A Simple Guide To Using Two-Factor Authentication (2FA)

2FA may feel like an unnecessary hassle, yet it's an essential component of your security.


2FA or “Two-Factor Authentication” prevents hackers from accessing your online accounts, even if they have your login credentials. How cool is that?

Example of SMS verification code

Think of the 6-digit SMS codes that your bank sends when you log in. That’s an example of a second factor of authentication, your password counting as the first one. 2FA is also called MFA for “Multi-Factor Authentication”, because you can have more than two.

In 2019, Google published a study showing that simply adding a recovery phone to an account blocked 100% of automated attacks, 99% of bulk phishing attacks, and 66% of targeted attacks. Now that’s impressive, and that’s why you need to set up 2FA to protect your sensitive accounts.

What Is 2FA?

The most common example of 2FA is the SMS verification code you receive when you log into websites like your bank, but there are other (and more secure) methods than SMS.

At the core, 2FA just means the website will verify your authentication with another method than just your password. There are 4 possible types of authentication “factors”:

  1. Something you know (e.g. password, PIN, etc.)
  2. Something you own (e.g. sending a code to your phone number)
  3. Something you are (e.g. biometrics like a fingerprint)
  4. Where/when you are signing in from (e.g. IP address location tracking)

In theory, the more factors of authentication you can satisfy, the more confident a service is that it is indeed you trying to authenticate. While some highly secure facilities may require all four factors of authentication, in practice most websites rely on only one factor (password) or two factors at most (password + verification code).

How does the 2FA verification code increase security?

Unlike your password, the verification code you receive is only valid for a limited amount of time — actual time varies, but usually no more than 60 min. Next time you receive one, it will be different.

So if hackers want to log in to your account, they would need your password (1st factor) and would also need to intercept the specific verification code at the time of login (2nd factor). That requires a lot more planning and a very targeted attack from the hacker. It’s unfortunately still possible, especially with SMS verification as we’ll see later, but it’s harder.

It’s worth noting that setting up 2FA has to be done for each account individually, so it can take a minute to set it up for all your accounts. That’s why I recommend you set it up primarily with your sensitive accounts — email accounts, financial institutions, social networks, etc. Some websites don’t offer that option at all unfortunately.

What Is The Best 2FA Method For You?

Once you’ve made the smart decision to secure your sensitive accounts with 2FA, you need to decide on a primary 2FA method. It essentially boils down to whether you prioritize convenience or security.

We’re talking about a primary 2FA method because it may not be possible to use the same method with every website. Each website decides which 2FA method they offer — if any. For example, many US banks are infamous for only offering SMS verification. The most common options available are SMS or email verification. The next most common option — much more secure and rapidly growing — is to receive codes via a dedicated Authenticator app.

In most cases, Authenticator apps offer the best overall balance of security and convenience. Most people are able to install an app on their phone, and once they’ve passed the initial learning curve it’s fairly easy to use. Password Managers can also act as an Authenticator app of sorts, which makes this option even easier to use.

Below is a table comparing the most common methods for 2FA.

Comparison Of Common 2FA Methods

| Method | Description | Usability | Security |
|---|---|---|---|
| SMS Code | Convenient since everyone has SMS and knows how to use it. But vulnerable to theft of phone number (“SIM Swap”). | 5/5 | 2/5 |
| Phone Call Code | Convenient since everyone has a phone and knows how to use it. But vulnerable to theft of phone number (“SIM Swap”). | 5/5 | 2/5 |
| Email Code | Convenient since the online service already has your email address. But vulnerable to the email account getting compromised. | 5/5 | 2/5 |
| Biometrics | Fingerprint, facial recognition, etc. Convenient to use, but scanning devices are not commonly used with retail computers. Secure, but not as much as people believe, and carries serious privacy concerns. | 4/5 | 2.5/5 |
| Authenticator App | Dedicated app that stores codes for any website you manually add to it. Codes generally renew every 30s. Only available if the website offers that technology, but more and more do. Very difficult to hack remotely. | 3/5 | 4/5 |
| Security Key | A physical device that you plug into your computer (or mobile). Extremely secure, but requires buying the device, preferably several for backup. And adding websites manually for multiple devices is not always obvious. | 2.5/5 | 5/5 |

Verification code sent via SMS / Email / Phone Call

The simplest form of 2FA is a code sent via SMS, email, or a phone call. These methods are the weakest form of 2FA because they are vulnerable to remote access by attackers. Although in general weak security is better than none, an argument can be made that SMS/Email verification codes weaken your security in some cases.

