APC Australia

Authenticate with Google

We’re going to highlight the Google Authenticator as a prime TFA tool.


Install it on your phone, then fire up the service you want to protect with TFA. LastPass uses Google Authenticator (among others) to do so. Using that as an example, head to ‘LastPass Vault > Account Settings > Multifactor options’. Click the Edit button and enable it. Use the Barcode option to display a QR code. On your phone, open Google Authenticator, tap the + and click ‘Scan barcode’, then point your phone at the on-screen QR code. LastPass has now been added to Google Authenticator.

Any time someone tries to access your LastPass Vault from a new device, they must enter the current code (this updates every 30 seconds) before access is granted. There’s an option to allow access for 30 days, before another TFA prompt appears on that device, so it’s not too annoying. Without your phone, there’s no access.

TFA is great, but does have a couple of provisos. Firstly, the service using it mustn’t be monumentally stupid. It was discovered that some services could have TFA circumvented by simply calling up and providing some basic personal information, making the use of TFA more security theatre than actual security. The second is that potentially the TFA code is locked to the one phone. Technically, a rooted Android device enables you to transfer the Google Authenticator secrets, but if you get a new phone, ensure you disable TFA on your services, before wiping your old one. Otherwise, you could be locked out of vital services. LastPass keeps the QR code secret, so you can have it on multiple devices, and transfer it later on, as long as you can log in.

Because of the magical nature of cryptography math, many services also offer offline access options, usually via a bank of single-use passcodes that you can print or scribble down, and keep safe somewhere. It means if your phone is stolen or broken, you can still access accounts.
