How to: Enable Two-factor Authentication

Two-factor authentication (or “2FA ”) is a way to make your online accounts more secure by adding a requirement for additional proof ("factors") alongside your password when you log in. This may be something you know (like a password or PIN), something you have (like a security key or mobile phone), or something that is attached to or inseparable from you (like your fingerprint or face).

You probably already use 2FA in some parts of your life. When you use an ATM to withdraw cash, you must have both your physical bankcard (something you have) and your PIN (something you know). 2FA for online services uses the same basic logic.

How Does 2FA Work Online? anchor link

Many online services—including Facebook (as well as Instagram and WhatsApp), Apple, Google, X, Reddit, WeChat, Telegram, and TikTok—offer 2FA as an alternative to password-only authentication. Once you’ve enabled it, you’ll be prompted for both a password and a secondary method of authentication. 

This secondary method can be one of several things: an SMS message, a rotating code generated by an authenticator app, a push notification, or a USB device (called a security key ).

An authenticator app generates rotating six-digit codes that are specific to each website you’ve registered with it. Many companies make free mobile authenticator apps, like Google Authenticator and Authy. Some password managers work as an authenticator app too, so there is no reason why you should ever need to pay for one. 2FA apps typically use time-based one-time passwords (TOTP), unique numeric passwords generated by an algorithm. This means that they're single-use, and only valid for a short amount of time. In fact, most 2FA apps show a countdown clock, typically for 30 seconds, designating when the code will change. In these cases, the second factor is your mobile phone, something you (normally) possess. 

You may also encounter "push notification based 2FA," which is common with employers and services like Duo or Okta, but you may have also already used it with a Google, Apple, or Microsoft account. It's also popular with gaming services, like Steam and Blizzard. With push-based 2FA, the service can send a prompt to one of your devices during login. This prompt will indicate that someone (possibly you) is trying to log in, and an estimated location for the login attempt. You can then approve or deny the attempt. 

A second factor can also be another physical device that you purchase separately, called a security key. Security keys plug into your computer or phone through USB, or connect to phones wirelessly with NFC. Like the apps mentioned above, you register them with a website, and you cannot log into that website without supplying the key. Security keys are the strongest form of 2FA, but are not as widely supported on websites as other options.

Once you’ve opted-in to using 2FA, you’ll need to enter your password and then the second factor—the code sent from SMS or generated in your 2FA app, or a security key—to log into your account.

Why Should I Enable 2FA? anchor link

2FA offers you greater account security. Even if someone were to get ahold of your password, they could not access your account unless they also had your mobile phone or another secondary means of authentication. This is particularly important since data breaches that include user passwords are a common occurrence. Websites get breached all the time and reveal a person's password and username. 2FA is not an alternative to using strong and unique passwords, but it can provide a small extra layer of security in case someone has hit gold plugging your username and password into a different site.

In addition, security key 2FA and passkey authentication are effectively phishing-proof, because the key will not work on a site that it's not registered for. But this is not the case with other forms of 2FA, like codes generated in apps or from SMS messages. In recent years, phishing attacks have grown sophisticated enough to ask for 2FA codes, which SMS and authenticator apps have no protection against.

Are There Downsides to Using 2FA? anchor link

Although 2FA offers a more secure means of authentication, there is an increased risk of getting locked out of your account. For example, if you lose your phone, change your phone number, or travel to a country without turning on roaming you may lose access to your accounts. This is also true with security keys, which can be easier to lose than a phone.

Many 2FA services provide a short list of single-use “backup” or “recovery” codes. Each code works exactly once to log in to your account, and is no longer usable thereafter. If you are worried about losing access to your phone or other authentication device, print out and carry these codes with you. They'll still work as “something you have,” as long as you only make one copy, and keep it close. Remember to keep the codes secure and ensure that no one else sees them or has access to them at any time. If you use or lose your backup codes, you can generate a new list next time you’re able to log in to your account.

Some 2FA mobile apps solve this problem by offering the option to back up the information that generates the one-time codes. So, if you lose your phone, you can pull up the backup. For most people, backing up their authenticator codes is a good idea. But you might prefer not to back up authenticator codes if you're worried about the security of the service where you back them up, and you're confident you won't lose or break your phone. If you do enable them, check the app's documentation to ensure it uses end-to-end encryption for those backups. 

SMS 2FA is better than nothing, but does have potential issues because SMS messaging isn't very secure. It's possible for a sophisticated attacker who has access to the phone network (such as an intelligence agency or an organized crime operation) to intercept and use the codes that are sent by SMS. There have also been cases where a less sophisticated attacker (such as an individual) has managed to forward calls or text messages intended for one number to his or her own, or accessed telephone company services that show text messages sent to a phone number without needing to have the phone. SIM swapping is also a potential problem, which happens when someone transfers your phone number to a device they control, by tricking your mobile carrier (or by being an insider). Once they do that, they can then access any SMS 2FA codes, or worse, do a password reset via SMS. The Federal Trade Commission has attempted to steer companies away from SMS-based 2FA.