Example of 2FA code sent via SMS

The purpose of 2FA is to verify “something you own” to make sure you’re the person trying to authenticate. But email accounts are online accounts like any other, and as such can be hijacked like any other online account.

Phone numbers can also be hijacked — an attack known as “SIM swap attack” where the attacker impersonates you with your phone provider and switches your phone number to another phone in their possession.

SIM swap attacks may seem too sophisticated to worry about for the average person, but they’re actually becoming more common. The FBI received 500% more complaints of SIM swap attacks in 2021 alone compared to the 3 years before together.

To make matters worse, an attacker stealing your phone number can sometimes use it to reset other account information, locking you out of your account entirely and giving the attacker access even if they don’t know your password. In these cases, adding SMS as a 2FA method makes your account arguably less secure! Some websites unfortunately consider SMS verification the ultimate proof of your identity, which makes phone numbers all the more attractive for hackers to steal.

Unfortunately some websites require your phone number to use it as a 2FA method, and don’t accept any other methods. That’s the case of many US banks, and that’s a serious vulnerability.

Because of these weaknesses, I recommend you avoid using SMS/phone call or email verification as a 2FA method anywhere you can.

Authenticator app One-Time-Password (“OTP”)

OTP codes displayed in Google Authenticator, a common Authenticator app.

Authenticator apps are much more secure than SMS or email. They also use a “one-time-password” or “OTP” made of 6 digits to verify your identity, but that code is not sent to you at the time of login. Instead, it is generated by your Authenticator app based on a cryptographic formula that only the website and your Authenticator app know.

Overall, Authenticator apps provide the best balance of security and convenience, so it’s the 2FA method that most security experts recommend to most people.

In practice, when you authenticate with your login credentials, the website adds another step and asks you for your 6-digit OTP. You then pull out your phone, open the Authenticator app, and enter the numbers shown on the screen for that website.

It isn’t terribly complicated to use, but it requires having your phone with you, having installed the Authenticator app, and having registered it with the website beforehand. Therefore it’s admittedly more effort to set up than SMS verification, and tech-averse people may find it a bit confusing.

The extra security is well worth the effort though. Authenticator apps are not invulnerable, but remote attacks are very difficult. The main threats are direct physical theft of the phone or “social engineering” — whereby the hacker contacts you via email, phone, or SMS, and tries to con you into giving your code. Either way it’s not easy, and in both cases you’re in control.

Security Keys

Security keys are hardware devices — typically USB sticks — that you connect to your computer or mobile to sign into your online accounts.

Each brand has its own particularities, but overall they’re very easy to use. Some brands like Yubikey offer USB dongles that you can leave connected to your computer for convenience, and simply tap to activate when needed during authentication.

Security keys are the most secure form of 2FA, which, combined with their ease of use, makes them an attractive 2FA solution.

In addition to their superior 2FA technology, security keys have the major advantage of removing the human from the process of communicating the authentication code. That makes security keys immune to phishing attacks — where a hacker cons you into giving them your code — since there is no code for you to give. And if you get directed to a fake website trying to get your credentials, the security key will recognize it’s not authentic and won’t give away the code.

Security keys are a great 2FA option, but we need to acknowledge some practical drawbacks:

  • Managing backups: Since your secret codes are stored on the security key, it becomes really important to secure it. If it gets lost, stolen, or broken, you will need to contact each website to convince them you are the owner of the account so they let you in. You can’t rule out the risk of losing a small device, so it’s wise to have some backup. For instance, it’s a good idea to have 2 or 3 security keys in case you lose the primary one. But then each key needs to be registered separately with each website… Not the most convenient. Alternatively, you can use an Authenticator app as a backup 2FA method, but then why have a security key in the first place? Your security is only as strong as its weakest link. A good backup strategy is not obvious, and the logistical complications of managing one or several backup keys are more than what many people want to deal with.
  • Low support: Many websites don’t support security keys. A lot of the big tech companies do (think Google, Facebook, etc.) but many others don’t. If you can’t use your security key everywhere, you need to have another 2FA method for other websites — preferably an Authenticator app. So now you’re managing 2 types of 2FA methods. Once again it may be more than most people want to deal with.
  • Cost: Security keys are not expensive ($10-$40) but let’s face it, nobody likes to pay extra when there are free alternatives like Authenticator apps.

I personally love my security keys: the strong security gives me extra peace of mind, and it’s easier and faster to tap my security key to authenticate than reading and typing a 6-digit code from my phone. I don’t mind the extra hurdle of managing and securing backup keys, so it works for me, but I’m admittedly a bit of a security nerd.

