Enable 2FA: Top 50 Websites

This guide shows you how to enable Two-Factor Authentication (2FA) with TOTP (Time-based One-Time Password) on the most important websites.


Overview

| Category | Count |
|---|---|
| TOTP supported | 42 |
| SMS/Email 2FA only | 5 |
| No 2FA available | 3 |

84% of top websites support TOTP!


What is TOTP?

TOTP (Time-based One-Time Password) is an algorithm that generates unique 6-digit codes that change every 30 seconds.

Supported Authenticator Apps

  • Google Authenticator
  • Microsoft Authenticator
  • Authy
  • 1Password
  • Bitwarden
  • iKeePass (this app!)

Advantages over SMS-2FA

| Method | Security | Offline usable | SIM-swap safe |
|---|---|---|---|
| TOTP App | High | Yes | Yes |
| SMS | Medium | No | No |
| Email | Medium | No | Yes |

Search Engines

| # | Website | 2FA | TOTP | Instructions |
|---|---|---|---|---|
| 1 | Google | Yes | Yes | Account > Security > 2-Step Verification |
| 2 | Bing | Yes | Yes | Via Microsoft account |
| 3 | Yahoo | Yes | Yes | Account Security > 2-Step Verification |
| 4 | DuckDuckGo | No | No | No account required |
| 5 | Baidu | SMS only | No | SMS only |

Video & Streaming

| # | Website | 2FA | TOTP | Instructions |
|---|---|---|---|---|
| 6 | YouTube | Yes | Yes | Via Google account |
| 7 | Netflix | No | No | Not available |
| 8 | Twitch | Yes | Yes | Settings > Security > Set up 2FA |
| 9 | Vimeo | Yes | Yes | Account > Security > 2FA |
| 10 | Disney+ | Email only | No | Email verification only |

Social Networks

| # | Website | 2FA | TOTP | Instructions |
|---|---|---|---|---|
| 11 | Facebook | Yes | Yes | Settings > Security > 2FA |
| 12 | Instagram | Yes | Yes | Settings > Security > 2FA |
| 13 | X (Twitter) | Yes | Yes | Settings > Security > 2FA > Authenticator App |
| 14 | LinkedIn | Yes | Yes | Settings > Sign in & Security |
| 15 | TikTok | Yes | Yes | Settings > Security > 2-Step Verification |
| 16 | Reddit | Yes | Yes | Settings > Security > 2FA (desktop only) |
| 17 | Pinterest | Yes | Yes | Settings > Security > 2FA |
| 18 | Snapchat | Yes | Yes | Settings > 2FA > Authenticator App |
| 19 | WhatsApp | PIN-based | No | PIN-based, no TOTP |
| 20 | Telegram | Password-based | No | Password-based, no TOTP |

E-Commerce

| # | Website | 2FA | TOTP | Instructions |
|---|---|---|---|---|
| 21 | Amazon | Yes | Yes | Account > Login & Security > 2-Step Verification |
| 22 | eBay | Yes | Yes | Account Settings > 2-Step Verification |
| 23 | AliExpress | Yes | Yes | Account Settings > Security |
| 24 | Etsy | Yes | Yes | Account Settings > Security > 2FA |
| 25 | Shopify | Yes | Yes | Manage Account > Security |

Finance & Payments

| # | Website | 2FA | TOTP | Instructions |
|---|---|---|---|---|
| 26 | PayPal | Yes | Yes | Settings > Security > 2-Step Verification |
| 27 | Stripe | Yes | Yes | Dashboard > Settings > 2FA |
| 28 | Coinbase | Yes | Yes | Settings > Security > 2-Step Verification |
| 29 | Binance | Yes | Yes | Security > 2FA > Google Authenticator |
| 30 | Revolut | Yes | Yes | App > Profile > Security |

Productivity & Cloud

| # | Website | 2FA | TOTP | Instructions |
|---|---|---|---|---|
| 31 | Microsoft 365 | Yes | Yes | account.microsoft.com > Security |
| 32 | Dropbox | Yes | Yes | Settings > Security |
| 33 | Google Drive | Yes | Yes | Via Google account |
| 34 | Slack | Yes | Yes | Account Settings > Set up 2FA |
| 35 | Zoom | Yes | Yes | Profile > Security > 2FA |
| 36 | Notion | Yes | Yes | Settings > Security > 2FA |
| 37 | Trello | Yes | Yes | Via Atlassian account |

