Two-factor authentication, or 2FA, adds a layer of security to signing in to websites and services. The most common way this happens is when you log in from a new phone, tablet or computer, or from a new location that the website doesn’t recognise, it will send you a code via SMS to your mobile phone that you have to enter before you can finish signing in.
You should turn this on for every service you log in to, whether it's via an app or a website. Not every service offers it, but where it's available, turn it on.
This is a great way of protecting your accounts, as it stops hackers who might have got your password via a data breach or phishing scam from logging in.
Is getting a code by text the only 2FA method?
No. SMS is the most common way, but some websites and services also support using an authenticator app or a hardware device.
- An authenticator app such as LastPass Authenticator, Google Authenticator, Okta Verify, Authy (there are many others too) work in a similar way by generating codes for you to confirm that it’s you logging to a website from a new device or location.
- Biometrics – your fingerprint, a scan of your iris or a scan of your face – can also be used to verify that it’s you and not a hacker logging in to a website.
- Or you can get hardware keys. The most common is the Yubikey, which is widely supported, although there are others made to the same standards, and Google has recently announced that it will sell its own security keys too.
So which is the best?
Security experts are pretty unanimous in agreeing that the best method is the hardware key, with an authenticator app coming in second place.
2FA works by combining something you know (your password) with something you have (your mobile, the app, a key, your fingerprint), and it’s clear that some of the things you have are likely to be more secure than others.
- SMS is considered the least secure way to do 2FA. That’s because first, if your phone is stolen, the thief will be able to get codes to all your accounts. Also, SMS messages can be hijacked, or a thief can even quite easily just get your mobile provider to give them a Sim card for your account – this is known as “Sim-swapping”.
- Biometrics sounds like a secure choice because nobody else has your fingerprint, right? The downside of using biometrics for authentication, whether it’s as your main way of logging in or as a second layer of security, is that it can be bypassed fairly easily if you’re with the attacker. If you’re asleep or unconscious, it’s trivially easy to hold your finger to a sensor, or to scan your face, and there are also more elaborate hacks of biometrics being discovered all the time.
- Authenticator apps can be installed on any device and don't rely on a mobile signal. Security experts prefer them because they aren't vulnerable to Sim-swapping attacks. You can install the app on more than one device (though you need to set up each website on each device separately) and so don't necessarily rely on your mobile phone.
- Hardware keys are considered the most secure way to do 2FA, first because it’s very difficult, if not impossible, for a third party to hack them, and also because it doesn’t involve having a code sent to you that could be intercepted. Once you’ve got a hardware key set up, all you do to complete your login is plug in the key (or, if your phone supports NFC, tap it against your phone) and push a button on the key. If you lose your key, there’s nothing on it to identify you to someone who finds it, so they won’t be able to get into your accounts.
Perfect as the enemy of good
It’s up to you to pick the best method for you, and that choice should be based on a number of factors.
One thing to consider is how much of a target you are: nobody is not a target, because everyday hackers wanting to steal login details don’t care who they belong to, but some people are more at risk than others. Activists, people in senior or sensitive jobs and people who are at risk if their identity is exposed should probably use hardware keys, for example.
Google said recently that none of its 85,000-plus employees had been successfully phished since it started requiring that everybody use a hardware key.
But setting up authenticator apps and hardware keys is time-consuming if you have a lot of logins to protect, which puts people off.
Even though SMS is the least secure way to do two-factor authentication, it’s still better than not having it at all, so if you can’t face the friction of setting up apps or a key, then do at least turn on SMS 2FA.
How to turn it on
Every website or service will be slightly different, but generally you’ll find the options for 2FA in the security settings for your account. Typically you’ll be asked to enter your mobile number and then the website will send you a code which you then type in to confirm that you want to go ahead and set it up. And that’s it.
Some websites will require you to confirm your login each time: Twitter does, for example, even if you’re logging in from the same laptop every day. Others will only challenge your login if you’re signing in from a new device – or a new browser on an old device – or from an IP address you haven’t logged in from before. In most cases you can tell it to recognise you from that device/browser/IP address in future, though we’d recommend letting it challenge you each time.
What if I lose my phone or my Yubikey? Or what if I haven't got a mobile signal?
Most websites that use 2FA will also let you generate one-time codes: codes that you can print out or perhaps store safely in your cloud storage and then type in to complete your login.
If you decide to store those codes in your cloud storage you'll need to make sure you can access that if you're offline or you've had your phone stolen, of course.
Again, it's a bit of a pain to go through all your sites and generate them, and you'll need to work out the best way for you to store them, but it's a good back-up option.