Getting started with 2FA

Secure your accounts now or regret it later.

iPad & iPhone User – Jason Cross reports

Millions of users have their online accounts compromised every day. Password lists are traded on the dark web, and bad actors use automated processes to try them against lots of accounts and services. Sophisticated phishing attacks attempt to trick you into giving away your password (or the info necessary to reset it) by posing as legitimate services or customer support.

Obviously, the best defence against this sort of thing is to have a different, strong, hard-to-guess password for every single account you own. A good password manager like 1Password ( or LastPass (fave.co/3bAzJCX) is a key component in managing that. But good passwords are not enough. Not a month goes by without another report of millions of passwords potentially compromised, and a computer infected with a virus can simply watch the passwords as you type them in. You need another layer of protection. You need 2FA.


Two-factor authentication (usually abbreviated 2FA) is a way to prove that you actually are the owner of a particular account by providing two ‘factors’ of evidence. One factor is a piece of knowledge – your password or PIN, for instance. Another factor may be possession of a particular object – a phone that receives texts sent to a certain number, a USB key fob, or access to an email address. Another factor may be inherence – something inherent to you, like your fingerprint or a retinal scan.

In other words, 2FA secures your account by making you provide something you know (your password or PIN) along with something you possess (your smartphone, fingerprint, or a physical key) or something you are (your fingerprint or a detailed face scan).

Consider the front door to your house. If you can open it with just a key, that’s one-factor authentication; you only need to possess that specific object. If you had to open your door with a physical key and also dial a four-digit PIN into an electronic lock, that would be two-factor authentication.

Some companies call this sort of security MFA (multi-factor authentication) or two-step verification. While these terms are a little different than 2FA, for most consumer applications they essentially mean the same thing.


The vast majority of 2FA methods for the kinds of everyday accounts consumers have will be your regular password or PIN, together with one of three other methods of proof:

Email: When you try to log in, the service will send an email to the email address already associated with your account that contains a short code. The code is only usable for a limited time. You check your email, type in the code and access your account.

Text message: The service sends an SMS text message to the phone number it has on record for you, containing a code (typically a six-digit number). The code is only good for a few minutes.

TOTP app: A special app on your smartphone generates a TOTP (Time-based One Time Password) based on a unique secret string shared with the service. The password (usually a string of six numbers) is only good for 30 seconds to a minute, after which another code is generated.

Of these methods, the TOTP app approach is best. A single good 2FA code app can be used for lots of services at once, and it’s more secure than having codes sent to your email (if your email login is what has been hacked, you’re in trouble) or via SMS (a process called SIM-jacking can enable scammers to transfer your phone number to a new SIM card and intercept your text messages).

TOTP apps are not as convenient as text messages. You have to load an app onto your phone, open it and check for codes whenever you log in from a new computer, browser, or device. But it’s the best blend of convenience, ubiquity, and security, so it’s the method that we recommend. Our favourite TOTP app is Authy (fave.co/3h7Jb1x), but you should also check out LastPass Authenticator (fave.co/2F8pg5O), Microsoft Authenticator (, and Google Authenticator (

Unfortunately, some sites and services only offer 2FA through email or SMS. If that’s the case, take what you can get. It’s still a lot more secure than not enabling 2FA at all.


A hardware security key device is probably the most secure means of locking down your account. Someone would have to physically steal the hardware key fob from you in order to get in.

The best option for Mac and iPhone users is probably the YubiKey 5Ci (available from, which has connections for both USB-C and Lightning and support for a wide array of security protocols and services. The downside? It’s £70 for a single key. There are some cheaper options, but any way you slice it, it’s another physical thing you need to have with you at all times, or else you won’t be able to get into your accounts. And if you lose it (it’s tiny), you have to go through every service for which you enabled it and use whatever secondary authentication method they have to recover access to your account.

Hardware keys are great if you’re so inclined, but we still think the best intersection of security, cost, and ease of use is a TOTP app.


We’ve already told you how to set this up on your Apple ID. That’s important, but you can’t stop there. Many of your other accounts are critically important to secure, too. The process for enabling 2FA is a little different for each account and service you may have. A simple Google search will help you find some instructions, but we’ve compiled a list of the most popular Internet accounts here, with links to their help pages describing how to enable 2FA.


Google supports many different 2FA methods and has a helpful site (seefoii) describing how it works.


Twitter is one of the most frequently – and publicly – compromised accounts on the Internet. To enable 2FA, go to


With over 2 billion people on Facebook, it’s an enormous target for hackers. Thankfully, the service has a helpful article that shows you how to set up 2FA –


Instagram has a help page for 2FA that tells you how to set it up on your account –


Your Amazon account likely has payment methods associated with it, and is a huge target for thieves looking to buy stuff using your money. This page shows you how to enable two-step verification –


Like all major social media accounts, you should protect your Reddit account with 2FA. Here’s the help page describing how to do so –

Microsoft (Xbox)

You may have your own Microsoft account, or one for work, or both. If you have an Xbox account, that’s a Microsoft account, and it’s a target for scammers and hackers. Here’s the page describing how to enable 2FA for your Microsoft accounts –


PlayStation gamers will want to secure their account with 2FA as well. Sony, unfortunately, only supports text messages as its 2FA method. But it’s a lot better than nothing. For further details, go to


A Nintendo account may be used on a Switch or Wii system, but also in some Nintendo mobile apps. As with all gaming accounts, you’ll want to enable 2FA to lock it down. Nintendo tells you to use Google Authenticator for TOTP codes, but we’ve used other apps just fine. You can find out more at fave.co/3bEN9Of.


A password manager is the gatekeeper to all your passwords. How could you not enable 2FA on it? Every password manager has its own instructions for how to enable 2FA, but here are the help pages for: 1Password (fave.co/3ipdGBI), LastPass (cVz) and Dashlane (


If someone gets access to your bank account online, they can basically take all your money. You’d be crazy not to secure those accounts with 2FA. There are too many banks and building societies to list them all here. Just be sure you have 2FA enabled for every place in which you store or borrow money. Don’t forget about credit card accounts and stock trading services, too. Fortunately, many banks enable 2FA by default these days – at least via email or text message. But some offer more secure options that you might want to explore.

Apps such as Authy ( generate one-time codes for lots of sites and services.

Hardware keys like YubiKey are fast and secure, but aren’t cheap. And it’s another thing to carry around.

Setting up 2FA is slightly different for each account and service you have. Here’s Sony’s PlayStation page.
