iPad & iPhone User

How to get started with two-factor authentication

Unique passwords are essential, but they’re not enough. You should secure all accounts with 2FA. Jason Cross reports


Millions of online accounts are compromised every day. Leaked password lists are traded on the dark web, and attackers use automated tools to try them against lots of accounts and services (so-called credential stuffing). Sophisticated phishing attacks attempt to trick you into giving away your password (or the information needed to reset it) by posing as legitimate services or customer support.

Obviously, the best defence against this sort of thing is to have a different, strong, hard-to-guess password for every single account you own. A good password manager like 1Password, LastPass or Dashlane is a key component in managing that (see page 61 for our round-up of the best password managers).

But good passwords are not enough. Not a month goes by without another report of millions of passwords potentially compromised, and malware on an infected computer can simply record your passwords as you type them. You need another layer of protection. You need 2FA.

We’ve already told you how to enable 2FA on your Apple account, but what about all your other accounts? Those should be protected with just as much care. Here’s how to get started.

What is 2FA?

Two-factor authentication (usually abbreviated 2FA) is a way to prove that you really are the owner of a particular account by providing two different ‘factors’ of evidence. One factor is something you know – your password or PIN, for instance. Another is something you possess – a phone that receives texts sent to a certain number, a USB key fob, or access to an email inbox. A third is inherence – something inherent to you, like your fingerprint or a retinal scan.

In other words, 2FA secures your account by making you provide something you know (your password or PIN) along with something you possess (your smartphone or a physical security key) or something you are (your fingerprint or a detailed face scan). The two proofs must be of different kinds: two passwords, or two codes delivered to the same phone, are not two factors.

Consider the front door to your house. If you can open it with just a key, that’s one-factor authentication: you only need to possess that specific object. If you had to open the door with a physical key and also enter a four-digit PIN into an electronic lock, that would be two-factor authentication. Some companies call this sort of security MFA (multi-factor authentication) or two-step verification. These terms differ slightly from 2FA (MFA, for instance, may involve more than two factors), but for most consumer applications they essentially mean the same thing.

SMS, email, or app?

The vast majority of 2FA methods offered for everyday consumer accounts combine your regular password or PIN with one of three other proofs:

Email: When you try to log in, the service sends a short code to the email address already associated with your account. The code is only usable for a limited time. You check your email, type in the code and access your account.

Text message: The service sends an SMS text message containing a code (typically a six-digit number) to the phone number it has on record for you. The code is only good for a few minutes.

TOTP app: An app on your phone generates a TOTP (Time-based One-Time Password) from a secret string that you and the service share when you enrol, usually by scanning a QR code. The password (usually a string of six digits) is only good for 30 seconds to a minute, after which another code is generated.

Of these methods, the TOTP app approach is best. A single good 2FA code app can be used for lots of services at once, and it’s more secure than having codes sent to your email (if your email login is what has been hacked, the attacker receives the codes too) or via SMS (a process called SIM-jacking, or SIM swapping, lets scammers persuade your carrier to move your phone number to a SIM card they control, after which they intercept your text messages).

TOTP apps are not as convenient as text messages. You have to install an app on your phone, open it, and copy the current code whenever you log in from a new computer, browser, or device. But it’s the best blend of convenience, ubiquity, and security, so it’s the method that we recommend. Our favourite TOTP app is Authy (fave.co/39K7QXL), but you should also check out LastPass Authenticator (fave.co/3aotX5x), Microsoft Authenticator (fave.co/32TmAR8) and Google Authenticator (fave.co/2TqlyZP).

Unfortunat­ely, some sites and services only offer 2FA through email or SMS. If that’s the case, take what you can get. It’s still a lot more secure than not enabling 2FA at all.

What about hardware keys?

A hardware security key is probably the most secure means of locking down your account. Someone would have to physically steal the key from you, as well as know your password, in order to get in. The best option for Mac and iPhone users is probably the YubiKey 5Ci, which has connectors for both USB-C and Lightning and supports a wide array of security protocols and services. The downside? It’s £76 (from fave.co/2TkUwCQ) for a single key. There are some cheaper options, but any way you slice it, it’s another physical object you need to have with you at all times, or else you won’t be able to get into your accounts.

And if you lose it (it’s tiny), you have to go through every service for which you enabled it and use whatever secondary authentication method each one offers to recover access to your account. If you do go this route, register a second key as a backup wherever the service allows it and keep it somewhere safe.

Hardware keys are great if you’re so inclined, but we still think the best intersecti­on of security, cost, and ease-of-use is a TOTP app.

Two-factor authentication is a way to prove that you are the owner of a particular account

Apps like Authy generate one-time codes for lots of sites and services

Hardware keys like YubiKey are fast and secure, but aren’t cheap. And it’s another thing to carry around
