Two Factor Authentication adds a layer of security to your accounts by also asking for a code that an authenticator app installed on your phone generates every 30 seconds. So even if an attacker has your password, they would also need access to your phone within that 30-second window.
Several authenticator apps are available on the market (Google, Microsoft, LastPass, …). They all implement the same standard, so a single app covers all your 2FA needs. I use the LastPass Authenticator because I am a LastPass user and it was the first app I used.
Many websites now support 2FA, and I encourage you to enable it for yourself and your family for added peace of mind. You can use 2FA with:
- LastPass (highly recommended)
- Microsoft
- Amazon
- PayPal
- Dropbox
- and many others
Note: Apple doesn’t use an authenticator app; it uses instead an Apple-specific system based on trusted devices and your phone number.
Activate 2FA through an authenticator app wherever possible; where that is not offered, enable at least two-step verification through SMS or email.
Example of 2FA setup on a website (http://whirlpool.net.au)
That’s it! Your account is now secured with 2FA.
What to do if you lose access to your phone?
This is obviously a problem, as you would no longer be able to access the accounts secured with 2FA. Luckily, if you have activated the backup function in the LastPass Authenticator, you will be able to restore your accounts on a new device as described below. Otherwise, websites should also provide fixed recovery codes when you enable 2FA. These codes can be used if the app is not available. They should be stored safely, preferably in the LastPass vault.
Why not use only SMS or email two step verification instead of an authenticator?
Email is not as secure and could already have been compromised. The objective of 2FA is to use a code that is physically in your hand when required.
SMS is more secure but is vulnerable to SIM swapping, where an attacker takes over your phone number and so receives the codes sent by SMS.
Please note: an authenticator app is not foolproof, as many websites offer the option to fall back to SMS or email if the app is not available. Where possible, this fallback option should be disabled and recovery codes used instead.