How to Enable 2FA on Your Game Account (Riot, Epic and Steam)

Enabling two-factor authentication is the single most important action you should take immediately after securing or purchasing a game account — it is the only reliable way to lock out anyone who previously had access. Whether you just bought a League of Legends account, a Valorant smurf, or a CS2 profile, the window between ownership transfer and 2FA activation is the highest-risk period you will ever face. This guide walks you through the exact steps for Riot, Epic Games, and Steam.

Why 2FA Is Your First Priority — and the Correct Order of Operations

When you take ownership of a new account, the previous holder still has knowledge of the login credentials they created. Even after you change the password, a determined person can attempt account recovery through the original email address, linked phone number, or platform-specific recovery flows. Two-factor authentication breaks this chain: without access to your authenticator app or your phone, the recovery path closes.

The correct sequence every time you acquire an account is:

1. Change the email address to one you own and have never shared. This severs the most common recovery route immediately.
2. Change the password to a long, unique passphrase you have not used anywhere else.
3. Enable 2FA using an authenticator app wherever possible. This is the final lock on the door.

Skipping step one and jumping straight to a password change leaves the original email in place, meaning a platform's "forgot password" flow can still route recovery codes to an inbox you do not control. Always start with the email. If you need a walkthrough specific to Riot's email change process, see our guide on how to change your Valorant email. For a broader look at purchasing accounts safely in the first place, our safe account buying guide covers what to verify before you hand over payment.

Riot (League of Legends, Valorant, TFT)

All Riot titles — League of Legends, Valorant, Teamfight Tactics, and others — share a single Riot account. Securing one secures all of them.

1. Go to the Riot Games account page and sign in with the account credentials.
2. Navigate to the Security tab in your account settings.
3. Under the Two-Factor Authentication section, you will see an option to enable 2FA via email verification. Riot will send a six-digit code to your registered email address each time you log in from an unrecognized device.
4. If you want a stronger option, Riot supports linking a compatible authenticator app (such as Google Authenticator or Authy). Look for the option to set up an authenticator under the same Security tab, scan the QR code shown on screen into your app, then enter the six-digit code the app generates to confirm the link.
5. Save your changes and log out, then log back in to confirm that 2FA is being requested correctly.

Because Riot ties account recovery heavily to the registered email, completing the email change before this step is especially critical. If you encounter any issues with recovery after taking ownership, our Riot account recovery guide explains the support process in detail.

Epic Games (Fortnite)

Epic Games offers three 2FA methods — authenticator app, SMS, and email — and uniquely incentivizes you to enable it: activating any form of 2FA on your Epic account has historically unlocked a free Fortnite reward and is required to enter competitive modes.

1. Visit the Epic Games site and sign in, then click your account name and go to Account.
2. Select the Password & Security tab.
3. Scroll to the Two-Factor Authentication section. You will see all three options laid out.
4. To use an authenticator app (recommended): click "Enable Authenticator App," scan the QR code with your app of choice, enter the six-digit code shown, and save.
5. To use SMS: click "Enable SMS Authentication," enter your phone number, confirm the code sent to your device.
6. To use email: click "Enable Email Authentication" — Epic will send a code to your account email each login.
7. Once enabled, Epic prompts you to save backup codes. Store these somewhere secure and offline.

If you just purchased a Fortnite account, the authenticator app option is strongly preferred over SMS. Phone numbers can be ported by attackers through social engineering; your authenticator app cannot be hijacked remotely.

Steam (CS2)

Steam's security model is slightly different from Riot and Epic. Steam offers two layers: Steam Guard via email and the stronger Steam Guard Mobile Authenticator built into the Steam mobile app. For anyone holding a CS2 account, there is an important trade-off to understand before you choose.

1. Download and install the Steam mobile app on your phone if you have not already.
2. Sign in to the app with the account credentials.
3. Open the menu, go to Steam Guard, and select Add Authenticator.
4. Enter your phone number and confirm the SMS code Steam sends to verify your device.
5. Steam will show you a recovery code — this is critical. Write it down and store it somewhere safe. Without it, losing your phone means a lengthy lockout to recover the account.
6. Once the authenticator is active, you will see a rotating code in the Steam Guard section of the app. Every login and every trade will require this code.

