How to use two-factor authentication to lock down your accounts the right way

Ready or not, two-factor authentication is something you’ll need to start thinking more about.

This approach to online security, also known as two-step authentication, multi-factor authentication, or just 2FA for short, involves combining a regular password with a secondary numeric code, which you must enter on any device where you haven’t logged in before. This extra code typically gets sent to your phone, so someone who steals your password can’t get into your account unless they have physical access to your phone as well (and know how to unlock it).

The added annoyance of 2FA is well worth the extra security it provides, which is why some tech companies have now started requiring it. Google and Amazon’s Ring both made 2FA mandatory last year, and it’s on by default for most Apple IDs. I’ve also noticed Amazon selectively enforcing 2FA on it apps and website, sending a link to click on via text message when you login on a new device.

While these are all positive steps, the smartest approach to 2FA isn’t merely passive. Many of these 2FA methods work by texting a code to your phone, which is better than nothing but is susceptible to potentially-devastating SIM hijacking attacks. (The FCC is only now starting to examine that problem.) And if your phone gets lost or stolen, you’ll want to have a backup 2FA method at the ready.

If you’re ready to take 2FA more seriously, here are some options to consider:

Use an authenticator app

Jared Newman / Foundry

Instead of sending 2FA codes by text message, most major online services let you use an authenticator app to generate codes on your phone. The authenticator app syncs up to your online service—usually by having you scan a one-time QR code—and from then on, you use the app to look up the code when you’re logging in on a new device.

While Google and Microsoft both offer their own authenticator apps that work with a wide range of online services, I personally prefer Authy. It’s free, and more importantly, you can install it on multiple devices at the same time. I have Authy installed on my iPhone, Android phone, iPad, Windows desktop, Windows laptop, and Mac Mini, which means my 2FA codes are never out of reach.

This convenience does come with a trade-off: Installing Authy on a new device requires its own authentication code, which Authy can send via text message. But Authy mitigates this in two ways: You must also enter a password to unlock your backups on a new device, and you can always disable the ability to install Authy on new devices. To turn the ability back on, you’d need physical access to a device where Authy is already installed.

I wouldn’t rely solely on Authy if you’re prone to forgetting passwords, because there’s no way to recover Authy’s if you lose it. But if you want easy access to 2FA codes across multiple devices—including your computer—its multi-device support makes it tough to beat.

Use email or app-based 2FA instead of text

Jared Newman / Foundry

If you’ve ever seen the “Are you trying to sign in?” prompt on your phone when logging into Gmail on a new device, this in itself is a form of 2FA, using an existing sign-in on one device to help you sign in on another. Similarly, some services can send you an extra verification code via email when you log in on a new device.

Either approach is better than getting codes via text message—at least, if your devices and email account are secure themselves—and in most cases you can set them up alongside an authenticator app such as Authy. That way, you have multiple methods for getting into your accounts when 2FA is enabled.

Use printed codes or a security key for extra backup

Jared Newman / Foundry

To make doubly sure that you can always get into your account, some services will let you print out backup codes or plug a USB security key into your device for 2FA. Last year, for instance, I set up a Yubico security key with my Gmail, Microsoft, Twitter, and Stripe accounts, so if I ever need to log in on a new device, I can just plug in the key instead of using Authy. You can see which online accounts work with Yubikey here.

Sign in with Google or Apple when possible

Once you’ve gone through the trouble of locking down your Google and Apple account, consider using them to log in on other sites whenever that’s an option. For instance, I often use “Sign in with Google” on sites that offer it, as spares me from creating another password and gives that site the same level of security as my Google account.

Setting it all up

Here’s where things get a little tricky: Not every app or online service works with all of the options I just described. Some may not support physical security keys or email-based authentication. Others may not provide printed codes as a backup method. Others still may only offer text-based two-factor authentication, or not offer 2FA at all.

the best overall password manager

LastPass


Best Prices Today:


$36 at LastPass

That doesn’t mean you should avoid 2FA entirely. Instead, you should use the best available options for each of your accounts, starting with the ones that store your most important data. If 2FA options are limited or unavailable, it’s all the more important to rely on strong passwords—preferably generated by a password manager.

Ready to get started? Here are quick links to setting up 2FA on Google, Microsoft, Yahoo, Amazon, Facebook, Twitter, LinkedIn, and Apple. Authy’s website also has a searchable list of tutorials for setting up 2FA on other sites.

For more practical tech advice, sign up for Jared’s Advisorator newsletter, where this column originally appeared.

Internet Security

Leave a Reply