By Brian Barrett | 22 Jul 2018
HOPEFULLY BY NOW you’ve heeded the repeated warnings from your friends and loved ones (and friendly, beloved internet writers) to use two-factor authentication to secure your digital accounts. That’s where access to Facebook or Twitter or your online bank—anything that supports it, really—requires not just a password but also a special code. Not all two-factor is created equal, however. For better protection, you’re going to want an authenticator app.
Yes, the easiest way to implement two-factor is with SMS, receiving a text with an access code every time you try to log into a secured account. While certainly better than nothing, getting your 2FA from SMS has plenty of potential downside. Specifically, it leaves you exposed if someone hijacks your smartphone’s SIM, a longtime problem that has only gotten worse of late. By stealing your phone number, hackers can redirect any two-factor notifications to their own devices, allowing them much easier entry to your accounts.
“Unfortunately, it isn’t that hard for thieves to impersonate you to your mobile phone carrier and hijack your mobile phone number—either with a phone call to customer support or walking into a phone store,” says Lorrie Cranor, a computer scientist at Carnegie Mellon University and former FTC technologist who had her own SIM stolen in 2016. Authenticator apps are not vulnerable to this problem, and thus are a more secure way to do two-factor verification.
Instagram, in particular, has seen a surge of troubling SIM attacks, largely because it only supports text-based two-factor for now. The company confirmed that it’s working on the obvious solution: Letting you use an authenticator app instead.
“Authenticator apps are not vulnerable to this problem” of SIM hijacking, says Cranor. “They’re a more secure way to do two-factor verification.”
The good news? Most of the sensitive accounts you use today already offer stronger 2FA. And there’s no shortage of third-party authenticator apps that’ll enable it for you. Here’s how to get set up, and make your sign-ins that much more stress-free.
The most popular authenticator apps are Google Authenticator and Authy, but password managers 1Password and LastPass offer the service as well, if that helps you streamline. If you’re heavy into Microsoft’s ecosystem, you might want Microsoft Authenticator. While they all differ somewhat in features, the core functionality is the same no matter which one you use.
Rather than send you an SMS, each of these apps shows you a randomly generated six-digit code that refreshes roughly every 30 seconds, and stays constantly synced with whichever service you’re trying to log into. The benefits of tying those codes to a physical device, rather than your phone number, extend beyond security; apps like Google Authenticator generally continue to work even without an internet or cell connection. If 2FA has ever locked you out of Facebook on a flight, here’s some relief.
Most services you would want to secure offer this type of token-based 2FA; Instagram is more of the exception than the rule at this point. You can see a comprehensive list for yourself here. As for which app to use, Google Authenticator offers a barebones experience backed by a company with a sterling security record, while Authy offers more features, like being able to pull codes from not just your smartphone but your desktop or tablet. It also lets you back up your codes to the cloud, enabling a seamless migration when you inevitably upgrade your smartphone. With Google Authenticator, when you switch your main device, you have to sync your accounts over again.
For that reason, we’ll use Authy for a quick walkthrough of how to actually use a more secure 2FA app. The steps are basically the same on Google Authenticator, but it covers a little more ground.
Lock It Down
Step one: Download the app. See? This is easy. No sweat.
Once you open Authy, it’ll ask for your phone number, and then send you a registration code via either phone call, SMS, or another device. From there, it’s a blank slate until you start pairing it with the accounts you want to secure.
Here comes the drudgery. You’ll need to go to every single account you want to pair your authenticator app with; there’s no omnibus route, and no automated way to transition from SMS to Authy or Authenticator. The silver lining: While you have to repeat the set-up process many, many times across all corners of the internet, it’s quick and relatively painless.
Let’s use Dropbox as an example. Once you’re signed in on the web on your desktop, click the ID icon in the upper right corner. From there, go to Settings, then Security. Toggle on Two-step verification, then head to Edit, under Preferred Method. Click Use a mobile app, and you’ll see a QR code. Tap Add Account on Authy, point your smartphone at the screen, and congrats! Your Dropbox account is locked down tight.
Now onto the rest: Twitter, Facebook, Gmail, Evernote, and on and on. Each uses slightly different wording for its menus, but go to the settings and click on words like “privacy” and “security” until you find the available two-factor options.
If you’re using Google Authenticator, that’s basically all you need to know. And to be absolutely clear, that no-frills approach works great for most people. If you want more features, though, you can take some extra steps with Authy.
For instance! Go to Settings and tap Accounts, then toggle on Authenticator Backups if you want to create encrypted backups in the cloud. The extra cautious may prefer to keep their codes on a single device, but the cloud backup makes it possible to use Authy on more than just your smartphone—there’s even a Chrome extension—and also makes switching to a phone much more seamless.
Speaking of which, to add more devices to your Authy account, go to Settings, then Devices, and tap Allow Multi-device. From there, you can authenticate whatever else you need. Authy also lets you protect the app with a 4-digit PIN, to keep people from accessing your tokens even if they steal your device.
One more miscellaneous tip: The services that offer two-factor will also generally offer one-time use backup codes. Print these out, especially if you’re traveling, and keep them in a safe place. If for whatever reason you can’t access your app or an SMS, it’s your last, best bet to keep from getting locked out of your account.
The 2FA Spectrum
Using an authenticator app for two-factor beats SMS, but it’s still not the absolute most secure way to go. To lock even your online accounts down even further, consider stepping up to a YubiKey, which adds a hardware layer of protection. (You can get a free YubiKey 4 with a new WIRED subscription.) If you’re an activist, journalist, or other potential target of attacks, Google Advanced Protection is the most secure option around.
As with so many things, it’s a matter of balancing security and convenience. But for most people, the few minutes it takes to set up an authenticator app are more than worth the benefit over sticking with SMS—especially once Instagram and other stragglers get around to offering it.