Two-Factor Authentication on
WhatsApp, Gmail, and UPI Apps
Two-factor authentication (2FA) is the single most effective step you can take to protect your accounts. Here's how to set it up on every major Indian app — WhatsApp, Gmail, GPay, PhonePe, and your bank.
Last updated: July 2026 · 7 min read
What Two-Factor Authentication Actually Does
Two-factor authentication means that logging into your account requires two things: your password (something you know) and a one-time code sent to your phone or generated by an app (something you have). Even if someone steals your password — through a data breach, phishing, or by looking over your shoulder — they still can't log in without the second factor.
Most Indian account takeovers in 2025–26 targeted accounts that had no 2FA. Enabling it on your most important apps takes less than 10 minutes and blocks the most common attack methods entirely.
WhatsApp: Two-Step Verification
WhatsApp's 2FA is called "Two-step verification." It sets a 6-digit PIN that's required whenever you register your WhatsApp number on any new device — preventing SIM-swap attackers from taking over your account even if they port your number.
Open WhatsApp → Settings (three dots) → Account → Two-step verification
Tap Enable and set a 6-digit PIN you will remember
Add an email address — WhatsApp uses this to send a reset link if you forget the PIN
Confirm the PIN. Done — WhatsApp will periodically ask you to enter it to keep it in memory
Important: Do not share this PIN with anyone. WhatsApp will never ask for it. If you receive an OTP claiming to be for WhatsApp 2FA reset — that is a scam.
Gmail and Google Account: 2-Step Verification
Your Google account protects Gmail, Google Drive, Photos, Android backups, and every app you've signed in to with Google. This is the most important 2FA to enable.
Open Settings → Google → Manage your Google Account → Security tab
Tap "2-Step Verification" → Get started
Choose your second factor: Google Prompts (a tap on your phone) is easiest; Authenticator App is most secure
For strongest security: also add a backup code (Settings → 2-Step Verification → Backup codes). Save these offline.
UPI Apps: GPay, PhonePe, Paytm
UPI apps don't use a traditional 2FA login — they use a layered system: device binding, app PIN, and UPI PIN. Each layer matters.
Google Pay (GPay)
GPay is bound to your device. If your phone is stolen, deregister the device: Open GPay on another device → Profile → Settings → Privacy and security → Manage devices → remove the stolen device.
PhonePe
PhonePe → Profile → Security → App Lock (enable fingerprint/PIN). Also: if your phone is stolen, call PhonePe support (080-6872-0000) to delink your number from the stolen device.
Paytm
Paytm → Profile → Security & Privacy → Two-factor Authentication. Enable the Paytm-specific login PIN. Also enable App Lock under the same menu.
UPI PIN (all apps)
Your UPI PIN is the final line of defence — no transaction goes through without it. Keep it different from your phone PIN and known only to you. Change it from your bank's UPI settings if you suspect it was compromised.
Bank Apps and Net Banking
SBI YONO
Login → Profile → Security Settings → enable "Login with MPIN + OTP" (device-based 2FA). Also register your mobile number for transaction alerts.
HDFC Bank App
The app uses a Secure Device PIN which acts as device binding. Unlink your device if the phone is stolen: call 1800-202-6161 or log in via net banking and remove the device.
ICICI iMobile
Settings → Security → Activate Multi-level Authentication. You can also enable biometric authentication as an additional factor.
Axis Mobile
Profile → Security → Two Factor Authentication — enable OTP + PIN login for all transactions.
One Rule: Never Share an OTP
Two-factor authentication only works if the second factor stays with you. The most common way 2FA gets bypassed in India is through social engineering — a caller pretending to be from your bank, WhatsApp, or a government agency who asks you to "verify" by reading out the OTP you just received. No legitimate organisation will ever ask for an OTP over a phone call. If anyone asks, hang up.