Developer & Tech

| # | Website | 2FA | TOTP | Instructions |
|---|---|---|---|---|
| 38 | GitHub | Yes | Yes | Settings > Security > 2FA (REQUIRED!) |
| 39 | GitLab | Yes | Yes | Settings > Account > 2FA |
| 40 | AWS | Yes | Yes | IAM > Security Credentials > MFA |
| 41 | Azure | Yes | Yes | Via Microsoft account |
| 42 | DigitalOcean | Yes | Yes | Account Settings > Security |
| 43 | Cloudflare | Yes | Yes | Profile > Authentication > 2FA |
| 44 | Heroku | Yes | Yes | Account Settings > 2FA |
| 45 | npm | Yes | Yes | Account Settings > 2FA |

Music & Entertainment

| # | Website | 2FA | TOTP | Instructions |
|---|---|---|---|---|
| 46 | Spotify | Artists only | Artists only | Artists only |
| 47 | Apple Music | Yes | Yes | Via Apple ID |
| 48 | SoundCloud | Yes | Yes | Settings > Security > 2FA |
| 49 | Discord | Yes | Yes | Settings > My Account > Enable 2FA |
| 50 | Steam | Yes | Yes | Steam Guard > Mobile Authenticator |

Detailed Instructions

Google / YouTube / Gmail

  1. Open myaccount.google.com
  2. Click Security in the left menu
  3. Under “Signing in to Google” > 2-Step Verification
  4. Click Authenticator App
  5. Scan the QR code with iKeePass
  6. Enter the 6-digit code to confirm

Facebook / Instagram / Meta

  1. Open accountscenter.facebook.com
  2. Go to Password and Security
  3. Select Two-Factor Authentication
  4. Choose Authenticator App
  5. Scan the QR code with iKeePass
  6. Save the backup codes!

X (Twitter)

  1. Open twitter.com/settings/account
  2. Go to Security and account access > Security
  3. Select Two-factor authentication
  4. Enable Authentication app
  5. Scan the QR code with iKeePass
  6. Enter the confirmation code

GitHub (REQUIRED!)

GitHub has required 2FA for all code contributors since March 2023!

  1. Open github.com/settings/security
  2. Under “Two-factor authentication” > Enable
  3. Choose Set up using an app
  4. Scan the QR code with iKeePass
  5. Enter the verification code
  6. Save the recovery codes!

Amazon

  1. Open amazon.com/a/settings/security
  2. Click Edit next to “Two-Step Verification”
  3. Click Get Started
  4. Choose Authenticator App
  5. Scan the QR code with iKeePass

PayPal

  1. Open paypal.com/myaccount/settings/
  2. Go to Security > 2-Step Verification
  3. Choose Use an authenticator app
  4. Scan the QR code with iKeePass
  5. Enter the 6-digit code

Discord

  1. Open Discord > User Settings (gear icon)
  2. Go to My Account
  3. Click Enable Two-Factor Auth
  4. Enter your password
  5. Scan the QR code with iKeePass
  6. Enter the 6-digit code
  7. Download SMS backup

Services WITHOUT TOTP

Netflix

Netflix offers no two-factor authentication.

Recommendation: Use a strong, unique password and regularly check your active sessions under Netflix > Account > Manage devices.

Spotify (regular users)

Spotify offers TOTP only for Spotify for Artists.

Workaround: Sign in via Facebook and enable 2FA there.

WhatsApp / Telegram

These messengers offer PIN-based 2-step verification, but no real TOTP:

| App | 2FA Method | Description |
|---|---|---|
| WhatsApp | 6-digit PIN | Asked during re-registration |
| Telegram | Password | In addition to SMS code |
| Signal | Registration Lock PIN | Prevents number takeover |

Best Practices

Recommendations

  1. Enable TOTP on ALL accounts that support it
  2. Store backup codes securely in iKeePass
  3. Use TOTP instead of SMS where possible
  4. Secure your authenticator app (export to iKeePass)
  5. Use different passwords for every service

Warnings

  1. Don’t risk losing your phone without having backup codes saved
  2. Before changing devices, disable 2FA or transfer your codes
  3. Don’t use unencrypted cloud sync
  4. Ignore phishing attempts asking for TOTP codes

Resources