Don’t let scammers get their hands on your sensitive information. Here’s how to secure your online accounts with multi-factor authentication (MFA), and two-factor authentication (2FA).
The 2014 Heartbleed bug exposed millions of internet logins to scammers thanks to one itty-bitty piece of code. Our security nightmares have only gotten progressively worse in the years since.
What’s the average internet user to do? Well, you should have strong passwords. They’re a pretty laughable authentication method and can be scooped up pretty quickly by various methods. (But you can stop changing your passwords constantly unless they’re in a breach.)
What you need is a second way to verify yourself. That’s why many internet services, several of which have felt the pinch of being hacked or breached, offer multi-factor authentication (or MFA). Up until very recently, we’ve usually called it two-factor authentication (2FA), but more factors are better. You’ll find all the terms used interchangeably with “multi-step,” “two-step,” and “verification,” depending on the marketing.
As PCMag’s lead security analyst Neil J. Rubenking put it, “there are three generally recognized factors for authentication: something you know (such as a password), something you have (such as a hardware token or cell phone), and something you are (such as your fingerprint). Two-factor means the system is using two of these options.” Multi-factor means you might have even more than two.
Biometric scanners for fingerprints and retinas or faces are on the upswing thanks to innovations such as Apple’s Face ID and Windows Hello. But in most cases, the extra authentication is simply a numeric string, a few digits sent to your phone, as a code that can only be used once.
You can get that code via SMS text message (which is not a great idea) or a specialized smartphone app called an “authenticator.” Once linked to your accounts, the app displays a constantly rotating set of codes to utilize whenever needed—it doesn’t even require an internet connection. There are several apps, including some from big names like Microsoft and Google, plus Twilio Authy, Duo Mobile, and LastPass Authenticator. They all do the same thing, some with password management and other features. Here’s our rundown of The Best Authenticator Apps.
Most popular password managers (such as LastPass) also offer MFA authentication by default. The codes provided by authenticator apps sync across your accounts, so you can scan a QR code on a phone and get your six-digit access code on your browser if supported.
Be aware that setting up MFA can actually break access within some older services. In such cases, you must rely on app passwords—a password you generate on the main website to use with a specific app. You’ll see app passwords as an option with Facebook, Twitter, Microsoft, Yahoo, Evernote, and others—all of which are either used as third-party logins or have older functions you can access from other services. The need for app passwords is, thankfully, dwindling.
Remember this as you panic over how hard this all sounds: Being secure isn’t easy. The bad guys count on you being lax. Implementing MFA will mean it takes a little longer to log in each time on a new device, but it’s worth it in the long run to avoid serious theft, be it of your identity, data, or money.
The following is not an exhaustive list of services with MFA ability, but we cover the primary services everyone tends to use and walk you through the setup. Activate MFA on all of these, and you’ll be more secure than ever.
Amazon 2FA support is pretty important, as Amazon has its fingers in many pies, like Comixology, Audible.com, and sites that use Amazon for payments—all tied to your credit card.
Open up Amazon.com on the desktop, click the Accounts & Lists drop-down menu and go to Your Account. Click on Login & Security. On the next page, click Edit next to Two-Step Verification (2SV) Settings. The preferred method is an authentication app (scan the QR code); phone number(s) are the backup method.
An excellent option with Amazon is the ability to tell the service to skip the codes on trusted devices (or on multiple trusted web browsers on the same device). If that option doesn’t work later, return to the Two-Step Verification (2SV) page and click Require OTP on all devices. OTP means one-time password; that’s what Amazon insists on calling the authentication code.
Apple Two-Factor Authentication
Your Apple ID is a big part of your life if you’re an iOS or Mac user. It’s essential for both access and storage via iCloud, purchases like movies, books, and apps, and subscriptions to services like Apple Music and Apple TV+.
To activate two-factor authentication, go to the Manage Your Apple ID page (Which opens in a new window) and sign in. Look for Account Security > Two-Factor Authentication and click “Get Started…”
You are then furnished with steps to set up 2FA for Apple using either iOS or macOS. On iOS you go to Settings > [your name at the top] > Password & Security > Turn on Two-Factor Authentication. On macOS go to > System Preferences > iCloud, sign in, click Account Details > Security > Turn on Two-Factor Authentication. (Here are specifics on setting it up in iOS 15 so you can use your iOS device as an authenticator app.)
