How to use two-factor authentication to properly lock down your accounts

Ready or not, two-factor authentication is something you need to start thinking more about.
This approach to online security, also known as two-step verification, multi-factor authentication, or just 2FA for short, combines your regular password with a secondary one-time code, which you must enter on any device you aren’t already signed in on. That code is usually sent to your phone, so someone who steals your password can’t get into your account unless they also have physical access to your phone (and know how to unlock it).
The added annoyance of 2FA is well worth the extra security it provides, which is why some tech companies have now started requiring it. Google and Amazon’s Ring both made 2FA mandatory last year, and it’s on by default for most Apple IDs. I’ve also noticed that Amazon selectively enforces 2FA on the apps and website, and sends a link to click via text message when signing in to a new device.
These are positive steps, but the smartest approach to 2FA is an active one, not simply accepting whatever a service turns on by default. Many of these 2FA methods work by sending a text message to your phone. That is better than nothing, but SMS codes are vulnerable to potentially devastating SIM-swapping (also called SIM hijacking) attacks, in which an attacker talks your carrier into moving your phone number to a SIM they control and then receives your codes. (The FCC is only now beginning to investigate that issue.) And if your phone is lost or stolen, you’ll want a backup 2FA method ready.
If you’re ready to take 2FA more seriously, here are some options to consider:
Use an authenticator app
Instead of sending 2FA codes via text message, most major online services let you use an authenticator app to generate codes on your phone. You enroll the app with the service once, usually by scanning a QR code that contains a shared secret, and from then on the app computes a fresh code from that secret and the current time whenever you sign in on a new device. No text message is involved, and the app needs no network connection to produce the code, so there is nothing for a SIM swapper to intercept.
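To make the QR-code enrollment and the code generation concrete, here is an added example in Python. It is not the article’s code and not the implementation of Authy, Google Authenticator or any other vendor; it parses a constructed otpauth:// enrollment URI of the kind encoded in those QR codes, derives codes with the standard TOTP algorithm (RFC 6238, built on HOTP from RFC 4226), and shows the server-side check with clock-drift tolerance and replay rejection. The account name, issuer and secret in the sample URI are constructed values; the test secret constant is the one from the RFC’s own test vectors.

```python
"""TOTP as used by authenticator apps (RFC 6238, built on HOTP from RFC 4226).

Added example; not code from the article or from any authenticator vendor.
The URI, account name and secret below are constructed sample values.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# What the enrollment QR code actually contains: a URI carrying the shared secret.
SAMPLE_URI = ("otpauth://totp/Example%20Service:alice%40example.com"
              "?secret=JBSWY3DPEHPK3PXP&issuer=Example%20Service&digits=6&period=30")

# Base32 of the ASCII seed "12345678901234567890" used by the RFC 4226/6238 test vectors.
RFC6238_TEST_SECRET = base64.b32encode(b"12345678901234567890").decode()


def parse_otpauth(uri):
    """Extract the parameters an authenticator app stores after scanning the QR code."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    if "secret" not in q:
        raise ValueError("otpauth URI has no secret")
    return {
        "label": unquote(u.path.lstrip("/")),
        "secret": q["secret"],
        "issuer": unquote(q.get("issuer", "")),
        "digits": int(q.get("digits", "6")),
        "period": int(q.get("period", "30")),
        "algorithm": q.get("algorithm", "SHA1").lower(),
    }


def hotp(secret_b32, counter, digits=6, algorithm="sha1"):
    """HOTP (RFC 4226): HMAC the counter, dynamically truncate, reduce mod 10^digits."""
    secret_b32 = secret_b32.strip().replace(" ", "").upper()
    key = base64.b32decode(secret_b32 + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, at=None, period=30, digits=6, algorithm="sha1"):
    """What the app displays: HOTP over the current time step (30 s by default)."""
    t = int(time.time() if at is None else at)
    return hotp(secret_b32, t // period, digits, algorithm)


def verify_totp(secret_b32, code, last_counter=-1, at=None, period=30, digits=6,
                algorithm="sha1", window=1):
    """Server-side check.

    Accepts the current time step plus/minus `window` steps to tolerate clock
    drift, compares in constant time, and refuses any step that is not newer
    than `last_counter` so a code an attacker observed cannot be replayed.
    Returns (accepted, counter_to_store).
    """
    t = int(time.time() if at is None else at)
    step = t // period
    for c in range(step - window, step + window + 1):
        if c <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret_b32, c, digits, algorithm), code):
            return True, c
    return False, last_counter


if __name__ == "__main__":
    enrolled = parse_otpauth(SAMPLE_URI)
    now = int(time.time())
    code = totp(enrolled["secret"], now, enrolled["period"], enrolled["digits"])
    ok, ctr = verify_totp(enrolled["secret"], code, at=now)
    replay, _ = verify_totp(enrolled["secret"], code, last_counter=ctr, at=now)
    print(f"{enrolled['issuer']} / {enrolled['label']}: code {code}, "
          f"accepted={ok}, replay accepted={replay}")
```

The server stores `counter_to_store` after each successful login; that one integer is what stops a code that was phished or shoulder-surfed a few seconds ago from being used a second time inside the same 30-second window.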
While Google and Microsoft both offer their own authenticator apps that work with a wide range of online services, I personally prefer Authy. It’s free, and more importantly, you can install it on multiple devices at once. I have Authy installed on my iPhone, Android phone, iPad, Windows desktop, Windows laptop and Mac Mini, which means my 2FA codes are never out of reach.
This convenience comes with a trade-off: adding a new device to your Authy account requires its own verification code, which Authy can deliver by text message, so the multi-device feature brings back some of the SMS exposure you were trying to avoid. Authy mitigates this in two ways: you also have to enter a separate backups password to decrypt your tokens on the new device, and you can disable the ability to add new devices altogether. To turn the feature back on, you need physical access to a device where Authy is already installed.
I wouldn’t rely solely on Authy if you’re prone to forgetting passwords, because there’s no way to recover your Authy data if you lose that password. But if you want easy access to 2FA codes across multiple devices – including your computer – the multi-device support makes it hard to beat.
Use email or app-based 2FA instead of text

Jared Newman / Foundry
If you’ve ever seen the “Trying to sign in?” prompt on your phone when you sign into Gmail on a new device, that is itself a form of 2FA: the service uses an existing, already-authenticated login on one device to approve the sign-in on another. Similarly, some services send you an additional verification code by email when you sign in on a new device.
Either approach is better than getting codes via text, at least if the devices and the email account involved are themselves secured (ideally with 2FA of their own, since email-based 2FA is only as strong as the mailbox it lands in). In most cases you can enable these methods alongside an authenticator app like Authy, so that you have more than one way of getting into your accounts once 2FA is turned on.
To make doubly sure that you can always get into your account, some services also let you print a set of single-use backup codes, or register a USB security key that you plug in as your second factor. A hardware key has a further advantage over codes of any kind: it only answers to the genuine site it was registered with, so a look-alike phishing page cannot trick you into handing over a code. For example, last year I set up a Yubico security key with my Gmail, Microsoft, Twitter, and Stripe accounts, so if I ever need to sign in on a new device, I can just connect the key instead of using Authy. You can see which online accounts work with YubiKey here.
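Backup codes are only as good as the way the service handles them: they must be random, stored in a form that is useless if the database leaks, and accepted exactly once. The following added example, which is not the article’s code and not any particular service’s implementation, shows in Python how a service can issue a printable set of single-use codes, keep only salted slow-hashed copies, and redeem each one a single time. The user record is a constructed in-memory dict standing in for a database row; the alphabet and code length are assumptions chosen for this example.

```python
"""Single-use backup codes for 2FA recovery.

Added example; not the article's code and not any particular service's
implementation. The user record is a constructed in-memory dict.
"""
import hashlib
import hmac
import secrets

# Unambiguous characters only: no 0/O or 1/l/I, so codes survive being printed and retyped.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
PBKDF2_ROUNDS = 100_000


def _canonical(code):
    """Canonical form for comparison: lowercase, separators and whitespace dropped."""
    return "".join(ch for ch in code.lower() if ch.isalnum())


def _hash(code, salt):
    # A slow hash matters here: eight characters from a 31-symbol alphabet is
    # only about 40 bits of entropy, so a leaked table of fast hashes could be
    # brute-forced offline in minutes.
    return hashlib.pbkdf2_hmac("sha256", _canonical(code).encode(), salt, PBKDF2_ROUNDS)


def issue_backup_codes(user, count=10, length=8):
    """Generate `count` codes, store only their salted hashes on the user record,
    and return the plaintext codes once so the user can print them.
    Issuing a new set replaces any previous set."""
    plaintext = []
    user["backup_salt"] = secrets.token_bytes(16)
    user["backup_hashes"] = []
    for _ in range(count):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        plaintext.append(raw[:4] + "-" + raw[4:])  # split for readability on paper
        user["backup_hashes"].append(_hash(raw, user["backup_salt"]))
    return plaintext


def redeem_backup_code(user, submitted):
    """Accept a code once: on a match it is deleted so it can never be reused.
    The whole list is scanned even after a hit so timing does not reveal
    which slots are still unspent."""
    digest = _hash(submitted, user["backup_salt"])
    matched = None
    for i, stored in enumerate(user["backup_hashes"]):
        if hmac.compare_digest(digest, stored) and matched is None:
            matched = i
    if matched is None:
        return False
    del user["backup_hashes"][matched]
    return True


if __name__ == "__main__":
    account = {}
    codes = issue_backup_codes(account)
    print("Print these and keep them offline:", " ".join(codes))
    print("first use:", redeem_backup_code(account, codes[0]))
    print("second use:", redeem_backup_code(account, codes[0]))
```

One salt per set, rather than per code, keeps a redemption down to a single PBKDF2 computation regardless of how many codes are outstanding, while still preventing a rainbow table built for one user from being reused against another.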
Sign in with Google or Apple when possible
Once you’ve gone through the trouble of locking down your Google and Apple accounts, consider using them to sign in to other sites when that’s an option. For example, I often use “Sign in with Google” on sites that offer it, to save me having to create a new password and to give the site the same level of security as my Google account. The flip side is that every site you sign in to this way is only as secure as the Google or Apple account behind it, so set that account up with the strongest 2FA options available before you lean on it.
Setting up everything
Here’s where things get a little tricky: Not all apps or web services work with all the options I just described. Some may not support physical security keys or email-based authentication. Others may not provide printed codes as a backup. Still others may only offer text-based two-factor authentication, or not offer 2FA at all.
That doesn’t mean you should avoid 2FA altogether. Instead, use the best available option for each of your accounts, starting with the ones that hold your most important data. If 2FA options are limited or unavailable, it’s all the more important to use a strong, unique password for that account, preferably one generated and stored by a password manager.
Ready to get started? Here are quick links to set up 2FA on Google, Microsoft, Yahoo, Amazon, Facebook, Twitter, LinkedIn and Apple. Authy’s website also has a searchable list of tutorials for setting up 2FA on other websites.
For more practical tech advice, sign up for Jared’s Advisorator newsletter, where this column originally appeared.