Recently, it was announced that Twitter would only offer SMS-based two-factor authentication (2FA) to its Twitter Blue members (those who are willing to pay $8 a month on Android or $11 a month on iOS). To tell you the truth, my first reaction was: just as well. If you want to use 2FA to secure your social media or another account, using text messaging is not the way to go. You’re much better off using either a third-party authenticator app or a hardware security key.
Security keys, such as the ones sold by Yubico, are the safest method to use. They can connect to your system using USB-A, USB-C, Lightning, or NFC, and they’re small enough to be carried on a keychain (with the exception of Yubico’s YubiKey 5C Nano, which is so small that it’s safest when kept in your computer’s USB port). They use a variety of authentication standards: FIDO2, U2F, smart card, OTP, and OpenPGP 3.
When you insert a security key into your computer or connect one wirelessly, your browser issues a challenge to the key. The challenge includes the domain name of the specific site you are trying to access, which prevents you from accidentally logging in to a phishing site. The key then cryptographically signs the challenge, logging you in to the service.
Many sites support U2F security keys, including Twitter, Facebook, Google, Instagram, and others. The best thing to do is check the website of your security key of choice and see which services are supported — for example, here’s a link to the apps supported by YubiKeys.
But while physical security keys are the safest method, they are not the most convenient. If you don’t want to carry around (and possibly lose) a physical key, using an authentication app on your phone is the best way to go.
Authentication apps generate one-time numerical passcodes that change approximately every minute. When you log in to your service or app, it will ask for your authenticator code; you just open up the app to find the randomly generated code required to get past security.
Popular options include Authy, Google Authenticator, and Microsoft Authenticator. These apps mostly follow the same procedure when you’re adding a new account: you scan a QR code associated with your account, and it is saved in the app. The next time you log in to your service or app, it will ask for a numerical code; just open up the authenticator app to find the randomly generated code required to get past security.
Here is how to set up 2FA on some of the more popular online accounts. Not all of them allow for authenticator apps; in that case, we list what is available. (If you’re just interested in using an authenticator app for your Twitter account, you can go directly to this article, which gives you all the steps needed — however, just to be convenient, we’ve included Twitter with the others here.)
Note: most of the following directions are for websites; if you can use a mobile app, directions will be given for that as well.
- Log in to your Amazon account.
- Hover over Accounts & Lists (in the upper-right corner) and go to Account > Login & security. (You can also simply follow this link.)
- Scroll down to 2-step verification and click the Edit button. (You may be asked to reenter your password.)
- Click Get Started, and Amazon will walk you through the process of registering your preferred authenticator app by syncing it through a QR code.
If you wish, you can also register a phone number to use as a backup text 2FA. Amazon also lets you opt out of 2FA for any specific devices.
You can also activate 2FA on the Android and iOS Amazon apps.
- Tap the person icon on the bottom (second from left).
- Go to Your Account > Login & security.
- The same 2-step verification selection, with the same Edit button, should be available.
If you use any Apple devices, you turn on 2FA through your Apple ID — you can do it either on your mobile device or on the web. You also receive any verification codes via Apple’s system; there are no third-party authentication apps here. (Apple recently added the ability to use physical security keys if you have an iPhone on iOS 16.3 or later, an iPad on iPadOS 16.3 or later, or a Mac on macOS Ventura 13.2; you will need to have at least two keys in order to use this feature.)
A few other things to note (as detailed on Apple’s support page): if you turn on 2FA, you have two weeks to change your mind, and after that, it’s a done deal — you can’t turn it off. Once 2FA is established, then every time you sign in using your Apple ID on a new device, you’ll get a notification on a trusted device, and you’ll have to okay the sign-in. Once you sign in to a device with the verification code, it will be considered a trusted device, and you won’t have to use a code again (unless you sign out, change your password, or erase the device). Finally, you’ll need a trusted phone number to establish 2FA.