Many online services offer two-factor authentication, which enhances security by requiring more than just your password to sign in. There are many different types of additional authentication methods you can use.
Different services offer different two-factor authentication methods, and in some cases, you can even choose from a few different options. Here’s how they work and how they differ.
SMS Verification
Many services can send you an SMS message whenever you log into your account. The message contains a short one-time code you must enter alongside your password, so your phone number acts as the second factor. Someone who has only your password can't get in; they also need access to your phone or to the SMS messages sent to it.
This is convenient, as you don’t need to do anything special, and most people have cell phones. Some services will even dial a phone number and have an automated system speak a code, allowing you to use this with a landline phone number that can’t receive text messages.
However, SMS verification has serious weaknesses. An attacker can carry out a SIM swap (convincing your carrier to move your number to a SIM they control) and receive your codes directly, or intercept them through flaws in the cellular signaling network (SS7). A phishing page can also ask you for the SMS code and relay it to the real site before it expires. We recommend against SMS if you can use anything else, but SMS is still much better than no second factor at all.
App-Generated Codes (Like Google Authenticator and Authy)
You can also have codes generated by an app on your phone. The best-known is Google Authenticator, which Google offers for Android and iPhone, but we prefer Authy, which does everything Google Authenticator does and more. Despite the branding, these apps implement an open standard, TOTP (RFC 6238, time-based one-time passwords built on HOTP, RFC 4226), so any TOTP app works with any TOTP-capable service. For example, you can add Microsoft accounts and many other types of accounts to Google Authenticator.
Install the app and scan the QR code shown when you enable two-factor authentication; the QR code carries a secret "seed" that the app stores and that the service keeps a copy of. From then on, the app computes a new six-digit code from that seed and the current time every 30 seconds, and you enter the current code along with your password when you log in.
Generating codes needs no cellular signal or network access at all, and the seed never travels over the phone network, so someone who takes over your phone number or intercepts your texts won't learn your codes. Two caveats: anyone who obtains the seed (a screenshot of the setup QR code, a phone backup, or the service's own database) can produce the same codes, and a phishing page can still ask for the current code and relay it within its 30-second window.
Some services—for example, Blizzard’s Battle.net Authenticator—also have their own dedicated code-generating apps.
Physical Authentication Keys
Physical authentication keys are another option that is becoming more popular. Large technology and financial companies, working through the FIDO Alliance, created a standard known as U2F (later incorporated into FIDO2/WebAuthn), and it's already possible to secure your Google, Dropbox, and GitHub accounts with a U2F token. This is a small USB device you can keep on your keychain. Whenever you log into your account from a new computer, you insert the key and press its button. That's it: no typing codes. Keys that talk to phones and tablets over NFC or Bluetooth also exist for devices without USB ports.
This works better than SMS or app-generated codes because there is no code for an attacker to capture or relay, and it's also simpler to use. Consider phishing: a fake Google login page can ask for your password and your one-time code, then immediately submit both to the real Google. With a physical key, the browser includes the origin of the page you're actually on in the data the key signs, and the real site checks that origin before accepting the signature. A signature produced on a phishing domain is therefore useless on the real site, and the key's private key never leaves the device, so nothing reusable is captured.
Expect to see a lot more of these in the future.
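The origin binding described above, as an added simulation that is not code from the original article or from any U2F implementation. The origins are hypothetical, and an HMAC keyed with a device secret stands in for the ECDSA signature a real key produces, so the example runs with the standard library alone; the data being signed (SHA-256 of the app ID followed by SHA-256 of the browser-built client data) is what U2F actually signs. The two login functions show a direct login succeeding and a phishing page relaying a genuine challenge failing, because the browser, not the page, records the origin.

```python
import hashlib
import hmac
import json
import secrets

# Hypothetical origins for the simulation (not from the article).
REAL_ORIGIN = "https://accounts.example.com"
PHISH_ORIGIN = "https://accounts.example.com.login-check.net"


class Authenticator:
    """Stand-in for a U2F key. A real key signs with a per-credential ECDSA
    private key; here an HMAC with a device secret plays that role."""

    def __init__(self) -> None:
        self.device_secret = secrets.token_bytes(32)

    def sign(self, app_id: str, client_data: bytes) -> bytes:
        app_param = hashlib.sha256(app_id.encode()).digest()
        chal_param = hashlib.sha256(client_data).digest()
        return hmac.new(self.device_secret, app_param + chal_param,
                        hashlib.sha256).digest()


class Browser:
    """The browser, not the web page, assembles the client data and writes
    in the origin of the page that requested the signature."""

    def __init__(self, key: Authenticator) -> None:
        self.key = key

    def sign_in(self, page_origin: str, app_id: str, challenge: str):
        client_data = json.dumps({"typ": "navigator.id.getAssertion",
                                  "challenge": challenge,
                                  "origin": page_origin},
                                 sort_keys=True).encode()
        return client_data, self.key.sign(app_id, client_data)


class RelyingParty:
    """The real site: issues single-use challenges and verifies assertions."""

    def __init__(self, origin: str, key: Authenticator) -> None:
        self.origin = origin
        self.app_id = origin
        self.registered = key      # stands in for the stored public key
        self.pending = set()

    def challenge(self) -> str:
        c = secrets.token_urlsafe(32)
        self.pending.add(c)
        return c

    def verify(self, client_data: bytes, signature: bytes) -> bool:
        data = json.loads(client_data)
        # 1. The challenge must be one we issued and not yet consumed
        #    (defeats replay of a captured assertion).
        if data.get("challenge") not in self.pending:
            return False
        self.pending.discard(data["challenge"])
        # 2. The origin the browser recorded must be ours. A phishing page
        #    cannot alter this field: the browser wrote it.
        if data.get("origin") != self.origin:
            return False
        # 3. The signature must cover exactly this client data and app ID.
        expected = self.registered.sign(self.app_id, client_data)
        return hmac.compare_digest(expected, signature)


def login_direct() -> bool:
    key = Authenticator()
    rp = RelyingParty(REAL_ORIGIN, key)
    browser = Browser(key)
    client_data, sig = browser.sign_in(REAL_ORIGIN, rp.app_id, rp.challenge())
    return rp.verify(client_data, sig)


def login_via_phishing_relay() -> bool:
    """The attacker's page fetches a fresh challenge from the real site,
    hands it to the victim's browser, and relays whatever comes back.
    The signature is genuine but bound to the phishing origin. (A real
    browser would already refuse to sign for an app ID the page's origin
    is not entitled to; the simulation lets the signature happen to show
    that the server-side origin check alone is enough.)"""
    key = Authenticator()
    rp = RelyingParty(REAL_ORIGIN, key)
    browser = Browser(key)
    relayed_challenge = rp.challenge()
    client_data, sig = browser.sign_in(PHISH_ORIGIN, rp.app_id, relayed_challenge)
    return rp.verify(client_data, sig)


if __name__ == "__main__":
    print("direct login accepted:", login_direct())
    print("relayed via phishing site accepted:", login_via_phishing_relay())
```

Contrast this with a one-time code: the code carries no information about where it was typed, so the same relay attack against SMS or TOTP succeeds.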
App-Based Authentication
Some services use their own mobile app as the second factor. For example, Google offers code-less two-factor authentication as long as you have the Google app installed on your phone: whenever you try to log into Google from another computer or device, a prompt appears on your phone and you tap a button to approve, with no code to type. Google is confirming that you have your phone in hand. One caveat: an attacker who has your password can trigger these prompts, so only approve a prompt for a login you started, and check the device and location it reports.
Apple’s two-step verification works similarly, although it doesn’t use an app—it uses the iOS operating system itself. Whenever you attempt to log in from a new device, you can receive a one-time-use code sent to a registered device, like your iPhone or iPad. Twitter’s mobile app has a similar feature called login verification as well. And, Google and Microsoft have added this feature to the Google and Microsoft Authenticator smartphone apps.
Email-Based Systems
Other services rely on your email account to authenticate you. For example, if you enable Steam Guard, Steam prompts you for a one-time code sent to your email every time you log in from a new computer. This at least ensures an attacker needs both your Steam password and access to your email account.
This isn't as secure as the other methods: email accounts are a frequent target, and one is easy to break into if it isn't protected by two-factor authentication itself. Anyone who can read your inbox can usually also reset your other passwords, so it is the account to protect first. Avoid email-based verification if something stronger is available. (Thankfully, Steam offers app-based authentication in its mobile app.)
The Last Resort: Recovery Codes
Recovery codes provide a safety net in case you lose your second factor. When you set up two-factor authentication, you'll usually be given a set of recovery codes, each of which works once; write them down and store them somewhere safe, separate from the device that generates your codes. You'll need them if your phone is lost, wiped, or replaced.
Be sure you have a copy of your recovery codes somewhere safe if you're using two-factor authentication. Treat them like passwords: anyone who finds them can use them to bypass your second factor.
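How a service typically issues and consumes recovery codes, as an added example that is not code from the original article or from any of the services it mentions. The design is an assumption, not a description of a specific product: each code is 64 random bits shown to the user once, the server keeps only a hash plus a used flag (like a password table), and a code is burned the moment it is accepted, which is what makes it single-use.

```python
import hashlib
import secrets
from typing import Dict, List, Tuple


def _normalize(code: str) -> str:
    """Ignore case, hyphens and spaces so a hand-copied code still works."""
    return "".join(ch for ch in code.lower() if ch.isalnum())


def _digest(code: str) -> str:
    # Plain SHA-256 is acceptable here because each code carries 64 bits
    # of entropy; for shorter codes a slow hash (scrypt/bcrypt) is needed.
    return hashlib.sha256(_normalize(code).encode()).hexdigest()


def issue_recovery_codes(n: int = 10, n_bytes: int = 8
                         ) -> Tuple[List[str], Dict[str, bool]]:
    """Return (plaintext codes to display once, server-side store).
    The store maps hash -> used flag and never holds the plaintext."""
    codes: List[str] = []
    store: Dict[str, bool] = {}
    for _ in range(n):
        raw = secrets.token_hex(n_bytes)
        pretty = "-".join(raw[i:i + 4] for i in range(0, len(raw), 4))
        codes.append(pretty)
        store[_digest(pretty)] = False
    return codes, store


def redeem_recovery_code(store: Dict[str, bool], submitted: str) -> bool:
    """Accept a code only if it is present and unused, then burn it."""
    key = _digest(submitted)
    if store.get(key) is not False:   # None (unknown) or True (spent)
        return False
    store[key] = True
    return True


def remaining(store: Dict[str, bool]) -> int:
    """How many codes are still unused; warn the user when this gets low."""
    return sum(1 for used in store.values() if not used)


if __name__ == "__main__":
    codes, store = issue_recovery_codes()
    print("show these once:", codes)
    print("first code accepted:", redeem_recovery_code(store, codes[0]))
    print("same code again:", redeem_recovery_code(store, codes[0]))
    print("codes left:", remaining(store))
```

Services should also rate-limit recovery-code attempts and alert the user when one is used, since a redeemed code is a sign that either the user lost their second factor or someone else found the list.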
You won’t find this many options for each of your accounts. However, many services do offer multiple two-step verification methods you can pick from.
There's also the option of enabling several methods at once. For example, if you set up both a code-generating app and a physical security key, you can still get into your account via the app if you ever lose the key. Keep in mind that the account is then only as strong as the weakest method you leave enabled; if SMS stays switched on as a fallback, an attacker can still target it. Registering a second physical key as the backup avoids that trade-off.