A friend's SafeW account almost got hijacked last week. Someone had his password but got stuck at the second verification step and couldn't get in — he'd casually turned on two-factor authentication months earlier. That's the whole point of SafeW 2FA: a leaked password no longer means a lost account. But this protection has one part people keep overlooking — the recovery codes generated when you enable it. You actually have to save them. This guide walks through how to turn on two-factor authentication, how to back up recovery codes, and how to recover when you switch phones.
Before you start: 2FA codes are tightly tied to your device clock. Turn on "Set time automatically" in your system settings first, or the codes your authenticator generates may never match. There's more on this in the login and sync troubleshooting guide.
Step 1: Pick your method — authenticator over SMS
SafeW two-factor supports two kinds of second factor: SMS codes, and TOTP codes from an authenticator app. Both work, but they're not equally safe.
SMS depends on your carrier. A SIM that gets ported away (SIM swapping), roaming that won't deliver texts abroad, weak signal that delays a code past expiry — any of these breaks the SMS path. An authenticator app generates codes locally on your phone, works offline, skips the carrier entirely, and is a clear step up in security.
My advice is blunt: use an authenticator if you can, and keep SMS as the fallback for when you don't have your main phone.
Step 2: Enable two-factor inside SafeW
The exact path may shift slightly by version, but the order is roughly this:
- Open SafeW, go to Settings → Account & Security (or Privacy & Security)
- Find "Two-Factor Authentication" and tap Enable
- Choose the authenticator method; SafeW shows a QR code or a secret key
- Scan it with your authenticator app — a six-digit code that refreshes every 30 seconds appears
- Type that current six-digit code back into SafeW to finish binding
Once bound, the next time you log in on a new device, entering your password prompts a second step for the authenticator code. An attacker with only your password can't get in — that's the core of how 2FA stops account theft.
Step 3: Recovery codes — get this wrong and the rest is wasted
After you bind 2FA, SafeW gives you a one-time set of recovery codes. What are they for? When your phone is lost, your authenticator gets wiped, or SMS won't arrive, the recovery codes are the only backup key to bypass that second step and get your account back.
Store recovery codes like this
- Write them offline: on paper, somewhere you can find but others can't dig up — tucked in a document folder, for instance
- Offline password manager: a local vault that doesn't auto-sync to the cloud
- Avoid: screenshots in your photo library, messaging them to yourself, or saving to auto-syncing cloud notes
Why hammer on "offline"? Recovery codes are essentially a master backdoor to your account. Screenshot them into your photos, your photos sync to the cloud, and that backdoor key now sits on a server you don't control. The day that cloud account itself gets breached, the attacker walks off with your recovery codes too, and 2FA becomes meaningless.
Switching phones: where recovery codes earn their keep
A new phone is the most common moment recovery codes save you. Install SafeW on the new device, enter your password, reach the second step — if your old authenticator is still around and the time is right, just enter the code. But if the old phone is already wiped and the authenticator didn't migrate, this is when you tap "Use recovery code," enter the set you saved, and re-bind the authenticator on your new device.
Phone switching has another snag: the device limit. An old device still signed in plus a new one coming online can hit the cap. See device limit and signed-in devices for the order to handle it — log out the ones you don't use first.
Enabled 2FA but still can't log in? Check these
Two-factor occasionally locks out its own owner. Usually it's one of these:
- Device clock is off → enable "Set time automatically," and check the timezone too
- You used a code about to expire → wait for it to refresh before typing
- SMS won't arrive → see verification code not received
- Login is stuck overall → run through login and connection troubleshooting
Two-factor isn't a set-it-and-forget-it switch; it's a habit that includes arranging the recovery-code escape route. Spending ten minutes now to enable and back it up is far calmer than scrambling at 2 a.m. when you spot a login from another country. If you don't have SafeW yet, grab it from the SafeW download page first, then make this your first move in settings.