How to do two-factor authentication like a pro

You can hold the key to your online security. Like, literally.
USB security key on laptop
“Where did I leave the spare key to my email account?” is a phrase you can actually say. Brina Blum via Unsplash

If your level of anxiety over online security and privacy is on the healthy side, you probably already have two-factor authentication (2FA) set up for your main accounts. If you don’t, you should seriously consider activating it to protect yourself from phishing, hacks, and anybody who may want to steal your data.

Don’t know what I’m talking about? Here’s the 101: 2FA adds an extra layer of security to your online accounts. When activated, this protocol will ask you for something other than your username and password whenever you log in from a new device. That may be a code, a key, or to accept a prompt on your smartphone. This way, if somebody gets your password, 2FA will prevent them from getting into your account.

“It’s definitely a lot better than not having any second factor. You’ve given any attacker more work that they need to do,” says Shuman Ghosemajumder, chief technology officer of Shape Security.

But deciding to activate 2FA is like deciding you want to start running—do you just want to jog a bit, train for a 5k, or get yourself in shape for an entire marathon? There are a number of options, including apps and security keys, that provide different levels of protection for all your security and privacy needs. You can use a single method that works best for you, or employ several for one account, depending on the platform. The choice is yours.

Level 1: SMS

Security SMS text from Google
Don’t get too excited—it’s not the cute guy from the weekend. It’s just Google. Sandra Gutierrez G.

People often choose to employ 2FA via text messaging (specifically, short message service, or SMS) because it’s so practical. The process is simple: you log into your account with your username and password, receive a text with a code, then type that code into the login screen to gain access to your account.

The problem with text messaging is that because it’s data that travels through a phone line, it can be compromised and your six-digit code intercepted. You know how you can switch cell phone providers and still keep your number? That’s called a SIM swap and you can request one by providing nothing more than your phone number and the last four digits of your Social Security number. Thanks, in part, to major hacks, the internet currently has a well-nurtured database of SSNs, which could make it rather easy for an account thief to steal your cell phone number and redirect your authentication texts to another device.

That’s exactly what happened in 2018 when hackers accessed Reddit employees’ accounts via text message-based 2FA, compromising data from thousands of the platforms’ users.

If you think nobody would ever go through so much trouble to steal your data, think again.

“It’s certainly something that happens, but what’s even easier than that is to just use that phone number to send a phishing message,” Ghosemajumder says.

That’s called smishing—a portmanteau of “SMS” and “phishing”—and it’s the text message version of those sketchy emails that claim to come from your bank and urge you to click a link.

Still, text message-based 2FA is practical and, regardless of its vulnerabilities, better than nothing at all. But if you store sensitive data in your accounts or if we’ve simply scared you away from text messages, there are other more secure methods you can try.

Level 2: Apps and prompts and codes, oh my!

Authy screenshot
Could you imagine someone snapping pictures with totally basic filters from your Snapchat? Better protect that account. Google Play Store

Google users can ask to receive prompts to verify a sign-in to their account from a new device. Then, when you log in with your username and password, you’ll see a pop-up window on your phone asking if it was actually you who tried to log in, and if you authorize it. These prompts are encrypted and travel through Google’s network, so they’re less likely to be compromised than texts, which makes them safer.

But not all platforms offer prompts. That’s why another popular strategy for 2FA is to use code generator apps. They’re pretty self-explanatory—the apps generate six-digit codes that you can use to log into your accounts. These codes are created randomly using time-based one-time password (TOTP) protocol, meaning they can only be used once, and for a limited amount of time—generally 30 seconds—before they’re automatically replaced with another. Code generator apps can be practical because they let you link as many accounts as you want, but you only need to go to one place for all your codes.

One of the simplest code generator apps is Google Authenticator (available for Android and iOS). It not only works with Google accounts, but also with any other platform that supports code generator-based 2FA.

If you want a more customizable experience, you can go for apps such as AndOTP (available only for Android) or Authy (also available for iOS), which let you add labels and icons featuring the logos of several platforms, so you can identify codes at a glance.

For extra safety, you can protect these apps with a PIN number or—in Authy’s case—your fingerprint, so even if someone steals your phone and gains access to it, they still couldn’t use your code generator app. Another cool feature of both AndOTP and Authy is “tap to reveal,” which hides all your codes and only reveals one at a time as you tap the one you need. This can be useful if you’re accessing one of your accounts in a public place where someone can easily look at your phone.

To use a code generator app on Facebook, for example, go to Settings > Security and Login > Use two-factor authentication > Authentication App. Facebook will then display a QR code you’ll have to scan with your phone’s camera via the code generator app when you add your Facebook account. Finally, enter the code provided by the app. This will make sure your app is in sync with Facebook.

Level 3: If you don’t trust digital, go analog

USB C security key
To charge or to use your security key? Ah, there’s the rub. Yubico

In an era when it sometimes seems nothing you put on your phone can be trusted to be safe, going back to basics may be a good idea. If your level of security anxiety is this high, there are a couple more-analog methods you can use with 2FA that will allow you to sleep better at night.

The easiest option is to get a security key—a tiny USB device you use the same way you would the keys to your apartment. Once you enter your username and password on a new device, the 2FA protocol will ask you to plug your security key into the device’s USB port and tap it once to complete your login. These little gadgets are super useful and exceptionally easy to carry around—just hook yours to your keychain and you’ll always have it with you.

The most traditional security keys on the market are compatible with USB-A ports or, as you may know them, regular duck-mouthed USB ports. This immediately leaves behind mobile devices such as smartphones and tablets, as well as tiny laptops such as the MacBook Air that don’t have their own USB-A ports. There are USB-C security keys on the market, too, and they’re compatible with most newer mobile devices, but they tend to be a little pricier, going for $40 to $60 on Amazon.

It’s common for people to register multiple security keys for a single account, Ghosemajumder says. That way, they can stash a spare in a secure place in case they lose one they use regularly.

If you keep misplacing your security keys or just don’t want to invest in one, your Android phone can act as a key for your Google account. The company announced this new feature in April, and it lets people use their smartphones to confirm logins through Bluetooth. Doing so will connect your phone to the device you’re logging into and make sure you’re accessing a secure website.

If this still isn’t analog enough for you, you can always opt for backup or recovery codes. Supported by all major platforms, including Google, Apple, Facebook, Instagram, and Twitter, this method involves one or more codes you can either save in a document or copy onto a piece of paper and carry around with you. For your Google account, for example, you can find them in Account > Security > 2-Step Verification > Backup Codes. In general, they’re listed within the recovery or backup codes section in the 2FA settings of most accounts.

Post its and a hand holding two Sharpies
Nothing is more analog than pen and paper. Although you can also carve your backup codes in a cave somewhere. That’ll work. Kelly Sikkema via Unsplash

These are limited and you can only use each of them once, so if you run out, you have to log in again and get more. Backup codes are not designed to be used instead of prompts or security keys, but they can be quite useful in extreme cases, such as when you’re traveling and don’t have your phone or security key with you.

As you can see, there are a lot of ways to use 2FA and you can choose which one works best for you. Different platforms support different methods, so check out Two Factor Auth to see which ones are available for your accounts.

Keep in mind that you can—and should—enable more than one method of 2FA. It’s always a good idea to have a backup in case you lose your phone or security key, or something is wrong with your connection. Just remember your security strategy will be as weak as the least-secure 2FA method you choose. So choose wisely.