The three factors
- Something you know — PIN, password, passphrase.
- Something you have — authentication app, SMS code, security key, smart card.
- Something you are — fingerprint, face, iris scan.
MFA options compared
| Method | Security | Ease of use | Notes |
|---|---|---|---|
| SMS code | Medium | Easy | Most common, but vulnerable to SIM swapping. |
| Authenticator app | High | Easy | Google Authenticator, Microsoft Authenticator, Authy. |
| Biometrics | High | Very easy | Cannot be lost or forgotten on supported devices. |
| Physical token | High | Medium | Small USB-style key. |
| Security key (FIDO2) | Very high | Medium | YubiKey and similar. |
Turn it on here first
- Your main email account (Apple ID, Gmail, Outlook) — if attackers own this, they can reset all your other passwords.
- Online banking and payment apps.
- Accounts with saved card details — Amazon, eBay, PayPal, Coles, Woolworths.
- Social media — Facebook, Instagram, X (Twitter), LinkedIn, WhatsApp, Signal.
- Government services — myGov.
- Gaming accounts with payment methods — Steam, PlayStation, Xbox, Nintendo, Epic.
Stay safe while using MFA
- Do not click sign-in links in unexpected SMS messages or emails — go to the service directly.
- Never share an MFA code with anyone, including 'support staff'.
- Reject any sign-in approval you did not start yourself.
- Save backup codes somewhere safe (password manager or printed copy).
- When changing phones, migrate your authenticator app before wiping the old device.
- When your phone number changes, update accounts that use SMS for MFA.