The trade and market hold implication: When you first activate the Steam Guard Mobile Authenticator on an account, Steam imposes a multi-day trade hold on items sent to other accounts. This is Steam's anti-hijacking measure — it gives the legitimate owner time to cancel fraudulent trades. Plan around this if you intend to trade CS2 items immediately. Email-only Steam Guard carries a longer hold period, which is another reason to use the mobile authenticator despite the short wait.

Authenticator App vs SMS — Which Is Safer?

The short answer: an authenticator app is meaningfully more secure than SMS every time. Here is why that matters in practice.

SMS 2FA routes codes through your mobile carrier. Attackers with enough persistence can perform a SIM-swap attack — convincing your carrier to transfer your phone number to a new SIM card they control, intercepting every code meant for you. This is a real, documented attack vector that has been used to steal valuable gaming accounts.

Authenticator apps generate codes locally on your device using a shared cryptographic secret established at setup. No network request is made to produce a code, so there is nothing for an attacker to intercept in transit. The only way to get a code from an authenticator app is to have physical access to your device.

Recommended authenticator apps: Authy (supports encrypted cloud backup, useful if you switch phones), Google Authenticator, and Microsoft Authenticator. Authy's backup feature is particularly convenient if you manage multiple accounts across Riot, Epic, and Steam.

Recovery codes: Every platform that offers 2FA will give you a set of single-use recovery codes when you enable it. These codes let you access your account if your phone is lost or damaged. Print them or write them down — do not store them in a cloud note synced to the same account that holds your email, or you have created a circular vulnerability. Treat recovery codes like a physical house key.

Frequently Asked Questions

Why should I enable 2FA before doing anything else after buying an account?

Because the email change and password change you perform are only as secure as the platform's recovery system allows. If the original email address is still registered and 2FA is not active, an account recovery request submitted by the previous owner could theoretically bypass your new password entirely. Enabling 2FA — especially via an authenticator app tied to your phone — makes the account tied to a device only you possess, not just a password that exists in someone else's memory.

Is an authenticator app really that much safer than SMS?

Yes, significantly. SMS codes travel over the public telephone network and can be intercepted via SIM-swapping, which requires an attacker to social-engineer your mobile carrier rather than hack any game platform directly. Authenticator apps generate codes locally using time-based one-time password (TOTP) cryptography and never transmit anything over a network. For a high-value account, SMS is better than nothing, but an app is the correct choice.

What happens if I lose the phone my authenticator is on?

This is exactly why recovery codes exist. When you enabled 2FA, the platform gave you a set of backup codes — use one of those to log in, then immediately visit your account security settings to re-link your authenticator to a new device. If you did not save your recovery codes and you lose access to your authenticator, each platform has a support-based identity verification process to regain access, but it can take days and requires proof of ownership. For Riot accounts specifically, our Riot account recovery guide outlines what documentation helps speed up that process.

Does enabling 2FA prevent the original seller from getting the account back?

2FA substantially raises the barrier — they cannot log in from a new device without your authenticator code. However, 2FA alone is not the complete answer; the full sequence (new email then new password then 2FA) is what creates genuine separation. With the email changed to one you control, the original owner loses access to the primary recovery route. With 2FA active, they cannot log in even if they remember the original password. Together, these three steps make unauthorized re-access through normal platform mechanisms effectively impossible. Always buy from a verified marketplace so the seller has no legitimate claim to raise a dispute: browse our League of Legends, Valorant, CS2, and Fortnite catalogs for verified, supported listings.

Account security is not a one-time task — it is the foundation every other improvement is built on. Change the email, change the password, enable 2FA with an authenticator app, and save your recovery codes somewhere offline. Those four steps, done in order, are the difference between an account you own and one you merely borrowed. If you are still choosing where to buy in the first place, our guide to buying game accounts safely explains what to look for before you commit to any seller.