July 14, 2026
The Second Lock on Your Online Accounts (That You Don’t Know About!)
It takes about three minutes to turn on.

By Liz Ndungu
6 min read
By Elizabeth Ndungu | Founder, Ndungu Consulting | Tech Coach for Adults 50+
Your front door probably has two locks. A latch that catches when you pull it shut, and a deadbolt you turn separately. Two locks, because one on its own can be defeated.
Your online accounts work the same way. Most people have one lock: a password. What most people do not know is that there is a second lock available on most accounts, and turning it on takes about three minutes.
It is called two-factor authentication. Many people who work with me have never heard of it. Some have met it without knowing what it was. Once they understand what it does, they usually turn it on for everything important that same week.
Your Password Is Only Half the Protection
Passwords can be stolen. They can be guessed. They can be bought and sold in bulk after a company you signed up with is hacked.
This is not rare. Large data breaches happen many times a year. If your password ends up in a stolen database, someone else now has it. They may not use it straight away. Automated systems test it against other accounts, waiting for one to open.
When that happens on your email, your Amazon account, or your online banking, a password alone is the only thing standing in the way. If the password still works and no second check is enabled, they may be able to get in.
Two-factor authentication adds a second step. Even with your password, they still have to get past the second check. Without it, they cannot get in.
What Two-Factor Authentication Actually Is
The name sounds technical. The experience is not.
When you turn it on, this is what happens at login: you type your password as usual, the account sends a short code to your phone, you type in the code, and you are in.
The idea is that the code goes to something only you have, your phone. Someone who only has your password, sitting at a computer far away, does not have that code. This can stop many automated attacks that test stolen passwords, the kind that try millions of combinations at once.
The most familiar version is a code sent by text message. You enter your password, your phone gets a text with a six-digit number, you type it in. That is the whole process.
Not All Second Factors Are Equal
This is the part most guides skip, and it matters. A text-message code is far better than no second factor, but it is the weakest of the options, because texts can sometimes be intercepted or redirected.
An authenticator app, a free app on your phone that generates the codes itself, is stronger. A passkey, which uses your phone's fingerprint or face unlock instead of a code, is stronger still and is very hard to phish.
So the order of preference is simple. If an account offers a passkey or an authenticator app, choose that. If it only offers text messages, use that rather than nothing. Microsoft's own research makes the same point: all forms of this second step help enormously, and app-based methods outperform text messages.
Why This Matters More Than Most Security Advice You've Heard
Most security advice focuses on passwords. Use a strong one. Do not reuse it across accounts. That is sensible, but even a strong password can be stolen, and often the theft happens at the company's end, not yours.
Two-factor authentication protects you even after a breach. If a company you signed up with is hacked and your password is taken, the second step makes that password useless on its own. The attacker still cannot get in without the code or passkey tied to your phone.
Security professionals rank it as one of the most effective steps an ordinary person can take. Microsoft's research found that turning it on blocks more than 99.2 percent of automated attacks on accounts, and that the overwhelming majority of accounts that do get compromised did not have it switched on. No single step protects you completely, but very few come close to that.
Why This Keeps Happening
You do not have to be careless to be caught by this. The weak point is usually a company you once signed up with, not you.
When a business is breached, the email addresses and passwords in its database can end up for sale. Criminals buy those lists and try the combinations on other accounts, counting on the fact that many people reuse the same password in more than one place. It is automated, and it happens at enormous scale.
The numbers are hard to picture. In 2025, researchers reported a single collection of around 16 billion stolen login records. Importantly, this was not one new break-in. It was a giant compilation assembled from many past breaches and from malware that harvests passwords off infected devices. Whether or not your details are in that particular collection, the safe assumption is that at least one old password of yours is circulating somewhere.
A password alone cannot protect you against that, because it may already be known. The second step is what makes a stolen password useless on its own.
How to Turn It On (Step by Step)
Your email is the most important account to protect first. If someone gets into your email, they can reset the password on almost every other account you have.
For Gmail:
Sign in on a computer.
Click your initial or profile photo in the top right.
Select "Manage your Google Account."
Go to the "Security" tab.
Under "How you sign in to Google," select "2-Step Verification" and follow the steps.
Google will also offer passkeys here, which are worth setting up.
For Outlook or Hotmail:
Go to account.microsoft.com.
Sign in, select "Security,"
Then "Advanced security options,"
Turn on "Two-step verification."
For your bank:
Most major UK and US banks now offer this, and some require it. Look in "Security" or "Account settings" in your banking app or website. If you are unsure, call the number on the back of your card and ask.
For Amazon: go to Account, select "Login and security," and find "Two-Step Verification (2SV) Settings."
Most setups will ask for a phone number, or let you choose an authenticator app instead, which is the better choice where it is offered. On a device you use regularly, you can usually tick "remember this device" so you are not entering a code every time on your own phone.
Is Two-Factor Authentication Safe and Reliable for Adults Over 50?
Yes. It is one of the most reliable security steps available to ordinary users, and it is designed to be simple.
One warning matters more than any setting: never read your code out to anyone. Scammers sometimes call pretending to be your bank and ask you to confirm the code that just arrived on your phone. The FBI is blunt about it: never give a two-factor code to anyone who contacts you, by phone, text, or email. A real bank will never ask for it. If someone asks you to share a code, the request itself is the scam. Hang up.
One practical point: if you change your phone number, update your two-factor settings on each account before you lose the old number. If your codes are going to a number you no longer have, you can find yourself locked out.
Many accounts will also give you a set of backup codes when you set this up. Write them on paper and keep them somewhere safe, not on your phone. A note in a drawer works perfectly. These codes let you back in if you ever lose access to your phone.
I write regularly about technology safety and digital literacy for adults over 50. Following me here on Medium is the best way to see the next piece when it comes out.
Basic Computer Skills Guide, a plain-English guide to internet safety, online accounts, and digital basics, is available here:
https://elizabethw2.gumroad.com/l/basiccomputerguide
For calm, one-on-one technology help with no pressure, no jargon, and no embarrassment, visit ndunguconsulting.com.
About the Author
Elizabeth Ndungu is the founder of Ndungu Consulting, a technology coaching and digital literacy practice that helps adults over 50 build confidence with everyday technology. Computers, phones, AI tools, email, Microsoft Office, online safety, and digital skills in plain English. She provides patient, practical support for people who want to learn without jargon, pressure, or embarrassment.
Sources
Microsoft, "Plan for mandatory Microsoft Entra multifactor authentication" (MFA blocks more than 99.2% of account compromise attacks): https://learn.microsoft.com/en-us/entra/identity/authentication/concept-mandatory-multifactor-authentication
Microsoft Research, "How effective is multifactor authentication at deterring cyberattacks?" (authenticator apps outperform SMS codes): https://www.microsoft.com/en-us/research/publication/how-effective-is-multifactor-authentication-at-deterring-cyberattacks/
BleepingComputer, "No, the 16 billion credentials leak is not a new data breach," 2025: https://www.bleepingcomputer.com/news/security/no-the-16-billion-credentials-leak-is-not-a-new-data-breach/
FBI, "Account Takeover Fraud via Impersonation of Financial Institution Support" (never share a two-factor or one-time code), 2025: https://www.fbi.gov/investigate/cyber/alerts/2025/account-takeover-fraud-via-impersonation-of-financial-institution-support
Tags
Online Safety · Cybersecurity · Digital Literacy · Senior Citizens · Adults Over 50