
This is the third in a series of posts on keeping yourself safe online by protecting your accounts. Please also read the first two, where I go over the basics of two-factor authentication, and the pros and cons of using SMS (text message) with it.
To quickly recap, two-factor authentication (2FA) is when you need to provide an additional code, or approve via an extra step, in order to sign into a Web site or app. This stops someone who has only your password from getting into your account, because they still won’t have your code.
SMS (text message) is the most common method for 2FA, and on many sites the only option, but it carries risk: an attacker can steal your phone number (a “SIM swap” or “port-out” attack) by talking a carrier agent into moving it to a phone they control, and then receive the codes needed to reset passwords on all your accounts. So, if you’re using SMS, it’s important that you contact your carrier and ensure that you have number transfer lock (sometimes called a port freeze or port-out PIN) enabled, so that someone who’s not you can’t trick an agent into transferring your number to their own phone.
More secure than SMS is a code that isn’t texted to you, but instead comes from an app on your phone that changes the code every 30 seconds. Generically, this code is called a “One-Time Password” (OTP); the 30-second variety is a “Time-based One-Time Password,” or TOTP. There are several authenticator apps out there, so I’m gonna go over what I suggest.
Google Authenticator is the app that made TOTP codes popular, and its name has become shorthand for the standard itself. In other words, nearly every authenticator app and Web site that says it supports “Google Authenticator” is really supporting the open TOTP standard, and so do Apple’s own password manager and 1Password. So, what should you use? My feeling is that while it’s ok to use the actual Google Authenticator app, it’s a nuisance, since you have to open the app and look up the code; and if you ever need to completely start over with your phone without having exported or backed up your codes, you might find yourself without them, leaving you locked out of your Web sites. With that said, if you are keeping track of your passwords without a password manager (that is, on paper, or in a note), we should talk about that, but in the meantime, I suggest you use the Google Authenticator app to store your one-time passwords.
But, if you use a password manager, I’m going to instead suggest that you use the one-time password capability that’s built into it. The two password managers most of our clients use are Apple Passwords (aka Safari Passwords/Keychain) and 1Password, though others, such as Dashlane, LastPass, and Keeper, have the capability as well. Storing your one-time password in your password manager has two benefits: one is that the additional code is available on all of your devices, and the other is that it can be automatically filled in for you, saving you time. The trade-off is that your password and your code now live in the same place, so the password manager itself becomes the thing to protect: use a strong master password, and turn on 2FA for the password manager account too. The exact method for adding it will vary, but basically you find the entry, click Edit, and then add a “one-time password” field or click a button for adding a one-time password code.
OK, but how do you set it up? What’s gonna happen is that the Web site or app will show you a QR code. If you’re on your phone, go ahead and scan it with your camera. But with a password manager, I always ignore the QR code, and find the link that says “Can’t scan code?” or something equivalent. Then you’ll get a string of letters and numbers (the “setup key” or “secret key”) instead of the QR code; it is the same secret the QR code contains, just written out. I copy and paste this into the One-Time Password field in the password manager. Treat that key like a password: anyone who has it can generate your codes.
Once saved, either by scanning a QR code or pasting in the setup key, you’ll see a six-digit number that automatically changes every 30 seconds. You’ll put this in on whatever site you’re logging into after entering your password (or your password manager will fill it in for you). The code is computed from the secret and the current time, so if your device’s clock is badly wrong the codes will be rejected; keep “set time automatically” turned on. Most sites also hand you a set of backup or recovery codes at this point; save those somewhere safe, because they’re what gets you back in if you ever lose the authenticator.
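To make concrete what the QR code and the “can’t scan” setup key actually carry, and how the six-digit code is derived from them, here is a small added example (my own illustration, not code from the original post or from any of the apps mentioned). It parses the otpauth:// URI that a TOTP QR code encodes, decodes the base32 setup key, generates the code the way RFC 6238 describes, and checks a submitted code while tolerating one step of clock drift on either side. The URI and account name are constructed for the example; the secret inside it is the published RFC 6238 test-vector key, so the expected codes can be checked against the RFC.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse

# Constructed example of what a TOTP QR code encodes. The account label and
# issuer are made up; the secret is the RFC 6238 test-vector key
# ("12345678901234567890" in ASCII, base32-encoded).
EXAMPLE_URI = (
    "otpauth://totp/Example:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30"
)


def decode_setup_key(key: str) -> bytes:
    """Turn the 'can't scan' setup key into raw bytes.

    Sites often display it lowercase and in groups of four with spaces or
    dashes, and usually without base32 padding, so normalize first.
    """
    cleaned = key.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def parse_otpauth_uri(uri: str) -> dict:
    """Parse an otpauth:// URI into its parameters (RFC 6238 defaults applied)."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc not in ("totp", "hotp"):
        raise ValueError("not an otpauth totp/hotp URI")
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "secret" not in query:
        raise ValueError("otpauth URI has no secret")
    return {
        "type": parts.netloc,
        "label": unquote(parts.path.lstrip("/")),
        "issuer": query.get("issuer"),
        "secret": decode_setup_key(query["secret"]),
        "digits": int(query.get("digits", 6)),
        "period": int(query.get("period", 30)),
        "algorithm": query.get("algorithm", "SHA1").lower(),
    }


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, period: int = 30,
         digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second step."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // period, digits, algorithm)


def verify_totp(secret: bytes, submitted: str, at: Optional[int] = None,
                window: int = 1, period: int = 30, digits: int = 6,
                algorithm: str = "sha1") -> bool:
    """Accept the current code or one from the adjacent steps (clock drift).

    A server normally checks +/- one step; anything larger than that means
    the device clock is off and the code should be rejected.
    """
    if at is None:
        at = int(time.time())
    counter = at // period
    for step in range(-window, window + 1):
        candidate = hotp(secret, counter + step, digits, algorithm)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


if __name__ == "__main__":
    entry = parse_otpauth_uri(EXAMPLE_URI)
    print("account:", entry["label"], "issuer:", entry["issuer"])
    # Fixed timestamps from the RFC 6238 test vectors, so the output is reproducible.
    for t in (59, 1111111109, 1111111111, 1234567890, 2000000000):
        print(t, totp(entry["secret"], at=t, period=entry["period"], digits=entry["digits"]))
    print("live code now:", totp(entry["secret"]))
```

The “Can’t scan code?” key is exactly the `secret=` parameter from this URI, which is why pasting it into a password manager works the same as scanning: both sides end up with the same bytes, and the code is just an HMAC of the current 30-second step under that key. The verify step shows why a wrong clock locks you out: a device that is a minute or more off produces codes the server will not accept.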
One word of caution is on Microsoft’s website. Their Microsoft Authenticator app can approve sign-ins with a tap on a notification, which is convenient, but that approval method is proprietary and only works in their app. If you set up your Microsoft account to use an authenticator app for 2FA, look for the option to use a different authenticator app; that route gives you a standard TOTP QR code and setup key, so you can use a password manager, or the Google Authenticator app itself.
In our next post, I’ll show you how to do all this, with pictures.
Image by andypowe11 courtesy Flickr Creative Commons.