{"id":12871,"date":"2018-07-22T10:45:08","date_gmt":"2018-07-22T18:45:08","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/07\/22\/news-6638\/"},"modified":"2018-07-22T10:45:08","modified_gmt":"2018-07-22T18:45:08","slug":"news-6638","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2018\/07\/22\/news-6638\/","title":{"rendered":"How to Secure Your Accounts With Better Two-Factor Authentication"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/5b524495e6d8d808477c3e84\/master\/pass\/Featured%20Image%20-%20How%20to%20use%20an%20authenticator%20app%20for%20better%20two-factor.jpg\"\/><\/p>\n<p><strong>Credit to Author: Brian Barrett| Date: Sun, 22 Jul 2018 11:00:00 +0000<\/strong><\/p>\n<p><span class=\"lede\">Hopefully by now <\/span>you\u2019ve heeded the repeated warnings from your friends and loved ones (and friendly, beloved internet writers) to use two-factor authentication to <a href=\"https:\/\/www.wired.com\/2017\/12\/digital-security-guide\/\">secure your digital accounts<\/a>. That\u2019s where access to <a href=\"https:\/\/www.wired.com\/story\/facebook-two-factor-authentication\/\">Facebook<\/a> or <a href=\"https:\/\/www.wired.com\/2016\/06\/twitter-hack\/\">Twitter<\/a> or your online bank\u2014anything that supports it, really\u2014requires not just a password but also a special code. Not all two-factor is created equal, however. For better protection, you\u2019re going to want an authenticator app.<\/p>\n<p>Yes, the easiest way to implement two-factor is with SMS, receiving a text with an access code every time you try to log into a secured account. While certainly better than nothing, getting your 2FA from SMS <a href=\"https:\/\/www.wired.com\/2016\/06\/hey-stop-using-texts-two-factor-authentication\/\">has plenty of potential downside<\/a>. 
Specifically, it leaves you exposed if someone hijacks your smartphone\u2019s SIM, <a href=\"https:\/\/www.wired.com\/2016\/06\/even-ftcs-lead-technologist-can-get-hacked\/\">a longtime problem<\/a> that has only gotten worse of late. By stealing your phone number, hackers can redirect any two-factor notifications to their own devices, allowing them much easier entry to your accounts.<\/p>\n<p class=\"paywall\">\u201cUnfortunately, it isn\u2019t that hard for thieves to impersonate you to your mobile phone carrier and hijack your mobile phone number\u2014either with a phone call to customer support or walking into a phone store,\u201d says Lorrie Cranor, a computer scientist at Carnegie Mellon University and former FTC technologist who had <a href=\"https:\/\/www.wired.com\/2016\/06\/even-ftcs-lead-technologist-can-get-hacked\/\">her own SIM stolen<\/a> in 2016. Authenticator apps are not vulnerable to this problem, and thus are a more secure way to do two-factor verification.<\/p>\n<p class=\"paywall\">Instagram, in particular, has <a href=\"https:\/\/motherboard.vice.com\/en_us\/article\/vbqax3\/hackers-sim-swapping-steal-phone-numbers-instagram-bitcoin\" target=\"_blank\">seen a surge<\/a> of troubling SIM attacks, largely because it only supports text-based two-factor for now. The company confirmed that it\u2019s working on the obvious solution: Letting you use an authenticator app instead.<\/p>\n<p class=\"paywall\">\u201cAuthenticator apps are not vulnerable to this problem\u201d of SIM hijacking, says Cranor. \u201cThey\u2019re a more secure way to do two-factor verification.\u201d<\/p>\n<p class=\"paywall\">The good news? Most of the sensitive accounts you use today already offer stronger 2FA. And there\u2019s no shortage of third-party authenticator apps that\u2019ll enable it for you. 
Here\u2019s how to get set up, and make your sign-ins that much more stress-free.<\/p>\n<p class=\"paywall\">The most popular authenticator apps are <a href=\"https:\/\/play.google.com\/store\/apps\/details?id=com.google.android.apps.authenticator2\" target=\"_blank\">Google Authenticator<\/a> and <a href=\"https:\/\/play.google.com\/store\/apps\/details?id=com.authy.authy\" target=\"_blank\">Authy<\/a>, but password managers <a href=\"https:\/\/play.google.com\/store\/apps\/details?id=com.agilebits.onepassword\" target=\"_blank\">1Password<\/a> and <a href=\"https:\/\/play.google.com\/store\/apps\/details?id=com.lastpass.authenticator\" target=\"_blank\">LastPass<\/a> offer the service as well, if that helps you streamline. If you&#x27;re heavy into Microsoft&#x27;s ecosystem, you might want <a href=\"https:\/\/www.microsoft.com\/en-us\/account\/authenticator\" target=\"_blank\">Microsoft Authenticator<\/a>. While they all differ somewhat in features, the core functionality is the same no matter which one you use.<\/p>\n<p class=\"paywall\">Rather than send you an SMS, each of these apps shows you a randomly generated six-digit code that refreshes roughly every 30 seconds, and stays constantly synced with whichever service you\u2019re trying to log into. The benefits of tying those codes to a physical device, rather than your phone number, extend beyond security; apps like Google Authenticator generally continue to work even without an internet or cell connection. If 2FA has ever locked you out of Facebook on a flight, here\u2019s some relief.<\/p>\n<p class=\"paywall\">Most services you would want to secure offer this type of token-based 2FA; Instagram is more of the exception than the rule at this point. 
