Move beyond passwords alone and keep important accounts safe
Passwords aren’t enough to secure your online accounts. They never were. But the protection they offer continues to diminish. You might think your accounts are safe because you use bewilderingly complicated passwords and a password manager. Even then, your accounts may be at risk.
Data breaches occur alarmingly often these days, frequently impacting massive organizations that hold millions of passwords. Chances are, details for some of your accounts are already in the wild. (If you want to check, the Have I Been Pwned website lets you see how your email addresses and phone numbers have fared to date.)
The danger in doing nothing is that one day, an important account might be accessed by a third party. If you’re fortunate, you’ll be notified of a dodgy login and secure your account before damage is done. But a hijacked account can quickly turn into a personal loss, leading to your identity being hijacked and/or to payments being authorized that you’ll then have to battle to get refunded.
Why 2FA matters
To avoid such problems, make use of multi-factor authentication – sometimes called two-factor authentication, or 2FA – wherever it’s available. This only allows a user access to an account when they provide two (or more) separate pieces of information (factors).
You’ll have used this system before in your life, but might not have realized. Withdrawing money from an ATM is a 2FA experience, requiring a combination of a physical object (your bank card) and knowledge (your PIN). One or the other just won’t cut it. Similar combinations of the physical and virtual sometimes exist in computing, with passwords and USB fobs being used together to allow account access.
Hardware-based solutions aren’t viable and scalable, though, and so tend to be limited to enabling access to corporate business machines or online banking services. Instead, it’s most common for 2FA to pair a password and an authentication token provided by other means.
App to it
SMS was once the main way to send tokens to users. This technique survives, but is in decline, due to security concerns. SMS messages contain one-time codes, and the messages themselves can potentially be intercepted through SIM card hijacking – an increasingly common occurrence.
Authentication apps provide a superior alternative. They create authentication tokens that constantly change. They’re dynamically generated rather than sent to the user, so there’s nothing to intercept. And although they cause minor added friction when accessing an account, the extra security layer makes that worthwhile.
Downsides remain: you can end up locked out of accounts if not armed with the right device. And your security can be vulnerable to theft – if someone can get into your device and it has an authenticator, they could have free rein. But if you’re into securing your kit, we’d hope you’d already have protected against such eventualities by using biometric authentication (Face ID or Touch ID) and being aware of remote wipe.
Get started with 2FA
Assuming you’re convinced, where should you start? As of iOS 15 (and iPadOS 15), Apple incorporates 2FA into Settings. In the Passwords section, access an account you know supports 2FA and tap Set Up Verification Code. Here, you’ll scan in a QR code or type in an alphanumeric code found in the relevant section of your account settings on the service’s website. Tokens will then automatically generate and cycle within Apple’s Settings app, and should autofill when you need to use them online.
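To show why nothing needs to be sent to your phone, here is an added example (not code from this article or from any of the apps it mentions) of how a changing token can be derived from the alphanumeric setup code and the clock, and how a service checks it. It assumes the widely used TOTP scheme (RFC 6238) with its common defaults of SHA-1, 30-second steps and six digits; the names `totp`, `verify` and `SAMPLE_SECRET` are illustrative.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample secret: the RFC 6238 test key "12345678901234567890",
# Base32-encoded the way a service shows it beside the QR code.
SAMPLE_SECRET = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"


def decode_secret(text):
    """Turn the typed-in setup code into raw key bytes."""
    cleaned = text.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore stripped Base32 padding
    return base64.b32decode(cleaned)


def totp(secret, unix_time, step=30, digits=6):
    """Token for the time step containing unix_time (assumed defaults)."""
    counter = int(unix_time) // step
    mac = hmac.new(decode_secret(secret), struct.pack(">Q", counter),
                   hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret, submitted, unix_time, step=30, drift_steps=1):
    """Service-side check, tolerating a small clock drift on the phone."""
    ok = False
    for n in range(-drift_steps, drift_steps + 1):
        expected = totp(secret, unix_time + n * step, step, len(submitted))
        # Constant-time comparison; every candidate step is always checked.
        ok |= hmac.compare_digest(expected, submitted)
    return ok


if __name__ == "__main__":
    now = time.time()
    code = totp(SAMPLE_SECRET, now)
    print("current token:", code, "accepted:", verify(SAMPLE_SECRET, code, now))
```

Both sides compute the token independently from the shared secret, which is why that secret (the QR code or setup string) deserves the same care as a password.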
There are alternatives to Apple’s solution, though, which might better suit your needs. Google Authenticator (free) is basic, usable and robust if you prefer a standalone authenticator. Twilio Authy (free) ups the ante with secure iCloud backups that keep tokens safe, optional multi-device sync and offline support.
Authenticator App ($9.99/£8.99 per year) is more of a pro option. It has the best interface of any iPhone authenticator app we’ve seen, useful sorting and editing functionality, backup and sync, and even Home Screen widgets. But it does require a subscription. Still, all this shows you have choices when it comes to how to use 2FA. Just make sure you do – it’s too risky not to.