Getting started with 2FA
Secure your accounts now or regret it later.
Millions of users have their online accounts compromised every day. Password lists are traded on the dark web, and bad actors use automated processes to try them against lots of accounts and services. Sophisticated phishing attacks attempt to trick you into giving away your password (or the info necessary to reset it) by posing as legitimate services or customer support.
Obviously, the best defence against this sort of thing is to have a different, strong, hard-to-guess password for every single account you own. A good password manager like 1Password (fave.co/3320MD2) or LastPass (fave. co/3bAzJCX)is a key component in
managing that. But good passwords are not enough. Not a month goes by without another report of millions of passwords potentially compromised, and a computer infected with a virus can simply watch the passwords as you type them in. You need another layer of protection. You need 2FA.
WHAT IS 2FA?
Two-factor authentication (usually abbreviated 2FA) is a way to prove that you actually are the owner of a particular account by providing two ‘factors’ of evidence. One factor is a piece of knowledge – your password or PIN, for instance. Another factor may be possession of a particular object
– a phone that receives texts sent to a certain number, a USB key fob, or access to an email address. A another factor may be inheritance – something inherent to you, like your fingerprint or a retinal scan.
In other words, 2FA secures your account by making you provide something you know (your password or PIN) along with something you possess (your smartphone, fingerprint, or a physical key) or something you are (your fingerprint or a detailed face scan).
Consider the front door to your house. If you can open it with just a key, that’s one-factor authentication; you only must possess that specific object. If you had to open your door with both a physical key as well as dial in a four-digit pin into an electronic lock, that would be two-factor authentication.
Some companies call this sort of security MFA (multi-factor authentication) or two-step verification. While these terms are a little different than 2FA, for most consumer applications they essentially mean the same thing.
SMS, EMAIL OR APP?
The vast majority of 2FA methods for the kinds of everyday accounts consumers have will be your regular password or pin, together with one of three other methods of proof:
Email: When you try to log in, the service will send an email to the email address already associated with your account that contains a short code. The code is only usable for a limited time. You check your email, type in the code and access your account.
Text message: The service sends an SMS text message to the phone number it has on record for you, containing a code (typically a six-digit
number). The code is only good for a few minutes.
TOTP app: A special app on your smartphone generates a TOTP (Time-based One Time Password) based on a unique secret string shared with the service. The password (usually a string of six numbers) is only good for 30 seconds to a minute, after which another code is generated.
Of these methods, the TOTP app approach is best. A single good 2FA code app can be used for lots of services at once, and it’s more secure than having codes sent to your email (if your email login is what has been hacked, you’re in trouble) or via SMS (a process called SIM-jacking can enable scammers to transfer your phone number to a new SIM card and intercept your text messages).
TOTP apps are not as convenient as text messages. You have to load an app onto your phone, open it and check for codes whenever you log in from a new computer, browser, or device. But it’s the best blend of convenience, ubiquity, and security, so it’s the method that we recommend. Our favourite TOTP app is Authy (fave. co/3h7Jb1x), but you should also check out LastPass Authenticator (fave. co/2F8pg5O), Microsoft Authenticator (fave.co/3324QDi), and Google Authenticator (fave.co/3361wY8).
Unfortunately, some sites and services only offer 2FA through email or SMS. If that’s the case, take what you can get. It’s still a lot more secure than not enabling 2FA at all.
A hardware security key device is probably the most secure means of locking down your account. Someone would have to physically steal the hardware key fob from you in order to get in.
The best option for Mac and iPhone users is probably the YubiKey 5Ci (available from fave.co/35mRrZD), which has connections for both USB-C and Lightning and support for a wide array of security protocols and services. The downside? It’s £70 for a single key There are some cheaper options, but any way you slice it, it’s another physical thing you need to have with you at all times, or else you won’t be able to get into your accounts. And if you lose it (it’s tiny), you have to go through every service for which you enabled it and use whatever secondary authentication method they have to recover access to your account.
Hardware keys are great if you’re so inclined, but we still think the best intersection of security, cost, and easeof-use is a TOTP app.
HOW TO PROTECT YOUR ACCOUNTS WITH 2FA
We’ve already told you how to set this up on your Apple ID. That’s important, but you can’t stop there. Many of your other accounts are critically important to secure, too. The process for enabling 2FA is a little different for each account and service you may have. A simple Google search will help you find some instructions, but we’ve compiled a list of the most popular Internet accounts here, with links to their help pages describing how to enable 2FA.
Google supports many different 2FA methods and has a helpful site (see fave.co/2DJfoii) describing how it works.
Twitter is one of the most frequently – and publicly – compromised accounts
on the Internet. To enable 2FA, go to fave.co/2Zkdz2L.
With over 2 billion people on Facebook, it’s an enormous target for hackers. Thankfully, the service has a helpful article shows you how to set up 2FA – fave.co/2Fk9LYo.
Instagram has a help page for 2FA that tells you how to set it up on your account – fave.co/32aaVP6.
Your Amazon account likely has payment methods associated with it, and is a huge target for thieves looking to buy stuff using your money. This page shows you how to enable twostep verification – fave.co/3275IHA.
Like all major social media accounts, you should protect your Reddit account with 2FA. Here’s the help page describing how to do so – fave.co/2DE5ONt.
You may have your own Microsoft account, or one for work, or both. If you have an Xbox account, that’s a Microsoft account, and it’s a target for scammers and hackers. Here’s the page describing how to enable 2FA for your Microsoft accounts – fave.co/32amgPe.
PlayStation gamers will want to secure their account with 2FA as well. Sony, unfortunately, only supports text messages as its 2FA method. But it’s a lot better than nothing. For further details, go to fave.co/3h8fmy8.
A Nintendo account may be used on a Switch or Wii system, but also in some
Nintendo mobile apps. As with all gaming accounts, you’ll want to enable 2FA to lock it down. Nintendo tells you to use Google Authenticator for TOTP codes, but we’ve used other apps just fine. You can find out more at fave. co/3bEN9Of.
A password manager is the gatekeeper to all your passwords. How could you not enable 2FA on it? Every password manager has its own instructions for how to enable 2FA, but here are the help pages for: 1Password (fave. co/3ipdGBI), LastPass (fave.co/3htccVz) and Dashlane (fave.co/3iolyU3).
If someone gets access to your bank account online, they can basically take all your money. You’d be crazy not to secure those accounts with 2FA. There are too many banks and building societies to list them all here. Just be sure you have 2FA enabled for every place in which you store or borrow money. Don’t forget about credit card accounts and stock trading services, too. Fortunately, many banks enable 2FA by default these days – at least via email or text message. But some offer more secure options that you might want to explore.
Apps such as Authy (fave.co/3h7Jb1x) generate one-time codes for lots of sites and services.
Hardware keys like YubiKey are fast and secure, but aren’t cheap. And it’s another thing to carry around.
Setting up 2FA is slightly different for each account and service you have. Here’s Sony’s PlayStation page.