You can see a comprehensive list for yourself <a href=\"https:\/\/twofactorauth.org\" target=\"_blank\">here<\/a>. As for which app to use, Google Authenticator offers a barebones experience backed by a company with a sterling security record, while Authy offers more features, like being able to pull codes from not just your smartphone but your desktop or tablet. It also lets you back up your codes to the cloud, enabling a seamless migration when you inevitably upgrade your smartphone. With Google Authenticator, when you switch your main device, you have to sync your accounts over again.<\/p>\n<p class=\"paywall\">For that reason, we\u2019ll use Authy for a quick walkthrough of how to actually use a more secure 2FA app. The steps are basically the same on Google Authenticator, but it covers a little more ground.<\/p>\n<p class=\"paywall\">Step one: Download the app. See? This is easy. No sweat.<\/p>\n<p class=\"paywall\">Once you open Authy, it\u2019ll ask for your phone number, and then send you a registration code via either phone call, SMS, or another device. From there, it\u2019s a blank slate until you start pairing it with the accounts you want to secure.<\/p>\n<p class=\"paywall\">Here comes the drudgery. You\u2019ll need to go to every single account you want to pair your authenticator app with; there\u2019s no omnibus route, and no automated way to transition from SMS to Authy or Authenticator. The silver lining: While you have to repeat the set-up process many, many times across all corners of the internet, it\u2019s quick and relatively painless.<\/p>\n<p class=\"paywall\">Let\u2019s use Dropbox as an example. Once you\u2019re signed in on the web on your desktop, click the ID icon in the upper right corner. From there, go to <strong>Settings<\/strong>, then <strong>Security<\/strong>. Toggle on <strong>Two-step verification<\/strong>, then head to <strong>Edit<\/strong>, under <strong>Preferred Method<\/strong>. 
Click <strong>Use a mobile app<\/strong>, and you\u2019ll see a QR code. Tap <strong>Add Account<\/strong> on Authy, point your smartphone at the screen, and congrats! Your Dropbox account is locked down tight.<\/p>\n<p class=\"paywall\">Now onto the rest: Twitter, Facebook, Gmail, Evernote, and on and on. Each uses slightly different wording for its menus, but go to the settings and click on words like &quot;privacy&quot; and &quot;security&quot; until you find the available two-factor options.<\/p>\n<p class=\"paywall\">If you&#x27;re using Google Authenticator, that&#x27;s basically all you need to know. And to be absolutely clear, that no-frills approach works great for most people. If you want more features, though, you can take some extra steps with Authy.<\/p>\n<p class=\"paywall\">For instance! Go to <strong>Settings<\/strong> and tap <strong>Accounts<\/strong>, then toggle on <strong>Authenticator Backups<\/strong> if you want to create encrypted backups in the cloud. The extra cautious may prefer to keep their codes on a single device, but the cloud backup makes it possible to use Authy on more than just your smartphone\u2014there&#x27;s even a <a href=\"https:\/\/chrome.google.com\/webstore\/detail\/authy\/gaedmjdfmmahhbjefcbgaolhhanlaolb?hl=en\" target=\"_blank\">Chrome extension<\/a>\u2014and also makes switching to a phone much more seamless.<\/p>\n<p class=\"paywall\">Speaking of which, to add more devices to your Authy account, go to <strong>Settings<\/strong>, then <strong>Devices<\/strong>, and tap <strong>Allow Multi-device<\/strong>. From there, you can authenticate whatever else you need. 
Authy also lets you protect the app with a 4-digit PIN, to keep people from accessing your tokens even if they steal your device.<\/p>\n<p class=\"paywall\">One more miscellaneous tip: The services that offer two-factor will also generally offer one-time use backup codes. Print these out, especially if you&#x27;re traveling, and keep them in a safe place. If for whatever reason you can&#x27;t access your app or an SMS, it&#x27;s your last, best bet to keep from getting locked out of your account.<\/p>\n<p class=\"paywall\">Using an authenticator app for two-factor beats SMS, but it&#x27;s still not the absolute most secure way to go. To lock your online accounts down even further, consider <a href=\"https:\/\/www.wired.com\/story\/how-to-use-a-yubikey\/\">stepping up to a YubiKey<\/a>, which adds a hardware layer of protection. (You can <a href=\"https:\/\/subscribe.condenastdigital.com\/subscribe\/splits\/wired\/WIR_Site_Control_Desktop\" target=\"_blank\">get a free YubiKey 4 with a new WIRED subscription<\/a>.) If you&#x27;re an activist, journalist, or other potential target of attacks, <a href=\"https:\/\/www.wired.com\/story\/google-advanced-protection\/\">Google Advanced Protection<\/a> is the most secure option around.<\/p>\n<p class=\"paywall\">As with so many things, it&#x27;s a matter of balancing security and convenience. But for most people, the few minutes it takes to set up an authenticator app are more than worth the benefit over sticking with SMS\u2014especially once Instagram and other stragglers get around to offering it.<\/p>\n
<p><a href=\"https:\/\/www.wired.com\/story\/two-factor-authentication-apps-authy-google-authenticator\" target=\"bwo\" >https:\/\/www.wired.com\/category\/security\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/5b524495e6d8d808477c3e84\/master\/pass\/Featured%20Image%20-%20How%20to%20use%20an%20authenticator%20app%20for%20better%20two-factor.jpg\"\/><\/p>\n<p><strong>Credit to Author: Brian Barrett| Date: Sun, 22 Jul 2018 11:00:00 +0000<\/strong><\/p>\n<p>Two-factor authentication is a must, but don&#8217;t settle for the SMS version. Use a more secure authenticator app instead.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10607],"tags":[714],"class_list":["post-12871","post","type-post","status-publish","format-standard","hentry","category-security","category-wired","tag-security"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/12871","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=12871"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/12871\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=12871"}],"wp:term":[{"taxonomy":"categ
ory","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=12871"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=12871"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}