Two-factor authentication done right

Google two-factor prompt

Ready or not, two-factor authentication is something you’ll need to start thinking about.

This approach to online security, which I’ll call “2FA” from here on, involves combining a regular password with a secondary numeric code, which you must enter on any device where you haven’t logged in before. This extra code typically gets sent to your phone, so someone who steals your password can’t get into your account unless they also have your phone (and know how to unlock it).

The added annoyance of 2FA is well worth the extra security it provides, which is why some tech companies have now started requiring it. Google began automatically adding 2FA to users’ accounts in 2021, and it’s on by default for most Apple IDs. and Amazon’s Ring also made 2FA mandatory after a string of camera hacks led to a round of bad press, and I’ve noticed Amazon selectively enforcing 2FA on it apps and website, sending a link to click on via text message when you login on a new device.

While these are all positive steps in my view, the smartest approach to 2FA isn’t merely passive. Many of these 2FA methods work by texting a code to your phone, which is better than nothing but is susceptible to potentially-devastating SIM hijacking attacks. (The FCC is only now starting to examine that problem.) And if your phone gets lost or stolen, you’ll want to have a backup 2FA method at the ready.

If you’re ready to take 2FA more seriously, here are some options to consider:

Use an authenticator app

Authy app

Instead of sending 2FA codes by text message, most major online services let you use an authenticator app to generate codes on your phone. The authenticator app syncs up to your online service—usually by having you scan a one-time QR code—and from then on, you use the app to look up the code when you’re logging in on a new device.

While lots of companies offer these authenticator apps, I personally use Authy. It’s free, and more importantly, you can install it on multiple devices at the same time. I have Authy installed on my iPhone, Android phone, iPad, Windows desktop, Windows laptop, and Mac Mini, which means my 2FA codes are never out of reach.

This convenience does come with a trade-off: Installing Authy on a new device requires an authentication code that Authy can always send via text message. But Authy mitigates this in two ways: You must also enter a password to unlock your backups on a new device, and you can always disable the ability to install Authy on new devices. Only someone with physical access to your existing Authy apps can then turn that ability back on.

I wouldn’t recommend Authy if you’re prone to forgetting passwords, but otherwise, its backup abilities are tough to beat.

Use email or app-based 2FA instead of text

If you’ve ever seen the “Are you trying to sign in?” prompt on your phone when logging into Gmail on a new device, this in itself is a form of 2FA, using an existing sign-in on one device to help you sign in on another. It’s similar in principle to the way some services send you an extra verification code via email the first time you log in.

Either approach is more secure than getting codes via text message, and both can be used in addition to an authenticator app such as Authy, providing yet another backup method for getting into your account.

Use printed codes or a security key for extra backup

Yubikey

To make doubly sure that you can always get into your account, some services will let you print out backup codes or plug a USB security key into your device for 2FA. A couple months ago, I set up a Yubico security key with my Gmail, Microsoft, Twitter, and Stripe accounts, so if I ever need to log in on a new device, I can just plug in the key instead of using Authy. You can see which online accounts work with Yubikey here.

Sign in with Google or Apple

Once you’ve gone through the trouble of locking down your main accounts, you can use those accounts to log in on other sites whenever possible. Options like “Sign in with Google” and “Sign in with Apple” will spare you from creating another password and gives that site the same level of security.

Setting it all up

Here’s where things get a little tricky: Not every app or online service works with all of the options I just described. Some, like Google and Microsoft, support authenticator apps, physical security keys, email or app-based authentication, and printed security codes. Others may only support a subset of those methods. Still others may only provide 2FA via text message or not at all.

The best you can do, then, is size up the options for each account you have, starting with the ones you care most about protecting. If those options are limited, it’s all the more important to rely on strong passwords—preferably generated by a password manager.

Ready to get started? Here are quick links to setting up 2FA on GoogleMicrosoftYahooAmazonFacebookTwitterLinkedIn, and Apple. Authy’s website also has a searchable list of tutorials for setting up 2FA on other sites. And if you need more help, I’m always an email away.

← Back to more Advisorator Guides