From banking to email, a lot of our professional and private lives now revolve around digital accounts on the internet. However, securing these accounts effectively isn’t as easy as setting a strong password. Even if you use unique passwords for every account, a keylogger or similar basic attack could quickly compromise them. To that end, it’s worth adding an additional layer of security to your accounts in the form of two-factor authentication.
These days, you’ll find that most websites and security experts recommend turning on two-factor authentication — and you absolutely should, especially for your most sensitive accounts. To understand why, let’s go over what the feature is, how it works, and the various methods available.
What is two-factor authentication?
Hadlee Simons / Android Authority
Two-factor authentication (2FA) adds an additional verification step to a website’s login process. The idea is to increase security by combining two separate pieces of information: something you know, like a password, and something you have, like a temporary code sent to your phone. This dual-pronged approach ensures that nobody except you can access your account — even if an attacker somehow knows your password.
Two-factor authentication ensures that nobody except you can access your online accounts.
So what does two-factor authentication look like in practice? Take logging into your Gmail account, for example. After you enter your email address and password, you will be prompted to enter a secondary code. You can choose to receive this code via a text message (as pictured above) or an app that lives on your smartphone.
Since an attacker won’t have access to this secondary code, they simply won’t be able to advance and access your account. Two-factor authentication codes typically change every few seconds, making them impossible to store, guess, or brute-force. The bottom line: the feature offers a lot more protection than a password alone. We’ll discuss how to enable two-factor authentication for your Google account in a later section.
See also: 10 best privacy apps for Android
Types of two-factor authentication: SMS, TOTP, and more
C. Scott Brown / Android Authority
Many websites and services offer more than one way to enable two-factor authentication. Here’s a quick run-down of the various methods and how they work:
SMS-based 2FA: As the title suggests, a verification code, also known as a one-time password, is sent to your registered phone number as a text message during the login process. This is the most widely used form of two-factor authentication, especially among financial services like bank apps.
TOTP-based 2FA: TOTPs, or time-based one-time passwords, involve using an app on your smartphone to generate new codes. Manually registering a new account is pretty simple — just scan the provided QR code. The advantage of this method is that it doesn’t require an internet connection. The app can generate new codes as long as you have the correct time set on the device.
Read more: 10 best TOTP apps for Android
Prompt-based 2FA: This is a relatively new method of achieving two-factor authentication, most commonly used by Google and Apple. It’s also the simplest — the service sends a security notification to your smartphone, tablet, or smartwatch. You simply have to approve the login request to proceed. It requires less manual input than previous methods since you don’t have to enter a code.
Physical hardware: Those serious about online security swear by using a physical hardware device to achieve two-factor authentication. The most well-known device in this class is the Yubikey, but alternatives like Google’s Titan Security Key exist too. They typically come in various form factors — you can get one that lives on your keychain, for example, or in the form of a tiny dongle that stays plugged into your computer permanently. Either way, the device acts as a hardware “key” to access your account once you register it.
In some cases, you can combine several of these methods for multi-factor authentication, for additional security.
Which 2FA method is the most secure?
As a security feature, it’s naturally important to pick the most secure two-factor authentication solution available to you. So which method should you choose?
SMS is notoriously bad for anything security-related because you can become a victim of SIM swap scams where an attacker impersonates you to clone your SIM card and hijack your SMS remotely. On the other end of the spectrum, while hardware-based 2FA is undoubtedly extremely secure, it requires you to pay extra and carry around additional hardware. Furthermore, not all websites support the FIDO 2FA standard.
Ultimately, TOTP provides the best mix of convenience and security. It also helps that most TOTP apps like Google Authenticator don’t need a cellular or internet connection to work. This makes them significantly less vulnerable to remote exploits. You’ll find most security experts echo this sentiment. The National Institute of Standards and Technology (NIST), for example, has cautioned users against SMS-based 2FA since at least 2016.
Time-based one-time passwords generated by an app on your smartphone offer the best mix of security and convenience.
If you’re wondering about the security of prompt-based authentication, it’s typically viewed as safer than SMS. This is because the prompts are sent directly to your smartphone over the internet. As long as you enable some form of screen lock, there’s no way for an attacker to approve login requests without your consent.
How to secure your Google account with 2FA
The first place to start using two-factor authentication might as well be your Google account. This way, new devices can’t sign in to your email, access your Play Store account, or mess with your Photos or Drive files if your Google password ever becomes compromised.
There are a few options for Google’s 2-Step Verification system. You can opt to receive a text message or call, use Google prompts, or use a security key. Here’s how to begin on your Android smartphone:
- Head to Settings > Google > Google Account.
- Find the Security tab.
- Tap 2-Step Verification and log in.
- Update your recovery phone number and/or email in case you need to recover your account.
You should now be on the 2-Step Verification page. At the bottom, you’ll see a list of all the devices currently connected to your account. Here you can enable Google Prompt if you like, or select an alternative like SMS.
From now on, you’ll receive a security notification each time you log into your Google account on a new device. If you want to swap to a different method or would like to disable 2-Step Verification, just head back into your Google Security settings and repeat the steps.