banking version of 2FA. What I did on top of that was enable biometric login on my SBI YONO app and my HDFC Bank app, so that even opening the app requires a fingerprint scan. For UPI apps like Google Pay, PhonePe, and Paytm, I turned on the in-app lock feature. This means that even if someone somehow unlocks my phone, they cannot open Google Pay without my fingerprint or a separate PIN. It is an extra wall between a thief and my money, and it takes about a minute to set up on each app. Go to the app's settings, look for "App Lock" or "Security," and turn it on.

The whole experience surprised me. I thought I would hate the daily friction. I thought I would constantly be fumbling for my phone to type in codes. But on my own devices, I barely notice 2FA is there. Google Prompts pop up once in a while and I tap a button. The authenticator app only matters when I log in from a new device or a new browser, which happens maybe twice a month. My banking apps use my fingerprint, which takes half a second. The imaginary version of 2FA I had built up in my head, where I would be typing codes fifty times a day and losing access to everything, just did not match what actually happened.

Look, I will be honest about the one annoying moment I had. Right after setting up 2FA on Microsoft, I tried to log into Outlook on my work laptop. My phone was charging in the bedroom. I had to walk across the flat, pick it up, open Authy, read the code, walk back to the laptop, and type it in. It took forty-five seconds. That was the single worst 2FA experience I have had in six months of using it. Forty-five seconds of walking. Compare that to what Rohit went through for a month trying to recover his Instagram. I think I can live with a short walk.

SMS vs App vs Hardware Key: My Actual Experience

There are three main flavours of two-factor authentication, and after six months of using them, I have thoughts on each. Not security-researcher thoughts. Just regular-person-who-uses-the-internet thoughts.

SMS OTPs. Everyone in India knows this one. You log in, the service sends a text message with a six-digit code, you type the code. Dead simple. Works on any phone, including that Rs 2,000 feature phone your uncle refuses to upgrade from. The security community has a lot of anxiety about SMS-based 2FA because of something called SIM swapping. That is when an attacker calls your telecom carrier — Jio, Airtel, Vi, BSNL — and convinces them to transfer your phone number to a new SIM card. Once they have your number, they receive all your OTPs. This has happened in India. There have been reported cases where scammers used fake documents at telecom stores to get replacement SIMs issued. But I want to be clear about something. SMS-based 2FA is still miles ahead of no 2FA at all. If a service only offers SMS as a second factor, take it. The attacks that SMS protects against, which are automated bots and bulk phishing, are the attacks that the vast majority of us are most likely to face. SIM swapping is a targeted attack. Someone has to specifically pick you and go through real effort. For most of us, the risk of being SIM-swapped is much lower than the risk of having an unprotected account broken into by a bot trying leaked passwords.

Authenticator apps. This is what I use for most of my accounts now. Apps like Google Authenticator, Microsoft Authenticator, and Authy all do the same basic thing. They generate a six-digit code on your phone that refreshes every thirty seconds. The code is created locally on your device based on a shared secret that was set up when you scanned that QR code. No text message involved, no network needed. Even if someone clones your SIM, they do not get these codes because the codes are not tied to your phone number. They are tied to the app on your specific device. I went with Authy because it offers encrypted cloud backup of your codes. If my phone gets stolen or stops working, I can install Authy on a replacement phone, log in with my Authy account, and recover all my codes without having to set up 2FA again on every single service from scratch. Google Authenticator added a similar cloud sync feature recently, which is a relief, because before that, losing your phone with Google Authenticator on it meant losing access to every account that used it for 2FA. I have heard horror stories from people who upgraded phones and did not think to transfer their authenticator app data first.
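To make the "created locally from a shared secret" point concrete, here is an added example (not code from Authy, Google, or any service mentioned above) of the TOTP algorithm those apps implement: RFC 6238, HMAC-SHA1, a 30-second step, and the server-side check with a small clock-drift window. It uses the RFC's own published test secret so the output can be checked against the standard; function names are mine.

```python
"""Minimal RFC 6238 TOTP generator and verifier (added example)."""
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # code lifetime; the "every thirty seconds" on the page
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the low `digits` decimal digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time=None, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).
    No network is involved; only the secret and the clock matter."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, code: str, unix_time=None,
                step: int = STEP_SECONDS, drift_steps: int = 1) -> bool:
    """Server-side check: accept the current step plus `drift_steps`
    either side to tolerate small clock skew between phone and server.
    Constant-time comparison so timing does not leak partial matches."""
    if unix_time is None:
        unix_time = int(time.time())
    counter = unix_time // step
    for c in range(counter - drift_steps, counter + drift_steps + 1):
        if hmac.compare_digest(hotp(secret, c), code):
            return True
    return False


def secret_from_base32(b32: str) -> bytes:
    """The QR code a service shows carries the shared secret as base32
    inside an otpauth:// URI; the app decodes it like this."""
    s = b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)          # restore padding QR payloads omit
    return base64.b32decode(s)


# RFC 6238 reference secret (ASCII "12345678901234567890"), used only so
# the output can be compared with the RFC's published test vectors.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(totp(RFC_SECRET, 59))                    # 287082 (RFC 6238, SHA-1)
    print(verify_totp(RFC_SECRET, "287082", 89))   # True: one step later, in window
```

Seeing `verify_totp` accept a code one step late is also why a slightly wrong phone clock usually still works, and why a code copied from a leaked screenshot is useless a minute later.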

Hardware security keys. These are physical devices, like a small USB stick, that you plug into your computer or tap against your phone when logging in. YubiKey is the best-known brand. They are extremely secure. Phishing does not work against them because the key checks the actual website domain before responding, so even if you land on a fake Google login page, the key refuses to authenticate. I do not use one. They cost between 4,000 and 6,000 rupees in India, you have to remember to carry the key with you, and if you lose it, recovery can be painful. They make a lot of sense for journalists, activists, politicians, business owners, or anyone whose accounts are high-value targets for determined attackers. For someone like me, an authenticator app provides more than enough protection.

One thing I want to say about the phone-as-second-factor approach, whether SMS or app. There is a real risk most people do not think about: losing the phone. If your phone is stolen or breaks and you have no backup codes saved, you can lock yourself out of your own accounts. Most services give you a set of one-time recovery codes when you first enable 2FA. These are meant for emergencies. I keep mine in Bitwarden and also on a printed sheet in a drawer at home. If you set up 2FA and skip the recovery codes, you are building a security system with no emergency exit. A colleague of mine learned this the hard way. Her phone died, she had no backup codes, and she spent days trying to prove to Google that she was actually the owner of her own account. It was a mess. Save the codes. Put them somewhere safe. Not in a file called "backup_codes.txt" on your desktop.

My setup, if you are curious: Authy as my main authenticator for Gmail, Facebook, Instagram, Amazon, Microsoft, and a few other services. Google Prompts as a secondary method on my Google account because it is genuinely quick and convenient. SMS as a fallback on the few services that do not support authenticator apps. Recovery codes stored in Bitwarden and printed on paper. I also have biometric locks on all my banking and UPI apps. Is it a perfect setup? Probably not. But it is so much better than what I had six months ago, which was nothing but a recycled password and a vague sense of optimism.

[Image: Phone displaying authenticator app with one-time security codes]

Six Months In: Is It Worth the Hassle?

I want to answer this honestly, because I have seen too many security articles that treat 2FA like some life-changing revelation that made the author weep with gratitude. It is not that. It is a security measure. It works. It is also occasionally annoying.

The annoyances are real. I have been locked out of my own accounts twice because I was travelling and my phone had no signal, so the SMS OTP never arrived. I have been caught without my phone when trying to log in on a friend's computer. I accidentally deleted Authy once while cleaning up apps on my phone and had a full ten minutes of panic before I reinstalled it and realised cloud backup had saved everything. These are minor frustrations, but they are not zero.

I also made a mistake I keep repeating: approving Google Prompts without reading them. My phone buzzes with "Did you just try to sign in?" and I tap "Yes" out of muscle memory before I even register the question. That defeats the entire purpose. If someone else has my password and triggers a prompt, my instinct to tap Yes would hand them my account. I have gotten better about pausing and actually reading the notification before responding, but I am not perfect at it. I know, I know, the whole point is to pay attention. I am working on it.

One more thing that tripped me up. I had only enabled 2FA on what I thought of as my "main" accounts — the big ones like Gmail and Instagram. I left Amazon, Flipkart, and Swiggy unprotected. Then I thought about what those accounts actually contain. My Amazon account has my home address, my saved debit card, and a record of everything I have bought for years. Flipkart has the same. Swiggy knows where I live and where I order food. If any of those got broken into, someone could order products on my card or just learn a lot about my life. I went back and added 2FA where possible. Swiggy and Zomato do not offer authenticator-based 2FA yet, which is frustrating, but I at least made sure those accounts had unique, strong passwords.

And one more hard-learned lesson. Never, under any circumstances, share an OTP with anyone who asks for it over the phone. Not someone claiming to be from your bank. Not a "customer care agent" on WhatsApp. Not anyone. No real service will ever call you and ask you to read out the code they just sent. If someone calls and asks for an OTP, it is a scam. Every single time. I had a relative who nearly fell for this when someone called claiming to be from SBI and asked her to confirm "a verification code." She was about to read it out when her son grabbed the phone and hung up. The scammer had initiated a password reset on her account and needed the OTP to complete it. That is how close it was.

So. Six months of 2FA. My honest summary.

Still annoying. Still worth it. I lock myself out of things more often than I should. But nobody has broken into any of my accounts since I set it up, and that used to happen about once a year. So yeah. Fine. It works.