Setting Up Two-Factor Authentication

Two-factor authentication protects your accounts in ways even the strongest password can’t. Let’s go through how to set it up.

Two-factor authentication is the new standard for locking up your accounts, especially those you take with you everywhere on your mobile phone.

That’s because when it comes to your online security, simply having a “strong password” is no longer good enough. With the right skills and tools, even the strongest password will crack.

In the same way that getting a virtual U.S. phone number adds another layer of privacy, two-factor authentication (sometimes known as “2FA”) adds another layer of security to your account. Even if a hacker has your username and password, they can’t get into your account without the second factor.

What is two-factor authentication?

Two-factor authentication (sometimes referred to as two-factor verification) is a practice that requires an additional form of verification to allow you access to an account even after you have provided your password.

Hackers can use a brute-force attack to crack your password, or use login credentials that have been exposed in data breaches. That is why you should add another step to the account login process, one that relies either on something you have or on something that you are (that is, physical proof of your identity, such as a retina or fingerprint scan).

Since biometric scanners have yet to be universally adopted, that leaves us with a few other ways to secure your accounts:

  1. SMS-based two-factor authentication (often used with banks)
  2. Authenticator apps (such as Google Authenticator or Authy)
  3. Physical two-factor authentication security keys (such as the YubiKey)

1. SMS-based two-factor authentication

This one is easy and you’ve probably used it before. Your phone number is tied to your account, and when you log in, you’re prompted to enter a numeric code that’s been texted to your number. 

However, hackers have since come up with a way to take over your SIM card (and intercept those messages), so this method is now considered the least secure of these two-factor authentication methods.

2. Authenticator apps

You may have used one of these apps before (like Google Authenticator, Microsoft Authenticator, or Authy). Instead of having a verification code sent to your phone, you enter the time-based code provided by the authenticator app.

Authenticator apps refresh the verification code every 30 seconds, so even in the extremely unlikely event that someone gets access to the code, it will have expired by the time they get to use it.

3. Physical two-factor security keys (“Hardware tokens”)

Think of hardware tokens like authenticator apps, only instead of installing them on your phone, you carry them around with you in the form of a USB stick.

Some hardware tokens (such as the YubiKey) also act like an authenticator app by providing one-time passcodes that are stored on the key.

Hardware tokens are widely considered to be the most secure form of two-factor authentication, but they’re expensive, so we’re going to focus on the free method …

Setting up two-factor authentication on your phone

  1. Download an authenticator app (like Google Authenticator, Microsoft Authenticator, Authy or the Yubico Authenticator)
  2. Turn on two-factor authentication for the accounts you wish to secure. 
    1. Many apps will prompt you to turn on this feature, while also giving you the text option if you don’t wish to download an app.
    2. If you’re using the Google Authenticator app, click on the + button to add an account. You can choose to scan the QR code provided (if you’re doing this with two different devices) or manually enter the code below it (if you’re doing this on only one device). Once that’s done, the authenticator app will generate a code that you need to enter into your account to complete the process.
  3. Store your backups. If you lose access to your authenticator app, some accounts can be recovered while others will lock you out permanently, so create a backup in a safe place (containing any backup codes or QR codes) that can be accessed from another device if you ever need it.

How to use two-factor authentication when logging in

Once you have enabled two-factor authentication for all your accounts, you will be prompted to enter a passcode every time you log in to your account on a new device, or after a certain period of time.

All you have to do is open your authenticator app and enter the code attached to that specific account. Just remember that the code refreshes every 30 seconds and will expire if you wait too long before inputting it.

Also, if you trust that the device you are using is secure, you can add it to your trusted device list so that you are not prompted to enter the code every time you use the device to log in to that specific account.

Whichever form of two-factor authentication you choose, it’s absolutely worth the time and effort to keep your accounts protected.

Josh Summers writes about privacy and security on the All Things Secured website, where he focuses on helping the average internet user protect their data and identity online. Connect with Josh directly on Twitter.