(Illustration: René Ramos)
In a world where major security breaches happen every day and scammers lurk around every corner, what's the average internet user to do? Unfortunately, simply using strong passwords isn't enough anymore. Even complex and hard-to-guess passwords aren't a bulletproof form of security because they can be scooped up pretty easily by a variety of methods.
Instead, what you really need is a second way to verify yourself. That's why many internet services (some of which have felt the pinch of being hacked or breached) offer multi-factor authentication (MFA). We used to call it two-factor authentication (2FA), but it goes by many different names that are often used interchangeably, with "multi-step," "two-step," and "verification. "
As PCMag's Lead Security Analyst Neil J. Rubenking puts it, "There are three generally recognized factors for authentication: something you know (such as a password), something you have (such as a hardware token or cell phone), and something you are (such as your fingerprint). Two-factor means the system is using two of these options." Multi-factor means you might even use more than two.
Biometric scanners for fingerprints, retinas, or faces are on the upswing thanks to innovations such as Apple's Face ID and Windows Hello. But in most cases, the extra authentication is simply a numeric string: a few digits sent to your phone as a code that can be used only once.
You can get that code via SMS text message (which is not a great idea) or a specialized smartphone app called an "authenticator." Once linked to your accounts, the app displays a constantly rotating set of codes to use for logins whenever needed—it doesn't even require an internet connection. There are numerous apps, some from big names such as Microsoft and Google, as well as our current favorites, 2FAS and Aegis Authenticator. They all do the same thing, essentially, but a few of them offer password management and other features. Here's our rundown of The Best Authenticator Apps.
The majority of popular password managers offer MFA authentication by default. The codes provided by authenticator apps sync across your accounts, so you can scan a QR code on your phone and get a six-digit access code on your browser, if supported.
Be aware that setting up MFA can actually break access on some older services. In such cases, you must rely on app passwords—ones you generate on the main website to use with a specific app. You'll see app passwords as an option with Facebook, Twitter, Microsoft, Yahoo, Evernote, and more—all of which either are used as third-party logins or have older functions you can access from within other services. The need for app passwords is, thankfully, dwindling.
We'll also note below when a service supports passkeys, which some hope will be the first step to doing away with passwords and MFA codes entirely. For more, ready Passkeys: What They Are and Why You Need Them ASAP.
Remember this as you panic over how hard this all sounds: Being secure isn't easy. The bad guys count on you being lax. Implementing MFA will mean it takes a little longer to log in each time on a new device, but it's worth the extra work to avoid theft of your identity, data, or money.
The following is not an exhaustive list of services with MFA ability, but we cover the major services everyone tends to use and walk you through the setup. Activate MFA or a passkey on all of these services, and you'll be more secure than ever.
Amazon Two-Step Verification
(Credit: Amazon/PCMag)Amazon 2FA support is pretty important, as Amazon has its fingers in many pies, including Comixology, Audible.com, and sites that use Amazon for payments—all of which are tied to your credit card.
Open up Amazon.com on the desktop, click the Accounts & Lists drop-down menu, and go to Account. Click on Login & Security. On the next page, click Manage next to 2-Step Verification. The preferred method is an authentication app (scan the QR code); phone number(s) are the backup.
A nice option with Amazon is the ability to tell the service to skip the codes on trusted devices (or on multiple trusted web browsers on the same device). If that option doesn't work, or you've used it too many times for comfort, come back to the Two-Step Verification page and click Require OTP on all devices. OTP stands for "one-time password." That's what Amazon insists on calling the authentication code.
Amazon does support passkeys.
Apple Two-Factor Authentication
(Credit: Apple/PCMag)If you're an iOS or Mac user, your Apple Account (it used to be called the Apple ID) is a big part of your life. It's important not just for access, but also for storage via iCloud; purchases of movies, books, and apps; and subscriptions to services such as Apple Music and Apple TV+.
To activate two-factor authentication, go to the Manage Your Apple Account page and sign in. Look for Account Security > Two-Factor Authentication and click "Get Started..."
You are then furnished with steps on how to set up 2FA for Apple using either iOS or macOS. On iOS you go to Settings > [your name at the top] > Sign-in & Security > Two-Factor Authentication. On macOS, go to > System Preferences > iCloud, sign in, click Account Details > Security > Turn on Two-Factor Authentication. (Here are specifics on setting it up in iOS so you can literally use your iOS device as an authenticator app.)
You'll have to answer two of your three pre-set security questions and re-confirm your credit card on the account to get into the setup. Then you have to enter a valid phone number to get a text or phone call (even if it's the number already on the phone you're using for setup). If it is the same phone, the six-digit code will be entered automatically when it arrives, or just type it in.
After that, signing into anything with an Apple ID should generate the code on the device used for setup. Apple also supports app-specific passwords, physical security keys, and passkeys.
Note that once Apple's Two-Factor Authentication is active, you can't turn it off. You only get that option if you turned it on inadvertently and do it within the first couple of weeks.
Facebook (Meta) Two-Factor Authentication
(Credit: Meta/PCMag)Facebook is the last place you want to lose control of an account. Its version of two-factor authentication will help prevent that. On the desktop, access it by going to your avatar menu at the upper right and selecting Settings & privacy > Settings > Accounts Center > Password and Security > Two-factor authentication. This will take you to the setup for each Meta account you might have, such as Facebook Pages or Instagram accounts. Pick one to set up.
On the next screen, select how you'd like to receive your second form of authentication: the recommended authenticator app, a text message, or even a physical security key, which is something you plug into or put near your computer to get access; for more info, read The Best Security Keys for Multi-Factor Authentication.
