The age of automated authentication through biometric scanning is almost here. Yet even in this time of Apple’s Face ID, Windows 10’s Hello, and the up-and-coming FIDO2 specification, passwords are still the main way we log in to our various accounts. That’s why two-factor authentication (2FA) is an important secondary step to guard your online data and services.
What is two-factor authentication?
Two-factor, or multi-factor, authentication is an additional login code for an account—a second line of defense to your sensitive info.
The basic idea is that a single password for your important accounts simply isn’t enough. If your password is guessed, or hackers steal a database with your login information in plain text, your account is a sitting duck. Two-factor authentication tries to address that flaw by requiring a secondary code called a one-time password (OTP)—usually six characters in length and generated by a smartphone app—before you can gain access to your account. That way even if a hacker has your password they’ll still need to crack a secondary code, which makes getting in that much harder.
There’s also an easier way to use 2FA called the FIDO U2F standard, supported by Google, Facebook, and many others. With this kind of authentication you use a physical security key, and insert that into your PC, touch the key’s button, and you’re “automagically” logged in.
2FA isn’t foolproof, however. If you decide to get your 2FA codes via SMS, for example, the code could potentially be intercepted by hackers, as researchers for Positive Technologies demonstrated in 2017. That said, SMS authentication is still far better than nothing. In May 2019, Google announced a one-year study it did in partnership with New York University and the University of California, San Diego. The trio found that SMS authentication blocked 96 percent of bulk phishing attacks, and 76 percent of targeted attacks trying to crack into your Google account.
That’s not bad protection, but Google’s on-device prompt strategy (we’ll cover this later) was even better, blocking 99 percent of bulk phishing attacks, and 90 percent of targeted attacks. App-based two-factor authentication is similar in that the second step is generated on the smartphone itself. So while this study didn’t mention 2FA apps specifically, we expect the results would be the same as, if not better than, an on-device prompt.
The fact is, using a software- or hardware-based 2FA solution on a device you own is a great way to protect your account, and far better than simply using SMS.
Any service that supports the standard OTP 2FA approach will work with all of the apps below, and that includes most mainstream websites and services. One notable exception is Steam, which provides a homegrown 2FA option in its mobile app.
Google Authenticator: Best overall
Using it is very simple and can introduce beginners to the basic premise of most 2FA apps. What you do is enable two-factor authentication on your services such as Facebook, Gmail, Dropbox. etc. Once it’s enabled, the service will ask you to take a snapshot of a QR code using the app—Android users need to download a QR code reading app to work with Google Authenticator.
Note: In some cases, 2FA is also called two-step verification, which is a distinction we won’t get into here.
Once the QR code’s been read, Authenticator will start generating codes and the service will typically ask you to input the current one to verify 2FA is working. You can add as many accounts as you like to Google Authenticator as long as they support 2FA.
LastPass Authenticator: Runner up
LastPass’s free authentication app uses a feature called one-tap push notifications that lets you log in to select sites on PCs with a click instead of entering codes. LastPass has a video on YouTube demonstrating the feature.
One-tap logins work with LastPass itself, and also with five third-party sites including Amazon (not including AWS), Google, Dropbox, Facebook, and Evernote. To use one-tap notifications you must have the LastPass extension installed in your browser and enabled. That means you must have a LastPass account, but a free one will do. These one-tap logins are browser specific so if you one-tap log in on Chrome you will have to log in again if you use Microsoft Edge, for example.
It may all seem rather mysterious, but here’s what’s going on behind the scenes with one-tap logins on third-party sites. When a user logs in to a compatible site, the LastPass browser extension sends a push notification to the user’s phone, which alerts the user that a login is being requested. The user taps Allow on the phone, and a confirmation message is returned to the extension that includes the required 2FA code. The extension receives this information, provides it to the website, and the user is logged in.
LastPass Authenticator also integrates with several sites owned by the password manager’s parent company, LogMeIn, to offer a similar type of one-tap login. These sites include LastPass, LogMeIn Pro/Central, GotoAssist, LogMeIn Rescue, Xively.
Microsoft also has a free authenticator app for Android, iOS, and Windows 10 Mobile. It grabs codes for sites like Facebook and Dropbox by snapping a QR code just like the others. For personal Microsoft Accounts, however, it supports one-tap notifications similar to LastPass.
Microsoft’s feature can log you in to your account on any device. All you have to do is approve the login and it’s as good as entering the short code. It’s not a huge time saver, but it is slightly more convenient.
