The Best Way to Use Two-Factor Authentication
Consumer Reports has no financial relationship with advertisers on this site.
In a world plagued by cyber threats, it takes more than a strong password to protect your personal information. According to security experts, you need a second layer of defense for your online accounts, complements of two-factor authentication (2FA), which is also often called multifactor authentication, or MFA.
If you've ever had to use a six-digit verification code texted to your cell phone to log in to a Gmail account, you're familiar with how 2FA works. The code—entered after your password—basically acts like a second form of ID.
What you may not know is that you can now choose from a number of 2FA options beyond those texted codes, including mobile apps, your phone itself, and physical security keys that can make the process easier to manage and more secure.
And while 2FA doesn't work on everything just yet, it's not reserved solely for your laptops and smartphones. It's often useful on tablets and internet of things devices, too.
“Even if you have a good password strategy, like employing a password manager, I always recommend using multifactor authentication,” says Gerald Beuchelt, chief information security officer for LogMeIn, parent company of the popular password manager LastPass.
"This provides users with an extra layer of security, requiring them to verify their identity with factors such as biometrics, protecting them from the risk of weak or compromised credentials."
That's because passwords can be stolen through a data breach or even a simple phishing attack, no matter how strong you make them. And so, most online services that handle sensitive information—Social Security, banking, and credit card numbers; birthdates; and personal emails—now offer 2FA, as do connected devices such as security cameras.
But there are notable exceptions, such as Fitbit and Netflix. And 2FA is not always turned on by default, which means you can't count on it unless you activate it on your own.
Here’s a quick look at the pros and cons of the latest two-factor authentication methods. If you want to see whether your online banking, social media, and other accounts use one, here's a handy resource.
SMS Texts
This is the method familiar to most people. Any time you log into a digital account via a new laptop or smartphone, you're required to enter your password and then a multi-number code that gets texted to your phone.
The good: You don't need a fancy smartphone to use this method. As long as you can receive texts, you're good to go. In some cases, you can even have the code sent to you in the form of a robocall, which comes in handy if you'd like to have the numbers read aloud to you.
The bad: Smartphone batteries always seem to die at the worst time; and, when that happens, you can't receive texts. If you’re traveling overseas and haven’t set up your phone for international service, you'll have the same problem.
To receive those texts, you also have to hand over your phone number, which could open you up to marketing-related texts from the company that issues them.
Some experts say this method is less secure than the others, too, because cybercriminals can retrieve passcodes through phishing scams, which trick users into entering the code into fake websites, and by cloning your phone number. That last practice, known as "porting," allows the criminal to intercept the code by taking your existing cell-phone number and transferring it to a fake account.
But the odds of either of those things happening to the average person are very slim. And, in the rare instance that it does, the cybercriminal still has to crack your password.
Phones and Phone Apps
With this method, your smartphone acts as a security key.
If you choose to use a mobile app, such as Google Authenticator, you must scan a QR code presented by the site you wish to visit into the app. Once you do that, the app will continually generate the numerical codes required for log-in.
You also have the option to print out an image of the QR code for safekeeping. If you lose your phone, you just scan the code into a new one.
Google Authenticator is available for Android and iOS phones, but you need to have a Google account to set it up. And you have to sign up for Google 2-Step Verification before you can use it.
Instead of installing an app, you can also set up a push-based system such as Google Prompt, which sends notifications to all the phones signed into your Google account when a new log-in is detected. The notifications include location information for the log-in attempt.
You then have the choice of approving or denying the attempt.
This is the default method of 2-Step Verification for most Google accounts. Apple has adopted a similar approach for its products.
The good: Because the key is stored on your phone, you can use this method even if the device isn’t connected to a network. And, on the off chance someone manages to clone your phone number, they still won’t be able to retrieve the key without access to the phone itself.
The push-notification version offers the added benefit of being quicker and easier to use. It’s also less susceptible to phishing, because it doesn't rely on a passcode. And, if the approximated location is far away from your home or office, notifications like these might be more likely to grab your attention and spur you to take needed action.
The bad: With the QR code method, if your phone goes missing or loses power and you don’t have copies of the code saved elsewhere, you’re out of luck. But you can activate another version of 2FA as a backup to prevent that.
This method also can be a pain if you're like me and use lots of devices. And, unlike with the methods listed above, push notifications require a working cellular data connection.
Physical Security Keys
Though consumers may be less aware of this option, people who work at Google, Facebook, Twitter, and cybersecurity companies have been quick to embrace it.
Instead of entering a code into your computer to verify your identity, you insert a physical key.
In some cases, the key and computer are linked via Bluetooth. In fact, cellular phones that run versions of the Android operating system dating back to 7.0 (Nougat) can now act as a Bluetooth-connected key.
The good: Google has famously claimed that not one of its 85,000 employees has had a work account phished since the company started using these physical keys in early 2017.
While hackers may be able to phish an SMS code from the other side of the world, they certainly can't fish a physical key out of the bottom of your purse or nightstand drawer remotely.
What's more, this method doesn't require a data connection or a powered-up cell phone.
The keys themselves are easy to set up and relatively inexpensive. Google and Yubico sell keys that start at $25 for consumers through their respective websites. Yubico's are also for sale on Amazon.
Regardless of brand and price, security experts recommend buying a key that supports the FIDO2 security standard, which mandates higher levels of cryptography and authentication.
The bad: Yes, you have to buy the key. And you have to make sure it's with you whenever you need it. Logging in without it can be horribly complicated.
But you can have a backup key or two, just in case the original gets lost. And there are now tiny models that you can just leave plugged into one of your computer's ports and forget about.
And while many of the major tech companies have embraced security keys, your bank may have not. The overall adoption rate still trails those of other 2FA methods.
And, just a warning, not all browsers work with physical security keys just yet. And if you want to use a key with a mobile device, make sure you buy one that's compatible. Otherwise, you'll need to fall back on one of the other 2FA methods above.
While most early keys were USB- or USB-C-compatible, new models also connect through Bluetooth and near-field communication (NFC). And Yubico now makes iPhone-friendly keys with lightning cable connectors.