When possible, opt to use an authenticator app, passkey, or a security key instead of SMS.  You should also check with your mobile carrier to see if they offer some tools for protecting against SIM swapping. This may be a PIN or verbal password you have to give when calling customer support to make changes.

In addition, using SMS-based 2FA means you may be handing over more information to a service than you are comfortable with. Suppose you use TikTok, and you signed up using a pseudonym . Even if you carefully avoid giving TikTok your identifying information, and even if you access the service only over Tor or a VPN , if you enable SMS 2FA, TikTok will necessarily have a record of your mobile number. That means that, if compelled by a court, TikTok can link your account to you via your phone number. This may not be a problem for you, especially if you already use your legal name on a given service, but if maintaining your anonymity is important, think twice about using SMS 2FA.

Even after enabling 2FA, make sure to still use a password manager to create strong, unique passwords. See our creating strong passwords guide for tips.

What About Passkeys? anchor link

Passkeys are a newer option for logging in that provide all the security of 2FA, with a lot less hassle. A passkey is approximately 100-1400 bytes of random data, generated on your device (like your phone, laptop, or security key) for the purpose of logging in on a specific website. It is neither a password nor 2FA, but can functionally replace both.

Instead of requiring you to enter your password and a code, passkeys build in a second factor. Each time you use the passkey to log in, your browser or operating system may ask you to re-enter your device unlock PIN. If you use a fingerprint or facial recognition to unlock your device, your browser might instead request you re-enter your fingerprint or show your face, to confirm that it’s really you asking to log in. That gives two factors of authentication: the device that stores your passkey is something you have, and it’s accompanied by something you know (the PIN) or something you are (a fingerprint or a face).

If you’re already using 2FA on a given site, a passkey will be much more convenient, and may be more secure. SMS or authenticator app 2FA methods are vulnerable to phishing attacks, since a fake site can ask you for the one-time code and pass it along to the real site along with your phished password. Passkeys are more secure than SMS or authenticator app 2FA because they aren’t vulnerable to phishing. Your browser knows exactly which site goes with which passkey, and isn’t tricked by fake websites.

How Do I Enable 2FA? anchor link

Note: if you haven’t yet set up a password manager and started using unique passwords for each site, do that first. Using unique passwords for each site helps enormously all by itself.

Enabling 2FA differs from platform to platform, as does the terminology used. An extensive list of sites supporting 2FA is available at https://2fa.directory/.  Everyone's security plan has different needs, and not every website will even offer you options for different forms of 2FA, but when you have the luxury of choice, think of each type of 2FA in this order: 

• Passkeys are strong and easy to use (when they work correctly), but are still a new technology that isn't always offered, and which can cause hiccups in the login process when not implemented correctly that are frustrating to troubleshoot.
• Security keys are very strong but can be annoying to use since you always need to have that physical key with you.
• Push notification-based authentication provides medium security and is easy to use, but is only available for a small number of web services, and since it's not standardized, can mean that you'll end up with a bunch of different authenticator apps on your phone.
• Authenticator app/TOTP authentication is very common these days, and provides a medium-level of security but it can be annoying to copy/paste codes between apps, especially on mobile devices. 
• SMS provides the lowest level of security, can be annoying to use in some circumstances (or impossible if you don't have mobile service), but is still better than nothing if it's the only option offered.

Once you poke around the account settings and find the option to enable 2FA, you'll often need to take one more step to finish the process. How this works also depends on the type of 2FA you are using and the website itself, but it typically goes like this:

• If you choose to use a passkey, the site will create and store a passkey on the device you make it on (like your phone or laptop). You will need to have that specific device handy to log in with that passkey, though some password managers will sync the passkey across devices. Many services will also still require you to have a username and password, so you may still need to use another form of 2FA for the time being.
• If you opt for a security key, you'll need to insert the key, confirm that you want to create a credential (this depends on the key itself, but typically means tapping the key, or pushing a button on it) and then follow the directions to finish linking it to your account. Note that some websites require a second form of 2FA as a backup when you use a security key, so you may need to set that up first. 
• If you use a mobile authenticator app, you will need to scan a QR code on your computer's screen with your phone. After that your phone will start generating rotating codes, and you will have to enter one of those codes to prove you completed this process successfully.
• If you turn on SMS, you will receive a code that you then need to type in to finish the process of enabling 2FA. 

The process of enabling 2FA can be daunting when you first start out, but you can make it easier on yourself by breaking it up into smaller projects. 

Start with your email accounts. Because most services allow password reset via email, anyone who takes over your address can do password resets to get into other services, so it’s the most important service to secure first. Next, set it up for any services that back up your files—like an Apple, Google or Microsoft account. After that, social networks and communication apps should be next on your priority to secure. From there, you can tick down the list on the 2FA directory site to look for websites you use.