Most people are not interested in adding more complexity to their online security. If that’s you, I recommend simply using an Authenticator app. If you’re curious about security keys, nothing stops you from trying one and seeing how it feels, while keeping an Authenticator app as your primary 2FA method. If you want to try it, I recommend you start with a Yubikey.

Biometrics Readers

Biometrics are not commonly used as 2FA methods today, but I included them in this list because many people see them as the future of authentication. The main advantage of biometrics is that they’re very convenient: no need to carry anything else with you. But biometrics are not as secure as they seem, especially for remote authentication. That’s why today their application is mostly limited to in-person authentication (unlocking a phone, entering a door, etc.).

Biometrics seem secure because we’ve learned that they’re unique to each individual. But when computers analyze a fingerprint for example, they have to “translate” its features into a computer-readable code. From a technical perspective, that “fingerprint code” is just a glorified password except that you can’t change your fingerprint like you can change a password, so it’s an extremely sensitive piece of information.

“If a bad guy wants your biometric data, remember this: he doesn’t need your actual fingerprint, just the data that represents your fingerprint.”

— Mike Muscatel, Sr. Information Security Manager, Snyder’s-Lance, at SecureWorld Boston

The way that “fingerprint code” is processed for authentication determines how secure it is. If it’s stored in a database, it can get hacked, stolen, and copied. For example, in 2015 more than 5.6 million US fingerprint records were stolen by the Chinese government.

When you unlock your phone with your fingerprint, the “fingerprint code” is stored on a secure chip on the device that no software on the phone can access, which makes it much more secure. But using biometrics for remote access without exposing the raw biometric data itself to the Internet is a much more challenging equation.

Biometrics are convenient and have their use case, especially for physical access and when paired with another authentication method. But until that technology becomes bulletproof, the risks are just too high to use it for remote authentication. If you’re curious, read more about why biometrics are bad authenticators.

How To Use An Authenticator App

Now that you have an overview of the different 2FA methods, let’s focus on the Authenticator app as it’s the most practical option for most people. Even if you decided to use security keys, you will most likely also need an Authenticator app for websites that don’t support them (i.e. most of them).

How to choose an Authenticator app with contingencies in mind

There are several Authenticator apps available, and the good news is that most are free. Here are the main criteria to consider when choosing an Authenticator app:

  • Secure and reliable
  • Offers a secure backup process, in case the user loses their phone
  • Allows the user to export their codes, in case they want to switch to a different app in the future

I’m planning to write a dedicated post comparing Authenticator apps in the future, but for now here is a sample of common apps and my recommendations. They’re all pretty much secure, the difference is in the features.

Authenticator Apps Features

| App | Verdict |
|---|---|
| Raivo | Best Authenticator for iPhone |
| Aegis | Best Authenticator for Android |
| Authy | Most User Friendly |
| Google Authenticator | Most Basic (Too Basic…) |

Authy: Best app for the tech-averse

If you want something that “just works” I would recommend Authy. Simply download the Authy app on your phone and follow the account creation process. Your Authy account is tied to your phone number, whereas other Authenticators on this list are tied to your phone itself. The difference is that if you lose your phone, you can recover your codes from your Authy account by verifying your phone number. It’s convenient… but it also means it’s a bit more vulnerable. That said, the extra convenience is worth the trade-off if you just want something that works similarly to other online accounts you have.

Raivo or Aegis: Best apps for the tech savvy

Raivo is for iPhone only, Aegis is for Android only. Raivo for iPhone in particular is almost perfect. It can back up your codes on iCloud automatically, which is extremely convenient.

Aegis’ backups are more complicated. You can only save the backup file manually, so if you forget to back up your codes and lose your phone, you lose your codes. You can save the backup files wherever you want, including on cloud services like Dropbox. So if you’re reasonably tech savvy, you can make it work for you. It just requires some configuration and understanding of what you’re doing.

One note of caution: both Raivo and Aegis allow you to set a password for the app. You should absolutely set a password as it will encrypt your backups. Without one, anyone could open and read your codes from your backup file.

Raivo’s and Aegis’ backup feature can also be used to export your codes if you want to switch to a different Authenticator app in the future. It’s a refreshing feature when you know that Google Authenticator, Authy, and other Authenticator apps (e.g. LastPass Authenticator) don’t allow you to transfer your codes and keep you captive of their app.