If you select an authenticator app (the best option), Facebook produces a QR code on the desktop screen. Open your authenticator app on your smartphone, select Add, and hold your smartphone up to the computer screen to capture the code. The next time you sign into Facebook and it requests your six-digit code, open the authenticator app to retrieve it.
The above options require you to have access to your phone, of course. But when you activate MFA, you can get a list of 10 recovery codes (look under "Additional Methods") to download and use at any time, even if you don't have your phone. You can also find them in the Two-Factor Authentication Settings area. Save them somewhere safe.
Meta/Facebook doesn't yet support passkeys.
Instagram Two-Factor Authentication
Facebook-owned Instagram has offered two-factor authentication since 2016. To turn it on, go to your profile in the mobile app or the desktop, then tap the hamburger menu to get to Accounts Center > Password and Security > Two-factor authentication. From there, most of the settings are the same as with Facebook. Interestingly, if you try to set it up on a device you don't use much--as I encountered when accessing the page on the desktop, when usually I use the 'gram on my phone, it throws up a warning, telling you to set it up on your most-used device.
Google 2-Step Verification
(Credit: Google/PCMag)With access to your credit card (for shopping on Google Play or paying via Google Pay), important messages and documents, your smart home devices, and even your videos on YouTube—essentially your whole life—a Google account has to be well protected. Thankfully, the company has been offering MFA since 2010.
Visit Google Account Security to find 2-Step Verification.
The easy way to log in is the Google Prompt. Simply add your smartphone to your account, thne make sure the Google search app is on your phone. When you go to login, you'll get a popup on your phone. Acknowledge with a tap that you are the one signing in.
If that doesn't work, you'll need to enter the extra MFA code. That is sent to your phone via SMS text, via a voice call, or by using an authenticator app. Google Authenticator—or any authenticator app—can generate the verification code for you, no internet required. Register your trusted computer so you don't have to enter a code during every sign-in.
Revisit Google account security settings as needed to select optional phone numbers or emails that can receive codes, switch to using an authenticator app, generate app-specific passwords, and get backup codes to store safely elsewhere until needed.
Google supports passkeys.
Microsoft Two-Step Verification
(Credit: Microsoft/PCMag)Microsoft has tied together most of its services under one umbrella. Outlook.com, OneDrive, Xbox Live, Skype, an Office subscription, the Windows operating system itself, and much more can all use the same account. Naturally, it requires some extra protection.
Microsoft said in 2021 that it won't even require a password on accounts—as long as you use one of its MFA-style methods to log in. That means using either the Microsoft Authenticator app on iOS or Android or the Windows Hello biometric sign-in. But you can stick with using a password and getting a security key or verification code, if you prefer.
Sign in to your Microsoft account at account.microsoft.com/profile. Click Security; on the next page, click Manage How I Sign In. This will take you to the "ways to prove who you are" which include codes sent to email, text, authentication app, face/fingerprint/PIN/security key (that's a passkeys).
You don't have to use Microsoft Authenticator. It also works with other standard authenticator apps, like Google Authenticator and Authy—but to use them, you must pick "Use an app" during the setup.
To use the Passwordless account option, Microsoft Authenticator is required on your smartphone. When you sign on to a Microsoft account, the app will pop up, you click a couple of boxes to match some numbers to authenticate yourself, easy-peasy. (Some might say too easy—all anyone needs to access your Microsoft account now is to steal your phone.)
Microsoft provides a recovery code for you to write down and keep safe, a 25-digit whopper (like the kind it uses on everything from software registrations to Xbox giveaways). You may also need App Passwords to authenticate older tech like Xbox 360 or an old Windows Phone.
LinkedIn Two-Step Verification
Business social network LinkedIn is owned by Microsoft, but treated separately, so you need a LinkedIn-specific account. It makes it easy to set up a very limited MFA verification, either by SMS text or an authentication app. Go to the Me menu > Settings & Privacy > Sign in & Security > Two-step verification.
You'll immediately get a six-digit code to enter to verify you're you. You get only one phone number (no backup). You can also go here to get recovery codes that let you access the account even when you don't have access to your phone. It also has passkey support. You can have up to five.
X (Twitter) Two-Factor Authentication
(Credit: Twitter/PCMag)Elon may change this on a whim, but here you go: To activate Login Verification on X.com on the desktop, click the More menu on the left and select Settings And Support > Settings And Privacy> Security and account access > Security > Two-Factor Authentication. Choose to get codes via phone (SMS text), via an authentication app, or with a physical security key (or any combination of the three). In the mobile app, the steps are much the same, but you start by clicking on your profile pic. X will generate backup codes for when you lose a device or for when logging in at services/places/times when you can't get a regular MFA code.
X only supports passkeys for users on iOS and Android.
Yahoo Account Key or 2-Step Verification
To set up verification at Yahoo, access your Personal info (look for your name or the link to Sign In, in the upper-right corner of any Yahoo page, and select Account Info). Click Security, and you'll see many options under Account Access. Top among them is the "password with 2-Step Verification" setting. Click that to set up where codes go, including to an authenticator app, or simply to any Yahoo app on your phone (such as Yahoo Mail) via a push notification. There's also an option for Face/Fingerprint/PIN sign-in (this is a passkey) and App Password (which you may want if you access Yahoo Mail in a third-party app).
All the Sites With MFA
(Credit: The 2FA Directory/PCMag)The list above covers the biggest tech companies that have important access to your data. But if you need a comprehensive listing of just about every site or service that offers multi-factor authentication, complete with instructions, there's an option. The 2FA Directory has a list of sites that support MFA and what method they use to send codes (they call an authenticator app a "software token" on the site.) It also provides links to the documentation on each site/service for how to set up MFA.