SMS-based two-factor authentication (2FA), which texts you a code to confirm that the person signing in is really you, is better than nothing, but it isn't that good. This was demonstrated recently when several members of our staff had password resets initiated on their Twitter accounts and then received messages trying to get them to text back the verification code. Senior news editor Richard Lawler received one such message.
This happened even though Twitter now offers SMS-based 2FA only to Twitter Blue subscribers (costs begin at $8 a month): a password reset still sends a code by text, and an attacker who talks you into forwarding that code can finish the reset without ever knowing your password. The rule of thumb is simple: a code that arrives by text is meant to be typed into the site that sent it, never sent to another person, no matter who they claim to be. Many of The Verge's staffers have moved to Mastodon and other social networks, but wherever you're hanging out these days, it's not a good idea to give someone else access to your account. And if you want to use 2FA to secure your social media or other services, text messaging is not the way to go. You're much better off using either a third-party authenticator app or a hardware security key.
What are security keys?
Security keys, such as the ones sold by Yubico, are the safest method to use. They connect to your device over USB-A, USB-C, Lightning, or NFC, and they're small enough to carry on a keychain (with the exception of Yubico's YubiKey 5C Nano, which is so small that it is safest left in your computer's USB port). They support a variety of authentication standards: FIDO2 and U2F for website logins, plus smart card (PIV), OTP, and OpenPGP.
When you plug in a security key or hold it to your phone, the browser sends it a challenge from the site along with the domain you are actually visiting. The key holds a separate key pair for every site you registered it with, so it signs the challenge only with the key that belongs to that domain, and the site then checks the signature against the public key it stored when you enrolled. A phishing site at a look-alike address gets nothing: the key has no credential for that domain, and even if it did, the signed data would name the wrong origin and the real site would reject it. That is what makes security keys phishing-resistant in a way that SMS codes and authenticator-app codes are not.
Many sites support FIDO2/U2F security keys, including Twitter, Facebook, Google, Instagram, and others. The best thing to do is check the website of your security key of choice and see which services are supported; Yubico, for example, maintains a catalog of apps and services that work with YubiKeys.
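To make that origin binding concrete, here is a simplified model of the exchange written for this article as an added example; it is not code from the original page, from Yubico, or from any browser or website. It models the key as one P-256 key pair per site, the browser as the component that derives the RP ID from the page's real origin and records that origin in the signed client data, and the site as a server that checks challenge, origin and signature. The domain social.example and its look-alike sociaI.example (capital I in place of l) are hypothetical. Real WebAuthn also signs authenticator data (signature counter, flags) and wraps registration in CBOR-encoded attestation; those details are left out here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// Authenticator models a security key: one key pair per site, indexed by the
// RP ID (the site's host name), which the browser derives from the page origin.
type Authenticator map[string]*ecdsa.PrivateKey

// Register mints a key pair for rpID and returns only the public key for the
// site to store; the private key never leaves the device.
func (a Authenticator) Register(rpID string) *ecdsa.PublicKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	a[rpID] = priv
	return &priv.PublicKey
}

// Sign is the assertion step. A key never enrolled for this RP ID has nothing
// to sign with, which is what stops a look-alike domain cold.
func (a Authenticator) Sign(rpID string, clientDataJSON []byte) ([]byte, error) {
	priv, ok := a[rpID]
	if !ok {
		return nil, errors.New("no credential registered for " + rpID)
	}
	h := sha256.Sum256(clientDataJSON)
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

// clientData is assembled by the browser, not the page: it ties the site's
// challenge to the origin the browser is actually talking to.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// ClientDataJSON is the byte string the key signs over.
func ClientDataJSON(challenge, origin string) []byte {
	b, _ := json.Marshal(clientData{Challenge: challenge, Origin: origin})
	return b
}

// Server is the site: it knows its own origin and the enrolled public key.
type Server struct {
	Origin string
	Pub    *ecdsa.PublicKey
}

// Verify rejects a stale challenge, a foreign origin, or a bad signature.
func (s *Server) Verify(challenge string, clientDataJSON, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Challenge != challenge {
		return errors.New("challenge mismatch (stale or replayed assertion)")
	}
	if cd.Origin != s.Origin {
		return fmt.Errorf("assertion made for origin %q, not %q", cd.Origin, s.Origin)
	}
	h := sha256.Sum256(clientDataJSON)
	if !ecdsa.VerifyASN1(s.Pub, h[:], sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

// Login runs one full exchange from a browser tab showing pageOrigin. The
// browser, not the page, picks the RP ID and records the origin.
func Login(key Authenticator, srv *Server, pageOrigin, challenge string) error {
	u, err := url.Parse(pageOrigin)
	if err != nil || u.Scheme != "https" || u.Hostname() == "" {
		return errors.New("origin must be an https URL")
	}
	cd := ClientDataJSON(challenge, pageOrigin)
	sig, err := key.Sign(u.Hostname(), cd)
	if err != nil {
		return err
	}
	return srv.Verify(challenge, cd, sig)
}

func main() {
	key := Authenticator{} // social.example is a hypothetical site
	srv := &Server{Origin: "https://social.example", Pub: key.Register("social.example")}
	fmt.Println("real site: ", Login(key, srv, "https://social.example", "challenge-1"))
	fmt.Println("look-alike:", Login(key, srv, "https://sociaI.example", "challenge-2"))
}
```

Run it and the real site logs in while the look-alike fails before anything is signed, because the browser asks the key for a credential under the look-alike's host name and none exists. The server-side origin check covers the other case, a browser or extension that lies to the key about the RP ID: the signed client data still names the wrong origin, so the real site refuses it. Contrast this with an SMS or app code, which is just a number and works equally well wherever the victim types it.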
What are authenticator apps?
While physical security keys are the safest method, they are not the most convenient. If you don't want to carry around (and possibly lose) a physical key, an authenticator app on your phone is the next best choice.
Authenticator apps generate six-digit one-time codes that change every 30 seconds. The codes are not random: they are computed from a secret the service shares with the app when you set it up, combined with the current time, so the app and the service arrive at the same code without any network connection.
Popular options include Authy, Google Authenticator, and Microsoft Authenticator. These apps mostly follow the same procedure when you're adding a new account: you scan a QR code the service shows you, which contains that shared secret, and the account is saved in the app. The next time you log in, the service asks for a numerical code; just open the authenticator app and type in the one currently showing. Two cautions: treat the QR code (or the text version of the secret) like a password, because anyone who captures it can generate your codes indefinitely, and remember that a code typed into a convincing fake login page works just as well for the attacker as for you, so authenticator apps raise the bar but are not phishing-proof the way security keys are.
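Here is what is actually inside that QR code and how both ends compute the same number, as an added example written for this article in Go; it is not code from the page or from any of the apps named above. It parses an otpauth://totp URI (the format most services encode in their setup QR code), implements HOTP (RFC 4226) and TOTP (RFC 6238) with HMAC-SHA1, and shows a server-side check that tolerates one 30-second step of clock drift. The enrollment URI for Example / alice@example.com is constructed for the demo and uses the RFC 6238 test secret, so the codes it produces can be checked against the published test vectors.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"strings"
	"time"
)

// OTPParams is what the enrollment QR code carries: an otpauth:// URI with the
// shared secret and the parameters both sides must agree on.
type OTPParams struct {
	Issuer  string
	Account string
	Secret  []byte
	Digits  int
	Period  int64
}

// ParseOTPAuth decodes an otpauth://totp/... URI of the kind most services
// encode in their setup QR codes. Defaults follow the common 6 digits / 30 s.
func ParseOTPAuth(raw string) (*OTPParams, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "otpauth" || u.Host != "totp" {
		return nil, errors.New("only otpauth://totp URIs are handled here")
	}
	q := u.Query()
	// The secret is base32; services often omit padding and vary the case.
	sec := strings.ToUpper(strings.TrimRight(q.Get("secret"), "="))
	secret, err := base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(sec)
	if err != nil {
		return nil, fmt.Errorf("bad secret: %w", err)
	}
	p := &OTPParams{Issuer: q.Get("issuer"), Account: strings.TrimPrefix(u.Path, "/"), Secret: secret, Digits: 6, Period: 30}
	if d, err := strconv.Atoi(q.Get("digits")); err == nil {
		p.Digits = d
	}
	if per, err := strconv.ParseInt(q.Get("period"), 10, 64); err == nil {
		p.Period = per
	}
	return p, nil
}

// HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, then dynamic truncation.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP (RFC 6238): HOTP with the counter taken from Unix time, so the phone
// and the server agree with no network connection at all.
func TOTP(p *OTPParams, at time.Time) string {
	return HOTP(p.Secret, uint64(at.Unix()/p.Period), p.Digits)
}

// VerifyTOTP is the server side: accept the current step and one step either
// way to absorb clock drift, and compare in constant time.
func VerifyTOTP(p *OTPParams, code string, at time.Time) bool {
	for _, skew := range []int64{0, -1, 1} {
		t := at.Add(time.Duration(skew*p.Period) * time.Second)
		if hmac.Equal([]byte(TOTP(p, t)), []byte(code)) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed enrollment URI; the secret is the RFC 6238 test key "12345678901234567890".
	uri := "otpauth://totp/Example:alice@example.com?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example"
	p, err := ParseOTPAuth(uri)
	if err != nil {
		panic(err)
	}
	now := time.Now()
	code := TOTP(p, now)
	fmt.Printf("%s / %s: code %s, verifies: %v\n", p.Issuer, p.Account, code, VerifyTOTP(p, code, now))
}
```

Everything a second device needs to mint your codes forever is in that one URI, which is why the QR code deserves the same care as a password. A production verifier would also remember the last time step it accepted for each user so the same code cannot be replayed inside the drift window, and would rate-limit attempts, since six digits give a guesser one chance in a million per try.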
Here is how to set up 2FA on some of the more popular online accounts. Not all of them allow authenticator apps; in that case, we list what is available. (We've also published a separate step-by-step guide to using an authenticator app with Twitter, but for convenience Twitter is included here too.)
Note: most of the following directions are for websites; if you can use a mobile app, directions will be given for that as well.
Amazon
- Log in to your Amazon account.
- Hover over Accounts & Lists (in the upper-right corner) and go to Account > Login & security.
- Scroll down to 2-step verification and click the Edit button. (You may be asked to reenter your password.)
- Click Get Started, and Amazon will walk you through the process of registering your preferred authenticator app by syncing it through a QR code.
If you wish, you can also register a phone number to use as a backup text 2FA. Amazon also lets you opt out of 2FA for any specific devices.
You can also activate 2FA on the Android and iOS Amazon apps.
- Tap the person icon on the bottom (second from left).
- Go to Your Account > Login & security.
- The same 2-step verification selection, with the same Edit button, should be available.
Apple iOS / macOS
If you use any Apple devices, you turn on 2FA through your Apple ID, either on your device or on the web. Verification codes come through Apple's own system; there are no third-party authenticator apps here. (Apple recently added the ability to use physical security keys if you have an iPhone on iOS 16.3 or later, an iPad on iPadOS 16.3 or later, or a Mac on macOS Ventura 13.2 or later; you will need at least two keys in order to use this feature, so that losing one does not lock you out.)
A few other things to note (as detailed on Apple's support page): once you turn on 2FA, you have two weeks to change your mind, and after that it's a done deal; you can't turn it off. Once 2FA is established, every time you sign in with your Apple ID on a new device, you'll get a notification on a trusted device and have to approve the sign-in. Once you sign in to a device with the verification code, it becomes a trusted device, and you won't be asked for a code on it again (unless you sign out, change your password, or erase the device). And you'll need a trusted phone number to set up 2FA in the first place.
On an iPhone or iPad
- Go to Settings > [Your Name] > Password & Security.
- Select Turn On Two-Factor Authentication, and follow the instructions.
On a Mac
- From your Apple menu (the Apple icon in the upper-left corner), go to System Settings (or, for older macOS versions, System Preferences), then click your name (or Apple ID).
- Select Password & Security.
- Look for Two-Factor Authentication. Select Turn On, and follow the instructions.
Dropbox
- From your Dropbox homepage on the web, click your profile avatar and select Settings.
- Click on the Security tab.
- Find Two-Step Verification, toggle to turn the feature on, and select Get Started.
You can choose to receive 2FA through a text or your authenticator app; obviously, we recommend the latter.
Facebook
The way to reach Facebook's 2FA settings differs slightly between the mobile app and the website (and Facebook tends to update both layouts often).
On the mobile app
- Access your privacy settings by tapping your personal icon on the upper-right corner (Android) or the lower-right corner (iOS).
- Scroll down to the bottom to find the Settings & privacy menu. Tap Settings > Security and login, and select Set up two-factor authentication.
You can opt for a text message, an authenticator app, or a security key; you can also use one of these as a backup method.
On the web
- Click your personal icon in the upper-right corner.
- Select Settings & Privacy > Settings > Security and login.
- Under the Recommended heading, you will find Set up two-factor authentication. On the next page, click the Setup button next to Authentication app to start the process.
Note: if you scroll down in the Security and login page, you’ll find a section dedicated to two-factor authentication. It offers Use two-factor authentication (which leads to the same setup page as mentioned above) but also lets you establish Authorized logins, a list of devices where you don’t have to deal with 2FA.
Google
Turning on 2FA for your Google account protects every Google service you sign in to with it (Gmail, YouTube, Google Maps, and so on).
On the web
- Head over to your Google account page.
- Click on Security > 2-Step Verification, and follow the directions.
After that, Google will first send prompts to your phone that allow you to select “Yes” or “No” when a login attempt occurs. If that doesn’t work, it will call or send a text message.
Like Apple, Google has its own 2FA system, but unlike Apple, you can use an authenticator app as a backup, alongside text messages, backup codes, or a security key (either a physical key or your phone). If you have an iPhone, you'll need to install the Google Smart Lock app to use the phone as a security key.
You can also generate backup codes for offline access. Google generates 10 codes at a time, and each is single-use: once you've used one, cross it out (assuming you've printed them), as it will no longer work. Keep the printout somewhere other than the phone it is meant to replace, or it won't help you when the phone is lost.
Instagram
Instagram added 2FA to its mobile app in 2017, but you can also activate it through the web.
On the mobile app
- Tap on your profile icon in the lower-right corner and select the hamburger menu in the upper-right corner.
- Select Settings > Security.
- Choose the menu item for Two-factor Authentication.
- Tap on the Get started button. You can toggle on one of three types: an authentication app (Instagram will either choose one that is already installed or recommend one to download); use WhatsApp to generate a login code; or use a text message.
On the web
- Click on your profile icon in the upper-right corner.
- Select the settings cog from the drop-down menu.
- Select Privacy and Security, and scroll down to Two-Factor Authentication. You can choose either an authentication app or a text message as your 2FA method (but WhatsApp is not available on the web).
Mastodon
If you're a Twitter user who has moved to Mastodon (or an original Mastodon user), you can enable 2FA from the standard Mastodon web app. (Note: because features vary with the software version your instance runs, there is a possibility 2FA may not be available. It will probably not be available in a mobile app either, although again, that may vary; use the web interface.)
- Access your Preferences, either by clicking the three dots opposite your personal icon or by clicking on Preferences at the bottom of the right-hand main menu.
- In the left-hand menu, click on Account > Two-factor Auth.
You can enable an authenticator app or a security key. You can also generate recovery codes to hold on to in case you lose your phone.
Microsoft
- Log in to your Microsoft account and open the Security page. (There are several ways to get there.)
- You should see Two-step verification in the main header to the right of Security and Change password. If it’s not there, scroll down to the Additional security section. Look for Two-step verification, and click on the setup link.
- You'll be walked through the steps needed to use either the Microsoft Authenticator app or a different authenticator app. You'll also be able to create app passwords for older apps that can't handle 2FA; each one is a separate secret, so revoke any you stop using.
- In the Additional security section, you can also make your account passwordless; in other words, you would sign in with an authentication app, Windows Hello, a security key, or SMS codes.
Nest
Current Nest users will have signed in to the app via their Google accounts and will be using Google's 2FA feature (see above).
If you've resisted migrating your existing Nest account to your Google account, you are required to use 2FA (and, in fact, you were probably emailed about it as of May 2020). In the unlikely event that you still haven't switched:
- From the homescreen, go to Settings > Account > Manage account > Account security.
- Select two-step verification, and toggle the switch on.
- A series of prompts will ask for your password, phone number, and the verification code that will be sent to your phone.
Keep in mind that all of your devices will be automatically signed out, so you’ll have to sign in again using two-step verification.
If all your family members don’t have their own logins and have been using yours, it’s a good idea to set them up with separate logins using Family Accounts. Otherwise, when they try to log on using two-step verification, the necessary code will be sent to your phone, not theirs.
PayPal
- On the main Summary page, click the gear icon and select the Security tab.
- Look for the section called 2-step verification, and click on the Set Up link.
You’ll be able to choose whether to have a code texted to you, use an authenticator app, or use a security key. (PayPal also offers to find an authenticator app if you want one.)
If you lose your phone, change numbers, or decide to revoke authorization rights, come back to this menu to make adjustments.
Ring
Ring has made 2FA mandatory. If you haven't activated it yet (or if, for some reason, you were not asked to do so when you first installed the software), then once you've made sure your Ring app is up to date:
- Go to your app’s Dashboard and tap on the hamburger icon (the three lines) at the top left.
- Go to Control Center > Account Verification.
- You can choose to use an authenticator app or text messaging. Select the one you want to use (as always, we suggest the former), and follow the directions.
Once you use 2FA to log in, you won’t have to do so again unless you haven’t logged in for over 30 days, logged out, or deleted all your authorized devices. (Note: previously, you could also opt to have the codes sent to your email address; that is no longer available.)
Slack
To enable 2FA, you'll first need to find the Account Settings page. There are several ways to access this:
- You can click on your username or profile picture in the Slack app to open a drop-down menu, and then select Profile. Your account information will now display on the right side of the chat window.
- Or, under your avatar next to the View as button, click the three-dot icon and select Account settings.
- You can also head straight to my.slack.com/account/settings.
- However you get there, you should immediately see the selection for Two-Factor Authentication.
- Select Expand on Two-Factor Authentication and hit the Set Up Two-Factor Authentication button to verify your information via an SMS text message or authenticator app.
If you can't find the option for 2FA, check whether you have a work account. Some employers use single sign-on, which moves authentication (2FA included) to the company's identity provider and removes this option from Slack's account settings page.
Snapchat
- From the app's main camera screen, tap your profile icon and find the gear icon to access your settings. Select Two-Factor Authentication, and then tap Continue.
- Choose whether to use SMS verification or an authenticator app. If you choose the latter, you can either have the app automatically hook up to an already installed authenticator app, set one up manually, or find an app.
TikTok
- To set up 2FA on TikTok (we're assuming a mobile device), tap your profile icon on the lower right, then tap the three lines in the upper right of the screen.
- Go to Settings and privacy > Security and look for 2-step verification.
Unfortunately, TikTok only offers to send a verification code via text message or email, both of which are weaker than an authenticator app or a security key.
Twitter
Using the mobile app
- Tap your personal icon at the top left of the screen and select Settings & Support > Settings and privacy > Security and account access > Security.
- Tap Two-factor authentication. You are offered three methods: text message, authentication app, or security key. The first is only for Twitter Blue subscribers; anyone else who picks it gets an error pop-up. You can also generate a single-use backup code just in case.
Using the web app
- Click on More in the left-hand menu.
- Just as in the mobile app, go to Settings & Support > Settings and privacy > Security and account access > Security.
- Click on Two-factor authentication. You will get the same choices as in the mobile app.
As with other services mentioned above, you can generate a backup code to use when you’re traveling and will be without internet or cell service. You may also see an option to create a temporary app password that you can use to log in from other devices. This can be used to log in to third-party apps if you have them linked to your Twitter account. Note that the temporary password expires one hour after being generated.
WhatsApp
- Open WhatsApp and find the Settings menu under the upper-right dots icon.
- Look under Account > Two-step verification > Turn on.
- The app will ask you to enter a six-digit PIN to use as verification; after that, it will request it the next time you register your phone number and also every once in a while (so you don’t want to forget it). You can optionally add an email address in case you forget your PIN.
Having an email associated with your WhatsApp account is important — if you don’t have one and forget your PIN, you’ll have to wait seven days before you can reset it. In the same vein, be cautious of emails encouraging you to turn off 2FA if you didn’t request it yourself.
Did we miss your favorite apps?
For more information, check out the 2FA Directory, which categorizes and lists companies that support 2FA and gives you the option to message a company on Twitter, Facebook, or email to request that 2FA be added.
A final note: 2FA adds a strong extra layer of security to all your accounts, but it doesn't make the password itself unimportant. Use a long, unique password for every account, and change it promptly if the service reports a breach or you suspect it has leaked. If managing that by hand isn't your style, a password manager can generate and store them for you.
Update April 18th, 2023, 4:00PM ET: This article was originally published on February 28th, 2023, and has been updated to add the fact that Apple now offers 2FA with security keys and to warn about new phishing attempts.