Google Authenticator is just too basic

Google Authenticator was one of the first Authenticator apps and still has a large user base, that’s why it’s on this list. But Google hasn’t been updating their app much since its inception. It works and it’s secure, but it doesn’t offer any backups and it’s tied to your phone. If you lose your phone, you lose your codes, period. You can transfer your codes from one phone to another if you still have the old phone (when you purchase a new phone for example), but if the old phone is lost, stolen, or broken, you’re out of luck. For that reason I can’t recommend Google Authenticator.

How to set up and use your Authenticator app

Once you’ve installed an Authenticator app, you can start adding your 2FA codes to it. You need to log into each website individually and find its security settings. If it offers 2FA, it probably offers the Authenticator app method. Once a website’s code is added to your Authenticator app, you will be able to see that code in your app refreshing every 30 sec. Any time you log into this website from a new device for the first time (and occasionally thereafter, but not every time), you will be required to enter that code to authenticate.

Adding an account to your Authenticator app

A video is worth a million words, so here is an example of adding my Google account to my Authenticator app (in this example, Google Authenticator).

Using your Authenticator app to login

After I’ve added my Google account to my Authenticator app, here is an example of how I use it to log into Google.

Beware of “Recovery Backdoors”

First, congratulations! You have installed an Authenticator app and have added your accounts to it. These accounts are now very difficult for hackers to access. If you haven’t left any backdoor for them to exploit, that is. Your security is only as strong as its weakest link.

Let me explain. Imagine you own a country house with 2 doors. The front door is a typical door and the backdoor is an old wooden door with weak hinges and an old lock. You decide to improve your home security, so you install a metal-reinforced front door with a high-security deadbolt. Does it sound like a wise investment?

Obviously, the weak point of entry is the backdoor, so there is no point reinforcing the front door if you leave the backdoor untouched. And yet that’s what many of us do when it comes to online security.

Hackers always attack the weakest entry point

Suppose you add an Authenticator app 2FA to an online account, but you leave the option for SMS code verification as a backup, just in case you lose access to your Authenticator app. It’s a common practice.

As a hacker, why would I try to hack your Authenticator app codes (very difficult) if I’m able to simply request an SMS code instead (much easier to hack)?

In this video, you can see that I’m able to easily bypass the Authenticator app by selecting SMS verification instead.

That’s why a good Authenticator app should allow you to back up your codes. Instead of relying on weak SMS or email verification in case you lose your phone, you want to rely on your Authenticator app backups to retrieve your codes.

Once you can trust that you will always be able to access your Authenticator app codes, you can disable other 2FA verification methods from your account like SMS or email. By removing the backdoor, you ensure that any hacker has to face your reinforced front door as the only entry point.

Tip: you can also use your Password Manager for 2FA

If you’re using a dedicated Password Manager (if you’re not, you really should), it may also have a feature to store and generate your 2FA codes. It’s really convenient as you don’t need to pull up your phone to access your codes. Not all Password Managers offer that feature, but Bitwarden and LastPass do.

Screenshot of LastPass showing the 2FA "one-time passcode" field.

Although a good Password Manager encrypts your credentials with your master password, it is theoretically possible that your encrypted credentials get stolen and later decrypted if your master password is not strong enough.

Adding your 2FA codes into your Password Manager therefore carries the risk of putting all your eggs in the same basket. You could make a case that it’s best not to add your 2FA codes in your Password Manager for your sensitive accounts.

On the other hand, if the extra convenience of having your 2FA available from your desktop is what will encourage you to use 2FA with a specific website, then it is definitely worth adding it in your Password Manager.

However, I don’t recommend you replace your Authenticator app with your Password Manager for 2FA codes. Use your Authenticator app for all your 2FA codes, and in addition you may choose to also add some to your Password Manager.

Conclusion

Passwords are not enough to guarantee the security of your online accounts. They’re vulnerable to data breaches and rely too much on the user’s security know-how to be safe. But adding another layer of security with “two-factor authentication” (2FA) has proven extremely effective at stopping most cyber attacks, so it has become an essential tool for securing online accounts, especially the sensitive ones.

The main obstacle for broad 2FA adoption is that the average person doesn’t know about it and it seems complicated to adopt. Hopefully this article has helped you understand how to set up a 2FA method other than SMS verification codes, which have proven unsafe.

Authenticator apps are the best 2FA method for most people because they strike the right balance of security and usability. Although I recommend the authenticators Raivo or Aegis if you are tech savvy enough, most people will feel more comfortable with Authy. Simply create an Authy account, install the app on your phone, and add your codes. Just make sure to disable SMS as a verification method on websites that allow it.

After you’ve done all that, you’re part of the minority of the population with much, much higher security than average.