You’ll have to answer two of your three pre-set security questions and re-confirm your credit card on the account to get into the setup. Then you have to enter a valid phone number to get a text or phone call (even if it’s the number already on the phone you’re using for setup). If it is the same phone, the six-digit code will be entered automatically when it arrives, or just type it in.
After that, signing into anything with an Apple ID should generate the code on the device used for setup. Apple also supports app-specific passwords(Opens in a new window).
You can’t turn it off once Apple’s Two-Factor Authentication is active. “Certain features in the latest versions of iOS and macOS require this extra level of security, which is designed to protect your information,” Apple says(Opens in a new window).
Dropbox Two-Step Verification
Dropbox on the desktop website(Opens in a new window) has a tab called Security(Opens in a new window). It’s where you go to check how many current sessions are logged in and devices are using the account, to change the password, and, of course, turn on two-step verification. Toggle it to on, enter a password, and you’ll be asked if you want to get security codes via SMS text message or via a mobile authenticator app.
If you choose text, enter a phone number and receive a code immediately. You also get to enter a backup number, plus receive a 16-digit number you should save somewhere safe; it will allow you to deactivate two-step verification if needed. If you choose the authenticator app (and you should), you’ll see a QR code on-screen to scan. Other options include using a hardware security key if you’ve got one. Dropbox provides excellent MFA instructions(Opens in a new window).
Facebook Two-Factor Authentication
Facebook is the last place you want to lose control of an account; its version of two-factor authentication will help prevent that. On the desktop, you access it by going to Settings > Security and Login(Opens in a new window).
Under Two-Factor Authentication, click Edit on the right. On the next screen, select how you’d like to receive your second form of authentication: a text message, authenticator app, or physical security key. That’s something you plug into or put near your computer to get access—for more info, read The Best Security Keys for Multi-Factor Authentication.
If you select an authenticator app (which is the best option when it comes to Facebook), Facebook will produce a QR code on the desktop screen. Open your authenticator app on your smartphone, select Add, and hold your smartphone up to the computer screen to capture the code. The next time you sign into Facebook, and it requests your six-digit code, open the authenticator app to retrieve it.
The above options require you to have access to your phone, of course. But when you activate MFA, you can get a list of 10 recovery codes to download and use anytime, even if you don’t have your phone. Get them in the Two-Factor Authentication Settings area (Opens in a new window) and save them somewhere safe.
Facebook Two-Factor Authentication
Facebook is the last place you want to lose control of an account; its version of two-factor authentication will help prevent that. On the desktop, you access it by going to Settings > Security and Login (Opens in a new window).
Under Two-Factor Authentication, click Edit on the right. On the next screen, select how you’d like to receive your second form of authentication: a text message, authenticator app, or physical security key. That’s something you plug into or put near your computer to get access—for more info, read The Best Security Keys for Multi-Factor Authentication.
If you select an authenticator app (which is the best option when it comes to Facebook), Facebook will produce a QR code on the desktop screen. Open your authenticator app on your smartphone, select Add, and hold your smartphone up to the computer screen to capture the code. The next time you sign into Facebook, and it requests your six-digit code, open the authenticator app to retrieve it.
The above options require you to have access to your phone, of course. But when you activate MFA, you can get a list of 10 recovery codes to download and use anytime, even if you don’t have your phone. Get them in the Two-Factor Authentication Settings area (Opens in a new window) and save them somewhere safe.
Microsoft Two-Step Verification
Microsoft has tied together most of its services under one umbrella. Outlook.com, OneDrive, Xbox Live, Skype, an Office 365 subscription, the Windows operating system itself, and much more can all use the same account. Naturally, it should get some extra protection.
Microsoft said in 2021 that it wouldn’t even require a password on accounts—as long as you use one of its ways to log-in MFA-style. That means using either the Microsoft Authenticator app on iOS(Opens in a new window) or Android(Opens in a new window), Windows Hello biometric sign-in. But you can stick with using a password and getting a security key or verification code.
Sign in to your Microsoft account at account.microsoft.com/profile(Opens in a new window). In the top navigation, click Security; on the next page, click Advanced security options. You’ll see a link called Add a new way to sign in or verify, and you can enter lots of info here, such as email addresses and phone numbers that can be used to get a code—plus you can set up Enter a code from an authenticator app. Under that, you’ll see options for Passwordless account and Two-Step Verification.
