Thing 3: Two-factor authentication (2FA)

published on Jan 21, 2020

Two-factor authentication (often shortened to 2FA) provides a way of 'double checking' that you really are the person you are claiming to be when you're using online services, such as banking, email or social media. It is available on most of the major online services.

When setting up 2FA, the service will ask you to provide a 'second factor', which is something that you (and only you) can access. This could be a code that's sent to you by text message, or that's created by an app. You'll be asked to enter this code as well as your username and password for the account when you log in.

Passwords can be stolen by cyber criminals, potentially giving them access to your online accounts. This could happen if a hacked website stored your password without encryption, if you disclose your password in response to a phishing email or if malware like a keylogger intercepts it. However, accounts that have been set up to use 2FA will require an extra check, so even if a criminal knows your password, they won't be able to access your accounts.

Most services tend to offer 2FA over text message by default. During setup, you provide your phone number, and the service will send you a message containing the code to use. Some services can also send a code using voice message if you find this easier. Text messages are not the most secure type of 2FA, but still offer a huge advantage over not using any 2FA. Any two-factor authentication is better than not having it at all.

Authenticator apps on your smartphone (or tablet) are the main alternative to text messages. Google Authenticator, Microsoft Authenticator, Authy and LastPass Authenticator are examples of this type of app. Once you've installed one, you can use the same app when setting up 2FA on any accounts that have this as an option. These apps offer lots of advantages over text messages, such as not needing a mobile signal, or having to wait for a text message to arrive.

Small USB or wireless security keys like Yubico's YubiKey and Google's Titan security key are easier and faster to use, since you only need to tap them with your finger or tap the key against your device to complete the 2FA process.

Physical keys like these are considered more secure than code-generating authenticator apps, whose codes could be intercepted and used by a sophisticated phishing attack.

Some online services will already have 2FA switched on. However, most don't, so you will need to switch it on yourself to give extra protection to your other online accounts, such as email, social media and cloud storage. If available, the option to switch on 2FA is usually found in the security settings of your account (where it may also be called 'two-step verification').

Telesign’s Turn it on website contains up-to-date instructions on how to set up 2FA across popular online services such as Gmail, Facebook, Twitter, LinkedIn, Outlook and iTunes.

Some accounts also give you a list of backup codes when you switch on 2FA. When asked for a code you can use one of these, but each code will only work once, so you'll need to create more when you've used them all. Backup codes are useful if you need to log on without a phone to hand. You will need to store the codes somewhere safe.

It's also a good idea to have a backup plan, in case you haven't got access to your usual second factor (for example, if the battery on your mobile phone has run out). Many services let you set up more than one option for this reason. Backup codes are ideal for this, since they can be used even if you lose your phone.

It’s important to keep the devices you use for 2FA safe. This is especially critical if the device is a smartphone because someone would likely be able to access your email, online accounts and your authenticator app all in one. Make sure you have a passcode or biometric challenge set for the device so nobody can use it if it is lost or stolen.

Links to more information

Activity

The NCSC recommends that you set up 2FA on any online accounts that protect things you really care about and would cause the most harm to you if the passwords to access these accounts were stolen.

Using the guides from Turn it on, set up 2FA on the following:

  • your main email
  • your password manager
  • your social media accounts
  • your cloud storage accounts.

You'll need to decide which method of 2FA you wish to use, and your choice will depend on the options your online accounts make available to you. Make sure you have backups in place, either through an additional 2FA method or backup codes. Keep your backup codes in a safe place – preferably, you should print them and keep them somewhere only you can find them.