A Pain-Free Way to Secure All Your Online Accounts

An emerging technology called passkeys conveniently replaces both passwords and 2FA codes, but it’s only supported on a small number of sites. (Image: Pixabay)

Summary

Two-factor authentication isn’t tech jargon but something everyone should use. Here’s how to set it up for easy, secure access.

There’s a basic equation for online security:

Long, unique passwords + two-factor authentication = safer money, work and personal data

With a password manager, that first component is easy. The software can create a different hard-to-guess combination of numbers and letters for each online account you have. It also stores those gibberish passwords safely, then auto-fills them in websites and apps when you need them. All you need to do is remember one master password.

And that second component? You typically see two-factor authentication—aka 2FA—as a time-sensitive code sent to you via text or generated by an app when you’re logging in somewhere. In many cases, it’s a setting you need to turn on. Don’t treat this as optional: Recent attacks on the Securities and Exchange Commission’s official X account and thousands of accounts at 23andMe might have been blocked had those users enabled 2FA.

Two-factor codes are a necessary security layer but they are inconvenient at best, and hazardous at worst if you lose access to the device that generates them.

An emerging technology called passkeys conveniently replaces both passwords and 2FA codes, but it’s only supported on a small number of sites. Until they’re ubiquitous, we’re stuck with pesky codes.

Lately, I’ve discovered better tools and practices that simplify the 2FA process. My guide will help you get codes easily on your computer, and securely share them with a spouse who is trying to file taxes or pay a utility bill. It will also help you protect the codes so you don’t get locked out of accounts if you lose your phone.

Have a backup

Verification codes by text message are the least secure form of 2FA, because cell-carrier accounts are prone to attacks, said Trevor Hilligoss, vice president of security firm SpyCloud Labs. That said, if it’s your only option, you should still use it. “Any 2FA is better than no 2FA,” he said.

A better bet is to set up an authenticator app—my picks are below—to generate the codes you need to sign in. Services from Amazon to X support them.

Log into a website or app, then go into settings. Under security, you should find two-factor or “multifactor” authentication—and a bevy of options, including one for authenticator or code-generator apps. Typically, the next screen will show a QR code. In your authenticator app, add an account, then scan the code. (Trust me, do it once and you’ll realize it’s easy.)

One caveat: If you lose your phone—or forget to transfer your authenticator app before trading your old phone in for a new one—you could risk losing access to accounts. The trick is to pick an app with a backup plan.

• Authy, a free authenticator app for iOS and Android, is my top choice. Its key benefit is a pair of recovery options: You can back up an encrypted version of your codes to Authy servers by enabling the Backup Password option in settings. Or you can download the app on multiple devices, say your phone and your tablet, and the same codes will show on both.

• Google Authenticator is another free option for iOS and Android devices. You can back up codes to your Google account, so you can set up the app on a new device even if you don’t have your old one. However, you can’t run the app simultaneously on multiple devices.

Another highly secure, but sometimes cumbersome, way to handle 2FA: physical dongles called security keys. Major online services support these keys, including Apple, Google, Facebook and Microsoft. Most password managers, such as 1Password, do too. You can set the key up as a backup-verification method, in addition to your authenticator app, and stash it in a safe place in the physical world, such as your sock drawer, where cybercriminals can’t get to it.

Password managers, such as 1Password and Dashlane, can also generate verification codes which, like your other logins, are backed up by your master password.

Relying on password managers for everything is putting all your cybersecurity eggs in one basket, said Hilligoss. But if you protect your password-manager app with a strong, unique master password, and create a long, complex passcode for your phone and other devices, you’re well-protected. Even a determined cybercriminal would struggle to get into your manager’s encrypted vaults.

Get codes on other devices

You’re on your laptop, trying to log into Amazon. It asks for an authentication code. You realize you left your phone, which has your authenticator app, charging in the other room. Sigh.

Don’t get up. There’s a better way!

My favorite authentication app, Authy, works on any newer Mac computer with an M chip—denoting Apple silicon. Unfortunately, Twilio, the app’s parent company, said it’s no longer supporting desktop apps for Windows and older Macs starting March 19, citing low usage.

If you use a third-party password manager for authentication codes, you can get them on your computer via your manager’s desktop app or browser extension.

If you are stuck getting codes on your phone, remember this trick: If you have an iPhone and a Mac, you can copy the code on your phone then instantly paste on the Mac. Be sure Bluetooth and Wi-Fi are on, and enable Handoff in settings. If you’re using Android and a Windows PC or Chromebook, you can use an equivalent feature, called Quick Share.

Share your secrets

Another familiar scenario: Your spouse is logging on to pay the cable bill, but you’re the one getting the account 2FA codes while sitting in a meeting at work. There are secure—and convenient—ways to share 2FA with someone who needs access to your accounts.

You can add any accounts you co-manage to a shared vault in a password manager. Our three recommended managers, 1Password, Dashlane and Bitwarden, all have encrypted features for sharing passwords, plus verification codes.

If you have Apple products updated to the latest software (iOS 17, MacOS Sonoma, etc.), you can create a group to share passwords and verification codes in the built-in iCloud Keychain manager. Go to Settings > Passwords.

If you have to text a code to someone, make sure you do it via an encrypted method, such as iMessage, WhatsApp or Signal. Better yet, call your trusted recipient, and read the code out loud. Unless there’s a hacker hiding behind your chair, that should be safe.

Write to Nicole Nguyen at nicole.nguyen@wsj.com
