In 2014, the Heartbleed exploit left everyone's login information potentially up for grabs thanks to one itty-bitty piece of code, and in the past few years our security nightmares have only gotten worse.
What's the average internet user to do? Well, you should definitely change your passwords—regularly! Passwords are a pretty laughable method of authentication and can be scooped up by scammers pretty easily, from sheer brute force to simple phishing.
What you really need is a second way to verify yourself. That's why many internet services, a number of which have felt the pinch of being hacked, offer two-factor authentication. It's sometimes called 2FA, or used interchangeably with the terms "two-step" and "verification" depending on the marketing. Even the White House once had a campaign asking you to #TurnOn2FA. But what is it exactly?
As PCMag's lead security analyst Neil J. Rubenking puts it, "there are three generally recognized factors for authentication: something you know (such as a password), something you have (such as a hardware token or cell phone), and something you are (such as your fingerprint). Two-factor means the system is using two of these options."
Biometric scanners for fingerprints and retinas or faces are on the upswing thanks to innovations such as Apple's Face ID and Windows Hello. But in most cases, the extra authentication is simply a numeric code; a few digits sent to your phone, which can only be used once.
You can get that code via text message or a specialized smartphone app called an "authenticator." Once linked to your accounts, the app displays a constantly rotating set of codes you can use whenever needed—and it doesn't even require an internet connection. The arguable leader in this area is Google Authenticator (free on Android and iOS). Twilio Authy, Duo Mobile, SAASPASS, and LastPass Authenticator among others all do the same thing on mobile and some desktop platforms, and the majority of popular password managers all have 2FA by default.
The codes provided by authenticator apps sync across your accounts, so you can scan a QR code on a phone and get your six-digit access code on your browser, if supported.
Be aware that setting up 2FA can actually break the access within some other services. For example, if you have 2FA set up with Microsoft, that's great—until you try to log into Xbox Live. That interface has no facility to accept the second code. In such cases you must rely on app passwords—a password you generate on the main website to use with a specific app (such as Xbox Live). You'll see it come up with Facebook, Twitter, Microsoft, Yahoo, Evernote, and Tumblr—all of which either are used as third-party logins or have functions you can access from within other services. The need for app passwords is, thankfully, dwindling with the passage of time.
Remember this as you panic over how hard this all sounds: being secure isn't easy. The bad guys count on you being lax in protecting yourself. Implementing 2FA will mean it takes a little longer to log in each time on a new device, but it's worth it in the long run to avoid some serious theft, be it of your identity, data, or money.
The following is not an exhaustive list of services with 2FA ability, but we cover the major services everyone tends to use, and walk you through the setup. Activate 2FA on all of these and you'll be more secure than ever.
Google 2-Step Verification
With access to your credit card (for shopping on Google Play), important messages and documents, and even your videos on YouTube—essentially your whole life—a Google account has to be well-protected. Thankfully, the company has been working on 2FA systems since 2010.
Google calls its system 2-Step Verification. It's all about identifying you via phone. When you enter a password to access your Google account for almost any service, if 2-Step Verification is on, there are multiple options to get that second step. First among them now: the Google Prompt. You simply add your smartphone to your account, make sure the Google search app is on the phone, and at login, you can go to the phone and simply acknowledge with a tap that you are the one signing in. Easy.
If that doesn't work, you'll need to enter an extra code. That code is sent to your phone via SMS text, a voice call, or by using an authenticator app. On your personal account, opt to register your computer so you don't have to enter a code during every sign-in. If you have a G Suite account for business, you can opt to only receive a code every 30 days.
Google Authenticator—actually, any authenticator app—can generate the verification code for you, even if your smartphone is not connected to the internet. You must sign up for 2-Step Verification before you can use it. The app will scan a QR code on the desktop screen to give you access, then generate a time-based or counter-based code for you to type in. It replaces getting the code via text, voice calls, or email.
Once you've set up Google 2-Step Verification, access it again by visiting your Google account security settings. There you can select the phone numbers that can receive codes, switch to using an authenticator app, and access 10 unused codes that can be printed to take with you for emergencies (such as if your phone dies and you can't get to the authenticator app).
This is also where you generate app-specific passwords. Let's say you want to use your Google account with a service or software that doesn't use the standard Google login (I ran into this with Trillian on iOS). You typically get shut out of such a service if you've got 2-Step Verification activated, and will need an app-specific password to get on them using your Google credentials.
People with particularly high-risk jobs should consider using Google's Advanced Protection Program.
Facebook Two-Factor Authentication
Facebook is the last place you want to lose control of an account; its version of two-factor authentication will help prevent that. On the desktop you access it by going to Settings > Security and Login.
Under Two-Factor Authentication, click Edit on the right. On the next screen, select how you'd like to receive your second form of authentication: a text message, authenticator app, or physical security key.
If you select an authenticator app (which might be the best option when it comes to Facebook), Facebook will produce a QR code on the desktop screen. Open your authenticator app on your smartphone, select add, and hold your smartphone up to the computer screen to capture the code. The next time you sign into Facebook and it requests your six-digit code, open the authenticator app and retrieve it there.
For apps that don't work with two-factor authentication when you log in with your Facebook credentials (Xbox, Spotify, Skype), Facebook offers App Passwords, a one-time password to access your Facebook account via any third-party app or service. If you log out of that app or service and need to go back in, you'll have to generate a new, unique app password. This is necessary for older devices. Get them via Settings > Security and Logins > App passwords > Generate app passwords.
The above options require you to have access to your phone, of course. But when you activate 2FA, you can get a list of 10 recovery codes you can download and use at any time, even if you don't have your phone. Get them in the 2FA settings area and save them somewhere safe.
Instagram Two-Factor Authentication
Facebook-owned Instagram has offered two-factor authentication since 2016. To turn it on, go to your profile and tap the hamburger menu on the top-right. Tap Settings > Privacy and Security > Two-Factor Authentication, where you can choose how you'd like to get your authentication code.
Option one: turn on Text Message and add your phone number (include the country code, because Instagram is everywhere). You'll get a confirmation code via SMS text message. Enter it. Option two: turn on Authentication App. The app will walk you through the steps to set it up (since you can't exactly scan a QR code from your mobile phone while using the app on your mobile phone).
The app also offers a list of five recovery codes for use in the future to turn off 2FA or get access via other devices. It even offers to take a screenshot of them to add to your camera roll; you can always re-access them in the app as well.
WhatsApp Two-Step Verification
WhatsApp introduced end-to-end encryption as well as two-step authentication to keep out snoops, be they at home or sitting right there at the NSA, CIA, and FBI (Hi, Agent Mulder!).
Setup is easy: Go into Settings > Account > Two-step Verification. Tap Enable, and WhatsApp asks you to create a six-digit PIN to register your phone number with WhatsApp. You'll also provide an email in case you ever need to do a reset—aka, turn off the verification. If you later sign out or log in with a different device, WhatsApp will text you a code, and you'll have to re-enter the PIN as well.
Twitter Login Verification
To activate Login Verification on Twitter.com on the desktop, click your profile photo on the top-right and select Settings and privacy from the drop-down menu. In the Security section, click Set up login verification, and you'll be asked to enter your Twitter password. If you don't have a phone number associated with your account, you'll be asked to add one.
If you've upgraded to the "new twitter.com," click your profile photo on the top-right and select Settings and privacy. Under Login and Security, click Security > Login verification and follow the directions.
In the mobile app, go to the Me menu (your profile pic at the upper-left), Settings and Privacy > Account > Security > Login verification. Toggle it on (or off).
You can get your secondary verification via text, authenticator app, or security key. If you go the Text Message route, you can only associate your phone number with one account.
Twitter can generate backup codes for when you lose a device, and temporary passwords to use one time when logging in at times you also can't get a regular 2FA code. Get them via Settings > Account > Security > Login verification under Additional methods; keep them somewhere safe.
Here, you can also use the Twitter app itself as an authentication app. Click Login code generator to get a six-digit number that updates every 30 seconds, which can help when signing into third-party sites with your Twitter account credentials.
A good rule of thumb: occasionally view the full list of applications that have access to your Twitter or that use your Twitter credentials and nix any you no longer use or recognize.
Apple Two-Factor Authentication
Your Apple ID is a big part of your life if you're an iOS or Mac user. It's important for not just access, but also storage via iCloud, purchases at iTunes, Apple Books, and the App Store, and membership at Apple Music.
To activate two-factor Authentication, go to the My Apple ID page and sign in. Look for Security > Two-Factor Authentication and click "Get Started..."
You are then furnished with steps on how to set up 2FA for Apple using either an iOS device or via macOS. You can't do it via a browser on another operating system anymore. On iOS you go to Settings > [your name at the top] > Password & Security > Turn on Two-Factor Authentication. On macOS go to > System Preferences > iCloud, sign in, click Account Details > Security > Turn on Two-Factor Authentication.
You'll have to answer two of your three pre-set security questions and re-confirm your credit card on the account to get into the setup. Then you have to enter a valid phone number to get a text or phone call (even if it's the number already on the phone you're using for setup). If it is the same phone, the six-digit code will be entered automatically when it arrives, or just type it in.
To get a code when needed, on an iOS device go back to iCloud settings, tap your username at top (you'll likely need to enter your full Apple ID password again) > Password & Security > Get Verification Code. This sometimes enters you into a circular-logic world where you need to get a code on the very device where the code has to be entered.
Apple also supports app-specific passwords.
Turn off Apple 2FA in iCloud settings if you desire, but then you have to go back to security questions ("Who was the best man at your wedding?" etc.) to verify your ID, and no one wants that.
Microsoft Two-Step Verification
Microsoft has done a much better job in the last few years of tying together all its services under one umbrella account. I use mine for Outlook.com, OneDrive, Xbox Live, Skype, an Office 365 subscription, and more. Naturally, it should get some extra protection.
You sign into your Microsoft account at account.microsoft.com/profile. In the top navigation, click Security; on the next page, click the more security options link. Scroll down to Two-step Verification to turn it on.
Microsoft will suggest you get an app password to set up Outlook.com to sync with email on mobile devices, as well as other services that may need app passwords, which you can go in later to generate for any given app.
You can then enter the "Set up an identity verification app" section. Microsoft recommends the use of an authenticator app because it makes its own for Windows Phone, iOS, and Android, which it will push you to install. It also works with other standard authenticator apps, like Google Authenticator and Authy—but to use them, you must pick "other" during the setup. Scan the QR code displayed.
You can skip the authenticator. If you do, Microsoft logins will still try to get you to use an app, but provide a link to other methods for getting a 7-digit verification code: text or email. Even if you choose text, it has to go to a phone you've pre-registered, and even then, Microsoft will make you re-enter the last four digits of the phone number as an extra bit of confirmation.
As you continue the setup, Microsoft provides a recovery code for you to write down and keep safe, a 25-digit whopper (like the kind it uses on everything from software registrations to Xbox giveaways). Microsoft also supports Trusted Devices, which is hardware that doesn't require you to enter any codes—you'll see a checkbox to mark a device (like a Windows 10 PC) as trusted when you log into it. Go back to security settings to revoke trusted devices all at once if you lose one. Microsoft automatically removes any trusted device you haven't logged into in two months; just trust it again on the next login.
Amazon Two-Step Verification
Amazon added 2FA support late in 2015 and it's pretty important to turn on, as Amazon has its fingers in many pies like Comixology, Audible.com, and sites that use Amazon for payments—all tied to your credit card.
Open up Amazon.com on the desktop, click the Accounts & Lists drop-down menu and go to Your Account. Click on Login & Security. On the next page, click Edit next to Advanced Security Settings. Two-Step Verification is here, and offers two options. The preferred method is an authentication app (scan the QR code); phone number(s) entry is the backup method.
A nice option with Amazon is the ability to tell the service to skip the codes on select devices—say a PC to which you and you alone have access. If that option doesn't work later, come back to the Advanced Security page and click "Require codes on all devices."
Yahoo Account Key or 2-Step Verification
To set up verification at Yahoo, access your Personal info (look for your name, or the link to Sign In, in the upper-right of any Yahoo page, and select Account Info). Click Account Security and you'll see the Two-step verification toggle, making it incredibly easy to turn on and off with the flip of a virtual switch. It will immediately confirm the phone number on your account, or ask for a new one and send a 5-digit verification code. It also warns you that certain apps won't work with second sign-in verification, including Outlook and the mail apps on iOS and Android—those will require App Passwords.
There is no option to use a third-party authenticator app. However, the Yahoo Account Key is the next best thing. If you have the Yahoo app on your phone, Yahoo Account Key can send a notification to it. You get the notification, push a button to confirm it's you, and that's it—no codes to enter. It's very similar to Google Prompt. You can try a sample prompt to see how it works. If you activate it, Yahoo deactivates two-step verifications.
After you set up two-step verification, the Sign-in and Security list gets another option: "Generate app password." When you're ready to access Yahoo services on devices like iPhone, Android phones, or via Outlook, you'll go here to create the new unique password that will hook you up.
Snapchat Two-Factor Authentication
Snapchat is a mobile-only service, so the only way to set up 2FA is via the mobile app. Open it up and tap your avatar at the top-left. Tap the gear icon on the upper-right to access Settings and tap Two-Factor Authentication.
Snapchat warns you that if you lose access to your way to generate a login code (aka, your phone), you could get locked out of your Snapchat account. If you're okay with that, proceed with setup, and select whether you want to receive a code via text or an authenticator app (you can have both the authentication app and SMS text verification active simultaneously).
If you choose authenticator, you get three options—the first is to Set Up Automatically, which worked like a charm to set up in Authy (my preferred app). It instantly gave me a six-digit code to go back to the Snapchat app and enter. If you Set Up Manually, you get a QR code—but you can't exactly scan it on the same screen. Instead, it provides a 32-digit code for you to copy—by hand. Ugh. That's the kind of thing that prevents people from setting up better security. But thankfully the automatic setup worked just fine.
Once you're set up, Snapchat will generate a Recovery Code you can use if you can't get a text or code from the authenticator app. Take a screenshot and store it somewhere safe.
Reddit Two-Factor Authentication
Pinterest Two-Factor Authentication
Slack 2-Factor Authentication
Got an office Slack? Whether you can secure it with two-factor or not depends on your workspace's account settings. If you sign into Slack using your G Suite account, you'd handle two-factor through Google.
Otherwise, go to my.slack.com/account/settings and expand Two-Factor Authentication to find the setup button. After you enter your password, you get two choices: receive the code via SMS text messages, or use an app like Google Authenticator or Authy using a QR code. Even if you pick the app, you get the option to enter a backup mobile phone number. At the end you'll have to hit Verify Code to ensure you're all set. After, you'll need to re-sign into Slack everywhere, with codes at hand to get full access. If you're accessing multiple Slack workspaces, you need to set up 2FA on each workspace individually—so some may use it, some may not.
Owners/admins, go into Team Settings > Authentication to require team-wide 2FA if desired. (If you don't see the options, you've probably already got mandatory 2FA turned on.)
Backup codes are handed out the minute you sign up for 2FA, but if you don't write them down you can re-access them on the Account page.
Dropbox Two-Step Verification
Dropbox on the desktop website has a tab called Security. It's where you go to check how many current sessions are logged in and devices are using the account, to change the password, and, of course, turn on two-step verification. Toggle it to on, enter a password, and you'll be asked if you want to get security codes via SMS text message or via a mobile authenticator app.
If you choose text, enter a phone number and receive a code immediately; you also get to enter a backup number, plus receive a 16-digit number you should save somewhere safe; it will allow you to deactivate two-step verification if needed. If you choose the authenticator app, you'll see a QR code on-screen to scan. Other options include the use of a USB or NFC security key, if you've got one. Dropbox provides excellent instructions.
Evernote Two-Step Verification
Following a hack that forced the reset of over 50 million user passwords in 2013, Evernote rolled out two-factor authentication.
To set it up, sign in with a desktop browser, click your account icon on the bottom-left, and select Settings. Click the Security Summary link, and then "enable" under two-step verification.
Evernote supports authenticator apps—but it only supports text messages if you have a paid Evernote premium account. That's right, you pay to get the less secure option! You'll need to verify the email and the phone numbers (you can have two) on the account. It also provides four backup codes for you to write down and save—in fact, you need to enter one to finish the setup. Don't store these codes in Evernote—you'll need them when you can't get access.
Finally, Evernote will point out all the third-party apps you use with its service that may now require a verification code, which includes mobile apps, browser extensions, and even IFTTT if you use it. But thankfully they won't need app passwords. To manage or generate backup codes or even app passwords, go into the Security Summary and click Managed Settings.
When you sign up, you have to verify your account via a phone number; you can't use Venmo without it. You can also verify an email. Once a device is verified, Venmo remembers it and you shouldn't need to verify again. But you can always remove saved devices ( > Settings > Security > Remembered Devices)—handy if you log in with a public PC or give up an old phone with access.
PayPal 2-Step Verification
IFTTT Two-Step Verification
IFTTT is the amazingly powerful and useful service that links together other web-based services. To turn on 2FA, go to the desktop and enter your IFTTT Preferences. There's a big blue button that says Enable Two-Step Verification to make it easy on you.
Your options: use an authenticator app like Authy, or get codes via text message. The former gives you a QR code to scan. The latter starts sending SMS messages to your mobile phone. Like the rest, you get a backup code option—copy it down someplace safe in case you get locked out of IFTTT.
LastPass Multifactor Authentication
LastPass is one of PCMag's picks for Best Password Managers. But could a password manager be even more secure? Of course it could, if you haven't yet turned on 2FA.
As befits a heavy-duty security option, LastPass touts its support for a slew of authentication apps, including Google Authenticator, Authy, and Duo, as well as its own LastPass Authenticator. It also works with third-party hardware like smart cards or USB drives. LastPass has separate instructions available for all of them; some only work with the premium version of LastPass. Codes via SMS text are not an option.
In keeping with other services that use authenticator apps, here's what you do: Log in to LastPass on a desktop browser, and click Account Settings on the bottom left. In the pop-up menu, click the Multifactor Options tab. Scroll to the Google Authenticator option (even if you're using another authenticator app). You'll get the usual QR code to scan into the app with your smartphone.
Dashlane Two-Factor Authentication
Another favorite password manager is Dashlane, and it also supports 2FA. You have to turn it on via the desktop using the software for Windows or macOS, and you'll need an authenticator app on your smartphone to scan the QR code.
In the desktop program, go to Tools > Preferences (or Dashlane > Preferences on Mac), open the Security tab, and click Two-Factor Authentication to toggle it on. You get the option to only use codes when adding a new device or every time you log in. (You can't go back and forth between these options later without turning 2FA off and then back on; choose wisely.) You then get the standard QR code to scan, or a key to enter in the app; when you do, enter the new code generated by the authenticator app back into Dashlane. Put in the fallback phone number as backup, and print out the backup codes in case you need them.
Nest's 2FA doesn't work with authenticator apps; it only sends text codes for logging in. Log in to the Nest mobile app on your smartphone or tablet. Tap the hamburger menu and select Account > Manage Account > Account Security, where you'll find a 2-step verification option. Re-enter the password, give them your mobile phone number, and tap "send code." Enter the six-digit code you get via SMS text and you're set. You can turn off 2FA any time by going back to this menu, but don't do that.
TeamViewer is a great way to take remote control of another person's computer (it's our Editors' Choice)—and that's a good reason to make sure it's secure. Log in to your TeamViewer account on the web at login.teamviewer.com. You'll see a list of the other computers with which you can usually connect. Your name should appear at the upper-right as the header for a drop-down menu. From that menu, select Edit Profile.
The pop-up that appears will show two-factor authentication as the third choice on the General tab. Click Start Activation. TeamViewer only allows 2FA through authenticator apps—no texting or other codes sent to your phone. In fact, you'll have to use the app to get a code from the app immediately to verify your 2FA; TeamViewer throws up a 16-digit backup code for you to copy and save right after.
You might not expect Tumblr to need much security, but hey, you don't want someone else posting animated GIFs on your account! Or, you know, looking at porn. Plus, Tumblr had a serious breach back in 2013, so better safe than sorry.
Simply sign on and visit your Settings/Account page. Find the toggle for two-factor authentication. Activate it and you're immediately asked to verify your phone number, which you should have already set up to make audio posts. If not, do it. Request a verification code and enter it fast, as it expires after two minutes. You can also use an authenticator app, but can't activate it until after you set up the phone number for texting. Once that's all set, you have the option to generate 16-character mobile app passwords, if needed.
WordPress.com—where you host a blog—offers up 2FA support by way of SMS text messages, and use of an authenticator app. Log in on the desktop and click your gravatar icon in the upper-right, then click Security > Two-Step Authentication.
On the next page, pick a country, enter a phone number for an SMS-capable phone, then pick either Verify via SMS or Verify via App. The latter brings up the QR code for your authenticator app to scan.
Next, you'll get a 7-digit code to enter and confirm it all. When WordPress asks you to print out or keep your backup codes, don't skip it. You may need them in the future if you forget a password or lose the phone with the authenticator app. WordPress also supports app passwords as needed. Click Connected Applications in the security settings to see which apps are connected to your WordPress account, and delete those you don't need or recognize.
GoDaddy 2-Step Authentication
GoDaddy is a leader among web hosts and domain name registries. If you have a very important domain or two in your possession, make sure you double up on security so they don't get stolen.
Log into the GoDaddy Account Manager and click Login & PIN. Look for Two-Step Authentication and click Set Up. You can use an SMS-enabled phone, to which GoDaddy will send a code for you to validate your 2FA setup. Add a second phone number as a backup, if you like. Or set up an authenticator app with a quick QR code scan.
You can go to the same spot to disable 2FA (not that you ever would) or to change your phone information. GoDaddy doesn't supply any backup codes or app passwords. If you click on the edit button in the 2-Step Verification box, there's one other nice option: ask for verification for every login or "high-risk transactions only."
Square 2-Step Verification
This implementation of 2FA by Square is strictly for the online Square Dashboard. Thankfully you don't need this kind of thing for the credit card transactions, which are encrypted end-to-end, with no data stored locally on your mobile device/terminal.
Navigate to Square Account & Settings and click "Set Up 2-Step Verification." Add your mobile number for receiving SMS text messages—the only option—then enter the code when you receive one. Click Verify and you're done.
Once a master account has 2FA activated, all employees will need to set up 2-Step Verification; once they log into the shared dashboard, they'll get emailed instructions on how to proceed. New employees will be asked to set it up when they first access the dash. Click the "Remember this Device for 30 days" option so you don't have to enter the 2FA code Every. Single. Time.
Dreamhost Multifactor Authentication
Dreamhost is one of PCMag's top-rated Web Hosting Services. Thankfully, it's embraced some extra security for its users, beyond the username and password, settling on a 2FA scheme that requires an authenticator app (it recommends Google Authenticator since it's ubiquitous across all smartphones and third-party services).
Once signed in, navigate via the control panel to Billing & Account > Security, and go to the second section entitled Multifactor Authentication. Re-enter your password and in the menu, select either "Google Authenticator, Time-Based (recommended)" or "Google Authenticator, counter-based." The former is the way to go; the latter requires manual refreshes. You'll get a QR code to scan plus a 16-digit secret key—but you know the drill, just scan the code with your smartphone camera while in the authenticator app of your choice. Enter the 6-digit passcode that comes up on the phone in the field on Dreamhost and activate. Don't forget to save your backup codes for offline use when you need to access Dreamhost sans phone.
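What the authenticator app does with that QR code, and why the time-based codes described here and in the Google section work with no internet connection, shown as an added example (not code from PCMag, Dreamhost, or any of the services above). It implements the public HOTP (RFC 4226) and TOTP (RFC 6238) algorithms; the account name and host in the sample QR payload are constructed, and the secret is the RFC's published test key, not a real one.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample of the text a 2FA setup QR code encodes (Key URI format).
# The secret is the base32 form of the RFC 4226 test key "12345678901234567890".
SAMPLE_URI = (
    "otpauth://totp/ExampleHost:alice@example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleHost&digits=6&period=30"
)


def decode_secret(b32: str) -> bytes:
    """Decode the base32 'secret key' shown next to the QR code."""
    cleaned = b32.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # sites usually omit the padding
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Counter-based code (RFC 4226): HMAC-SHA1 over an 8-byte counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float = None, period: int = 30, digits: int = 6) -> str:
    """Time-based code (RFC 6238): HOTP where the counter is the clock.

    Phone and server share only the secret and the time, so no network is needed.
    """
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // period, digits)


def parse_otpauth(uri: str) -> dict:
    """Extract the enrollment parameters from the QR code's otpauth:// URI."""
    parsed = urlparse(uri)
    kind = parsed.netloc.lower()
    if parsed.scheme != "otpauth" or kind not in ("totp", "hotp"):
        raise ValueError("not an otpauth totp/hotp URI")
    params = parse_qs(parsed.query)
    if "secret" not in params:
        raise ValueError("otpauth URI has no secret")
    return {
        "type": kind,
        "label": unquote(parsed.path.lstrip("/")),
        "issuer": params.get("issuer", [""])[0],
        "secret": decode_secret(params["secret"][0]),
        "digits": int(params.get("digits", ["6"])[0]),
        "period": int(params.get("period", ["30"])[0]),
    }


def verify_totp(secret: bytes, submitted: str, at: float = None,
                period: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check: accept the current step plus/minus `window` steps
    to tolerate clock drift, comparing in constant time."""
    if at is None:
        at = time.time()
    step = int(at) // period
    ok = False
    for drift in range(-window, window + 1):
        if step + drift < 0:
            continue
        expected = hotp(secret, step + drift, digits)
        # No early return: every candidate step is compared.
        ok |= hmac.compare_digest(expected, submitted)
    return ok


if __name__ == "__main__":
    cfg = parse_otpauth(SAMPLE_URI)
    code = totp(cfg["secret"], period=cfg["period"], digits=cfg["digits"])
    print(f"{cfg['issuer']} ({cfg['label']}): {code}")
    print("accepted by server check:", verify_totp(cfg["secret"], code))
```

Anyone who obtains the secret from the QR code or the manual key can generate the same codes, which is why the setup screen should not be screenshotted or shared, and why backup codes are issued separately.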
Kickstarter Two-Factor Authentication
Kickstarter is the top place to crowdfund projects, but if your credentials get stolen you don't want crooks going hog-wild pledging your support for a lot of the crap you don't like.
On Kickstarter.com, click your avatar on the top-right. Under the Settings tab, click "Set up two-factor authentication." Kickstarter supports SMS texts and authenticator apps, as well as getting codes via voice calls. Even if you use the authenticator app (scanning a QR code), you still have to enter a phone number as a fallback recovery method of getting codes.
Kickstarter doesn't offer app passwords or backup codes, but that generally indicates they're not really needed.
Sony PlayStation 2-Step Verification
For PlayStation, activate 2FA by visiting the Sony 2-Step Verification page and clicking the "Activate now" button. Sign in again with your Sony PS credentials, click Edit (it's next to the Status field), enter your phone number, then enter the code Sony texts to that same number. You should sign out then, and on all your active PlayStation sessions so you can log back in everywhere with full 2FA security.
You can also do it from the PlayStation 4 itself. Go to Accounts > Security > 2-Step Verification. Click Set Up Now, verify your number, and you'll get a text with the code. MonkeyFlop provides an entire video on the setup above.
Sony doesn't support any authentication app. However, it does provide backup codes for you to save for later. And, Sony absolutely requires app passwords—you'll need them to sign in on devices like the PlayStation 4.
Intuit Turbo and TurboTax
You can help yourself by turning on 2FA if you use e-filing software/services. Intuit TurboTax is a PCMag Editors' Choice for tax preparation software. Once you've signed in on the desktop browser—which in my case required a code texted to me even before I turned on 2FA—click My Account at the top and enter Account Settings. Click security and the link to turn it on next to Two-Step verification. If you've already entered a phone number, it should appear here so you can verify by text or voice call.
Once that's on, the option to Turn on Authenticator App appears below it. Click the button and, for some reason, it asks what kind of smartphone you use; iPhone, Android, or BlackBerry are the choices. It doesn't matter, as the QR code comes up next, plus a manual entry code if needed. Once you enter it in the app, put the 6-digit verification code back into TurboTax and you're set. The phone number remains in the system for fallback.
Much like how Facebook and Twitter require their own apps for people to authenticate their accounts, Steam authentication codes for its 2FA—dubbed Steam Guard—come in via the Steam mobile apps for iOS and Android. (You have the option to get codes by email, but that's as secure as leaving your front windows open year round.)
The account settings on the desktop make it look like you can sign up for Steam Guard, but it will send you to the mobile app to do the setup. From the hamburger menu, log into your account settings and select Steam Guard > Settings. Here you can turn it off, get codes by email, or get "codes on my phone."
Steam makes you put in your phone number, to which it will send a code to set up the authentication and a recovery code you should write down. After that, the only way to log into Steam anew is to have that app with you to get the authentication code; it'll appear right at the top of the screen when you go into the Steam Guard section in the future.
Etsy Two-Factor Authentication
MailChimp Two-Factor Authentication
Fortnite Two-Factor Authentication
The free battle-royale game's parent company supports 2FA and will actually give you a freebie for setting it up: the Boogiedown Emote, plus the following items in Save the World: 50 armory slots, 10 backup slots, and 1 Legendary Troll Stash Llama.
You can set up an authenticator app or get codes via email (not via text message). Sign into your Epic Games account > Password & Security > Two-Factor Authentication. Click either Enable Authenticator App or Enable Email Authentication. After that, use the codes and expect to re-enter them every 30 days. This is more about keeping your online account safe than worrying about security during gameplay, but it comes with freebies, so go for it.