If your level of anxiety over online security and privacy is on the healthy side, you probably already have two-factor authentication (2FA) set up for your main accounts. If you don’t, you should seriously consider activating it to protect yourself from phishing, hacks, and anybody who may want to steal your data.
Don’t know what we’re talking about? Here’s the 101: 2FA adds an extra layer of security to your online accounts. When activated, this protocol will ask you for something other than your username and password whenever you log in from a new device. That may be a code, a key, or a prompt you accept on your smartphone. This way, if somebody gets your password, 2FA will prevent them from getting into your account.
But deciding to activate 2FA is like deciding you want to start running—do you just want to jog a bit, train for a 5k, or get yourself in shape for an entire marathon? There are a number of options, including apps and security keys, that provide different levels of protection for all your security and privacy needs. You can use a single method that works best for you, or employ several for one account, depending on the platform. The choice is yours.
Level 1: SMS
People often choose to employ 2FA via text messaging (specifically, short message service, or SMS) because it’s so practical. The process is simple: you log into your account with your username and password, receive a text with a code, then type that code into the login screen to gain access to your account.
The problem with text messaging is that because it’s data that travels through a phone line, it can be compromised, and your six-digit code intercepted. You know how you can switch cell phone providers and still keep your number? That’s called a SIM swap and you can request one by providing nothing more than your phone number and the last four digits of your Social Security number. Thanks, in part, to major hacks, the internet currently has a well-nurtured database of SSNs, which could make it rather easy for an account thief to steal your cell phone number and redirect your authentication texts to another device.
If you think nobody would ever go through so much trouble to steal your data, think again.
Smishing, a portmanteau of “SMS” and “phishing,” is the text message version of those sketchy emails that claim to come from your bank and urge you to click a link.
Still, text message-based 2FA is practical and, regardless of its vulnerabilities, better than nothing at all. But if you store sensitive data in your accounts or if we’ve simply scared you away from text messages, there are other more secure methods you can try.
Level 2: Apps and prompts and codes, oh my!
Google users can ask to receive prompts to verify a sign-in to their account from a new device. Then, when you log in with your username and password, you’ll see a pop-up window on your phone asking if it was actually you who tried to log in, and if you authorize it. These prompts are encrypted and travel through Google’s network, so they’re less likely to be compromised than texts, which makes them safer.
But not all platforms offer prompts. That’s why another popular strategy for 2FA is to use code generator apps. They’re pretty self-explanatory—the apps generate six-digit codes that you can use to log into your accounts. These codes are created randomly using the time-based one-time password (TOTP) protocol, meaning they can only be used once, and for a limited amount of time—generally 30 seconds—before they’re automatically replaced with another. Code generator apps can be practical because they let you link as many accounts as you want, but you only need to go to one place for all your codes.
To use a code generator app on Facebook, for example, go to Settings > Security and Login > Use two-factor authentication > Authentication App. Facebook will then display a QR code you’ll have to scan with your phone’s camera via the code generator app when you add your Facebook account. Finally, enter the code provided by the app. This will make sure your app is in sync with Facebook.
Level 3: If you don’t trust digital, go analog
In an era when it sometimes seems nothing you put on your phone can be trusted to be safe, going back to basics may be a good idea. If your level of security anxiety is this high, there are a couple more-analog methods you can use with 2FA that will allow you to sleep better at night.
The easiest option is to get a security key—a tiny USB device you use the same way you would the keys to your apartment. Once you enter your username and password on a new device, the 2FA protocol will ask you to plug your security key into the device’s USB port and tap it once to complete your login. These little gadgets are super useful and exceptionally easy to carry around—just hook yours to your keychain and you’ll always have it with you.
The most traditional security keys on the market are compatible with USB-A ports or, as you may know them, regular duck-mouthed USB ports. This immediately leaves behind mobile devices such as smartphones and tablets. There are USB-C security keys on the market, too, and they’re compatible with most newer mobile devices, but they tend to be a little pricier.
If this still isn’t analog enough for you, you can always opt for backup or recovery codes. Supported by all major platforms, including Google, Apple, Facebook, Instagram, and Twitter, this method involves one or more codes you can either save in a password manager or copy onto a piece of paper and carry around with you. For your Google account, for example, you can find them in Account > Security > 2-Step Verification > Backup Codes. In general, they’re listed within the recovery or backup codes section in the 2FA settings of most accounts.
These are limited and you can only use each of them once, so if you run out, you have to log in again and get more. Backup codes are not designed to be used instead of prompts or security keys, but they can be quite useful in extreme cases, such as when you’re traveling and don’t have your phone or security key with you.
As you can see, there are a lot of ways to use 2FA and you can choose which one works best for you. Different platforms support different methods, so check out Two Factor Auth to see which ones are available for your accounts.
Keep in mind that you can—and should—enable more than one method of 2FA. It’s always a good idea to have a backup in case you lose your phone or security key, or something is wrong with your connection. Just remember your security strategy will be as weak as the least-secure 2FA method you choose. So, choose wisely.