Two-factor authentication adds a second proof of identity beyond your password, usually a code from an app on your phone, so a stolen password alone cannot get in. Yes, you need it, at least on the accounts that control your business: your host, your database, your domain, your email. It is free and it stops the most common takeovers.
Information current as at 5 July 2026
Passwords leak. They get guessed, reused, phished, or spilled in someone else's breach, and once a password is out, a password is all it takes. Two-factor authentication breaks that, by demanding a second proof that a thief almost never has. It is one of the highest-value, lowest-effort security steps available, and it costs nothing. Here is what it is and where you genuinely need it.
Authentication is the act of proving you are who you say you are. A password is one factor, something you know. The trouble is that knowledge can be stolen: passwords get phished, guessed, reused across sites, and exposed in other companies' breaches, and a password on its own is a single point of failure. Two-factor authentication adds a second, different kind of proof, usually something you have, like a code generated by an app on your phone. Now a thief needs both your password and your physical device, which is a far higher bar. The whole point is that the two factors are independent, so compromising one does not hand over the other.
There are a few common second factors, and they are not equal. A code sent by text message is the weakest, because phone numbers can be hijacked, though it is still far better than nothing. A code from an authenticator app on your phone is stronger and widely available, generating a new short-lived code every thirty seconds without needing a signal. A physical security key is stronger still, a small device you tap, resistant even to sophisticated phishing. For most people running a small app, an authenticator app is the sweet spot: free, strong, and easy. The one rule is to prefer an app over text where you have the choice, and to reserve text for services that offer nothing better.
If you have made something and it needs to become real, send it over. We will tell you honestly what it needs to be live, safe and yours, whether that is a quick fix you can do or a proper build. No obligation.
You do not need it on everything equally; you need it most on the accounts that, if taken over, would let someone dismantle or hijack your business. These are your keystone accounts: the host that runs your app, the database that holds your data, the registrar that controls your domain, your email (which can reset everything else), your payment processor, and your code repository. If any of these fall, the damage cascades, because control of your email or domain can be used to seize the rest. Turn on two-factor authentication on every one of these first. Then extend it to any account holding customer data or money. The effort is a few minutes each; the protection is against the most common way businesses get hijacked.
The one real risk with two-factor authentication is locking yourself out if you lose your phone, and it is entirely avoidable. When you switch it on, the service offers recovery codes, one-time backup codes that get you in if your second factor is unavailable. Save these somewhere safe and offline, such as a password manager or a written note in a secure place, not in the same phone that holds the authenticator. Consider registering a second factor as backup where the service allows. With recovery codes stored, two-factor authentication has no real downside: you get the strong protection and keep a way back in. Should you also offer it to your own customers on their logins, the same logic applies, and it is a genuine trust signal that you take their security seriously.
Whether you can name exactly what you want built, or you just know something is leaking, the next step is the same conversation.