Getting started with 2FA: Secure your accounts now or regret it later!

Unique passwords are essential, but they’re not enough. You should secure all important accounts with two-factor authentication.

icloud 2fa apple id
Michael Simon/IDG

Millions of users have their online accounts compromised every day. Password lists are traded on the dark web, and bad actors use automated processes to try them against lots of accounts and services. Sophisticated phishing attacks attempt to trick you into giving away your password (or the info necessary to reset it) by posing as legitimate services or customer support.

Obviously, the best defense against this sort of thing is to have a different, strong, hard-to-guess password for every single account you own. A good password manager like 1Password, LastPass, or Dashlane is a key component in managing that.

But good passwords are not enough! Not a month goes by without another report of millions of passwords potentially compromised, and a computer infected with a virus can simply watch the passwords as you type them in. You need another layer of protection. You need 2FA.

We’ve already told you how to enable 2FA on your Apple account, but what about all your other accounts? Those should be protected with just as much care. Here’s how to get started.

What is 2FA?

Two-factor authentication (usually abbreviated 2FA) is a way to prove that you actually are the owner of a particular account by providing two “factors” of evidence. One factor is a piece of knowledge—your password or PIN, for instance. Another factor may be possession of a particular object—a phone that receives texts sent to a certain number, a USB key fob, or access to an email address. A another factor may be inheritance—something inherent to you, like your fingerprint or a retinal scan.

In other words, 2FA secures your account by making you provide something you know (your password or PIN) along with something you possess (your smartphone, fingerprint, or a physical key) or something you are (your fingerprint or a detailed face scan).

Consider the front door to your house. If you can open it with just a key, that’s one-factor authentication; you only must possess that specific object. If you had to open your door with both a physical key as well as dial in a four-digit pin into an electronic lock, that would be two-factor authentication.

Some companies call this sort of security MFA (multi-factor authentication) or two-step verification. While these terms are a little different than 2FA, for most consumer applications they essentially mean the same thing.

SMS, email, or app?

The vast majority of 2FA methods for the kinds of everyday accounts consumers have will be your regular password or pin, together with one of three other methods of proof:

E-mail: When you try to log in, the service will send an email to the email address already associated with your account that contains a short code. The code is only usable for a limited time. You check your email, type in the code, and access your account.

Text message: The service sends an SMS text message to the phone number it has on record for you, containing a code (typically a six-digit number). The code is only good for a few minutes.

TOTP app: A special app on your smartphone generates a TOTP (Time-based One Time Password) based on a unique secret string shared with the service. The password (usually a string of six numbers) is only good for 30 seconds to a minute, after which another code is generated.

authy app Authy

Apps like Authy generate one-time codes for lots of sites and services.

Of these methods, the TOTP app approach is best. A single good 2FA code app can be used for lots of services at once, and it’s more secure than having codes sent to your email (if your email login is what has been hacked, you’re in trouble!) or via SMS (a process called SIM-jacking can enable scammers to transfer your phone number to a new SIM card and intercept your text messages).

TOTP apps are not as convenient as text messages. You have to load an app onto your phone, open it, and check for codes whenever you log in from a new computer, browser, or device. But it’s the best blend of convenience, ubiquity, and security, so it’s the method that we recommend. Our favorite TOTP app is Authy, but you should also check out LastPass Authenticator, Microsoft Authenticator, and Google Authenticator.

Unfortunately, some sites and services only offer 2FA through email or SMS. If that’s the case, take what you can get! It’s still a lot more secure than not enabling 2FA at all.

What about hardware keys?

A hardware security key device is probably the most secure means of locking down your account. Someone would have to physically steal the hardware key fob from you in order to get in.

The best option for Mac and iPhone users is probably the YubiKey 5Ci, which has connections for both USB-C and Lightning and support for a pretty wide array of security protocols and services. The downside? It’s $70 for a single key! There are some cheaper options, but any way you slice it, it’s another physical thing you need to have with you at all times, or else you won’t be able to get into your accounts.

And if you lose it (it’s tiny!), you have to go through every service for which you enabled it and use whatever secondary authentication method they have to recover access to your account.

yubikey 5ci Yubico

Hardware keys like YubiKey are fast and secure, but aren’t cheap. And it’s another thing to carry around.

Hardware keys are great if you’re so inclined, but we still think the best intersection of security, cost, and ease-of-use is a TOTP app.

How to protect popular accounts with 2FA

We’ve already told you how to set this up on your Apple ID. That’s important, but you can’t stop there. Many of your other accounts are critically important to secure, too.

The process for enabling 2FA is a little different for each account and service you may have. A simple Google search will help you find some instructions, but we’ve compiled a helpful list of the most popular internet accounts here, with links to their help pages describing how to enable 2FA.

Google

Google supports many different 2FA methods and has a helpful site describing how it all works.

Twitter

Twitter’s one of the most frequently—and publicly—compromised accounts on the internet. Here’s how to get 2FA enabled on your account.

Facebook

With over 2 billion people on Facebook, it’s an enormous target for hackers. This help article shows you how to set up 2FA.

Instagram

Instagram has a help page for 2FA that tells you how to set it up on your account.

Amazon

Your Amazon account likely has payment methods associated with it, and is a huge target for thieves looking to buy stuff using your money. This help page shows you how to enable two-step verification.

Reddit

Like all major social media accounts, you should protect your Reddit account with 2FA. Here’s the help page describing how to do so.

Microsoft (Xbox)

You may have your own Microsoft account, or one for work, or both. If you have an Xbox account, that’s a Microsoft account, and it’s a huge target for scammers and hackers. Here’s the page describing how to enable 2FA for your Microsoft accounts.

PlayStation

PlayStation gamers will want to secure their account with 2FA as well. Sony, unfortunately, only supports text messages as its 2FA method. But it’s a lot better than nothing.

Nintendo

A Nintendo account may be used on a Switch or Wii system, but also in some Nintendo mobile apps. As with all gaming accounts, you’ll want to enable 2FA to lock it down. Nintendo tells you to use Google Authenticator for TOTP codes, but we’ve used other apps just fine.

Password managers

A password manager is the gatekeeper to all your passwords. How could you not enable 2FA on it? Every password manager has its own instructions for how to enable 2FA, but here are the help pages for: 1Password, LastPass, and Dashlane.

Bank accounts

If someone gets access to your bank account online, they can basically take all your money. You’d be crazy not to secure those accounts with 2FA.

There are too many banks, credit unions, and financial institutions to list them all here. Just be sure you have 2FA enabled for every place in which you store or borrow money. Don’t forget about credit card accounts and stock trading services, too.

Fortunately, many banks enable 2FA by default these days—at least via email or text message. But some offer more secure options that you might want to explore.

This story, "Getting started with 2FA: Secure your accounts now or regret it later!" was originally published by Macworld.

Related:
  
Shop Tech Products at Amazon