Authy: Best multi-device solution
If you’ve used 2FA for any length of time then you know that one of the downsides is you have to go through the hassle of re-enabling your authentication codes every time you switch to a new smartphone.
If you have 10 accounts with 2FA that means snapping 10 QR codes all over again. If you’re a smartphone addict who likes to switch devices every one or two years that process can be a hassle.
Authy’s free service aims to solve that problem by storing all your 2FA tokens—the behind the scenes data that makes your 2FA codes work—in the cloud on its servers. To use this feature you have to enable encrypted backups first, and then your tokens are stored on Authy’s servers.
That way when you log in to any Authy app, be it on your smartphone, tablet, or Windows or Mac laptop, you’ve got access to your codes. There’s even a Chrome app for Chrome OS users.
Multi-device access to your 2FA codes is awesome, but it does come with a drawback. Authy says your backups are encrypted based on a password entered on your smartphone before hitting the cloud. That means your passcode is the only way to decrypt them, and Authy doesn’t have it on file. If you forget your passcode you can get locked out of your accounts since you won’t have the 2FA codes. How you regain access to each account depends on each service’s account recovery policies.
If you’re new to 2FA this might not be the app for you unless you’re prepared to take proper steps to ensure you never lose access to Authy—like writing down your passcode and storing it somewhere safe.
The absolute safest way to lock down your accounts with two-factor authentication is to use a physical security key. In the Google study I mentioned earlier, it found that security keys blocked 100 percent of bulk phishing and targeted attacks.
The downside of using a security key, however, is that if you ever lose or break your key you could be locked out of your accounts—and you’ll have to switch your second-factor authentication method to a new key.
This option is my personal favorite. Yubico’s YubiKey is a hardware-based 2FA solution. It’s a small card-like device with one end that slots into a standard Type-A USB port. It can verify authentication with a button press instead of manually entering a short code. YubiKeys are also very durable and waterproof making it difficult to ruin these devices.
That one-tap approach only works for accounts that support the aforementioned FIDO U2F standard, such as Google and GitHub. For those services that don’t support the standard, a YubiKey can also store 2FA tokens and display codes on the Yubico Authenticator app.
How you use Yubico Authenticator to get a 2FA code depends on whether you’re using the authenticator app on a PC or an Android smartphone. On the desktop, you just insert the key into a USB port, and the authenticator immediately displays your short codes and lets you add new ones. Remove your YubiKey, and the app stops showing codes immediately. Yubico Authenticator on the desktop works with most YubiKey models except the basic FIDO U2F key.
On Android you need a YubiKey that supports NFC and the Yubico Authenticator app, which at this writing is the YubiKey 5 NFC ($45), and the now discontinued (but still supported) YubiKey Neo. With these keys all you do is open Authenticator on your phone, tap the key near your phone’s NFC chip, and your codes will appear on the app. There is also a $27 Security Key NFC, but it only supports FIDO U2F authentication (and FIDO2 password-less logins), not one-time-password functionality.
Similar to Authy, the beauty of YubiKey is that it allows you to easily transfer your authenticator codes from one device to the next.
Titan Security Key
Google debuted its own hardware security key in 2018, the Titan Security Key. This key comes in a $50 bundle with two physical devices. The first is a key with a USB-A insert similar to YubiKey. The second is a Bluetooth dongle that can connect to your phone wirelessly. The Titan Security Key has a few drawbacks. First, it only supports sites that use the FIDO and FIDO2F standard, meaning you can’t fall back on OTP codes for sites that support 2FA but not FIDO one-touch entry. Google also recently had to recall its Bluetooth dongles after a serious security flaw was discovered. Yubico, by comparison, has yet to release a Bluetooth version of its security key, because it does not believe the technology is secure enough.
Bonus: Google on-device prompts
An example of Google’s on-device prompts.
If diving into the world of 2FA is too much for you right now, why not dip your toe into the experience with Google on-device prompts? This is a simple security measure that helps protect your Google account.
Whenever you want to log in to Google on a new machine, you’ll have to authorize it with one click on your Android or iOS device. To get this to work on Android you’ll need the latest version of Google Play services, which most people should have automatically. Anyone on iOS devices needs a current version of the Google or Gmail apps.
Two-factor authentication is an important step to take to protect your important accounts whenever possible. It may seem like a pain at times to enter that extra code—which you may only have to do once per device or once every 30 days—but it’s a price worth paying to make your online accounts more secure.