You don’t need to use Microsoft Authenticator if you’re only setting up MFA access with a password. It also works with other standard authenticator apps, like Google Authenticator and Authy—but to use them, you must pick “other” during the setup. Or you can get the codes sent via text message or email.
But if you want to use the new Passwordless account option, Microsoft Authenticator will be required on your smartphone. But you may not even have to enter a code—the app will pop up if you try to sign in somewhere, and after you log into the phone the app is on, you usually click a couple of boxes to authenticate easy-peasy. (Some might say too easy—since all anyone needs to access your Microsoft account now is to steal your phone since there’s no password.)
Microsoft provides a recovery code for you to write down and keep safe, a 25-digit whopper (like the kind it uses on everything from software registrations to Xbox giveaways).
PayPal 2-Step Verification
As a service dedicated to making payments, PayPal should be as secure as possible.
When you log in, click the gear icon to get a menu and access Settings (Opens in a new window)> Security. Next to 2-Step verification, click Set Up. You can to receive a text message or code via an authenticator app; for the latter, you do the usual steps of scanning a QR code with the app. Pick one option to be the primary method.
You can add a backup MFA method to your account, such as a different number or even another whole authenticator app, for when you can’t reach your phone. Go back into Settings > Security and click Update if you ever want to add methods or turn MFA off completely. You can also skip the MFA on select devices as you log into them so that you won’t be asked for a code on that device/browser again.
The steps for this are slightly different if you have a business account, but ultimately you just have to find your way to Settings to get to 2-Step verification.
Slack 2-Factor Authentication
Got an office Slack? Whether you can secure it with two-factor depends on your workspace’s account settings. If you sign into Slack using your G Suite account, you will handle two-factor through Google. If you’re accessing multiple Slack workspaces, you need to set up MFA on each workspace individually—some may use it, some may not.
Otherwise, go to Account > Settings > Two-Factor Authentication to find the Set Up Two-Factor Authentication button. (If you don’t see it, it’s not an option for you.) After you enter your password, you get two choices: receive the code via SMS text messages, or use an authenticator app. Even if you pick the app, you get the option to enter a backup mobile phone number.
Owners/admins can go into Workspace Settings & Permissions > Authentication to require workspace-wide two-factor authentication if desired.
To activate Login Verification on Twitter.com on the desktop, click the More menu on the left and select Settings & Privacy > Security and account access > Security > Two-Factor Authentication(Opens in a new window). Choose to get codes via phone (SMS text), authentication app, or a physical security key (or any combination of the three). The steps in the mobile Twitter app are much the same, but you start by clicking on your profile pic.
Twitter will generate backup codes for when you lose a device and temporary passwords to use one time when logging in at services/places/times when you can’t get a regular MFA code.
You may also use the Twitter app itself as an authentication app. On the mobile app (this doesn’t work on the desktop), go to Settings > Security and account access > Security > Two-factor authentication > Login code generator to view a six-digit number that updates every 30 seconds, precisely like an authenticator app. This can help when signing in to third-party sites with your Twitter credentials.
Yahoo Account Key or 2-Step Verification
To set up verification at Yahoo, access your Personal info(Opens in a new window) (look for your name or the link to Sign In, in the upper-right corner of any Yahoo page, and select Add or Manage Accounts > Account Info). Click Account Security, and you’ll see the Two-step verification toggle. It will immediately confirm the phone number on your account or ask for a new one and send a verification code. It also warns you that certain apps won’t work with second sign-in verification—those will require app passwords.
There is no option to use a third-party authenticator app. However, the Yahoo Account Key is the next best thing. It expects you to have at least one Yahoo-made app on your phone, such as Yahoo Mail. When you try to sign in, you have to launch the app; then, Yahoo Account Key will send a notification to it directly. You push a button to confirm it’s you, and that’s it—no codes or passwords to enter.
If you don’t have a Yahoo app on your mobile device, Yahoo can text or email you an MFA code. When/if you activate Yahoo Account Key, Yahoo deactivates two-step verification, and vice versa, as Account Key must be turned off to allow two-step verification.
After you set up either of the above, the Account Security list displays another option: Generate app password. When you’re ready to access Yahoo services on devices without direct support, you’ll go here to create the new unique password that will allow access.