Two-Factor Authentication: Who Has It and How to Set It Up

Don't let scammers get their hands on your sensitive information. Here's how to secure your online accounts—from Amazon and Google to Twitter and WhatsApp—with two-factor authentication (2FA).

The 2014 Heartbleed bug exposed millions of internet logins to scammers thanks to one itty-bitty piece of code, and our security nightmares have only gotten worse in the years since.

What's the average internet user to do? Well, you should definitely change your passwords regularly. They’re a pretty laughable method of authentication and can be scooped up pretty easily by a variety of methods.

What you really need is a second way to verify yourself. That's why many internet services, a number of which have felt the pinch of being hacked or breached, offer two-factor authentication. It's sometimes called 2FA, or used interchangeably with the terms "two-step" and "verification" depending on the marketing.

As PCMag's lead security analyst Neil J. Rubenking puts it, "there are three generally recognized factors for authentication: something you know (such as a password), something you have (such as a hardware token or cell phone), and something you are (such as your fingerprint). Two-factor means the system is using two of these options."

Biometric scanners for fingerprints and retinas or faces are on the upswing thanks to innovations such as Apple's Face ID and Windows Hello. But in most cases, the extra authentication is simply a numeric code; a few digits sent to your phone, which can only be used once.

You can get that code via text message or a specialized smartphone app called an "authenticator." Once linked to your accounts, the app displays a constantly rotating set of codes to use whenever needed—it doesn't even require an internet connection. There are several, including some from big names like Microsoft and Google, with apps for both major mobile platforms. Those two are pretty basic. Others, such as Twilio Authy, Duo Mobile, and LastPass Authenticator, all do essentially the same thing, some with password management and other features. Conversely, the majority of popular password managers (like LastPass) offer 2FA by default. For more details, read The Best Authenticator Apps for 2021.

The codes provided by authenticator apps sync across your accounts, so you can scan a QR code on a phone and get your six-digit access code on your browser, if supported.

Be aware that setting up 2FA can actually break access within some older services. In such cases, you must rely on app passwords—a password you generate on the main website to use with a specific app (such as Xbox Live). You'll see app passwords as an option with Facebook, Twitter, Microsoft, Yahoo, Evernote, and others—all of which either are used as third-party logins or have functions you can access from within other services. The need for app passwords is, thankfully, dwindling with the passage of time.

Remember this as you panic over how hard this all sounds: being secure isn't easy. The bad guys count on you being lax in protecting yourself. Implementing 2FA will mean it takes a little longer to log in each time on a new device, but it's worth it in the long run to avoid serious theft, be it of your identity, data, or money.

The following is not an exhaustive list of services with 2FA ability, but we cover the major services everyone tends to use, and walk you through the setup. Activate 2FA on all of these and you'll be more secure than ever.

Slack 2-Factor Authentication

Got an office Slack? Whether you can secure it with two-factor or not depends on your workspace's account settings. If you sign into Slack using your G Suite account, you'd handle two-factor through Google.

Otherwise, go to my.slack.com/account/settings and expand Two-Factor Authentication to find the Set Up Two-Factor Authentication button. After you enter your password, you get two choices: receive the code via SMS text messages, or use an app like Google Authenticator or Authy using a QR code. Even if you pick the app, you get the option to enter a backup mobile phone number.

At the end you'll have to hit Verify Code to ensure you're all set. Afterwards, you'll need to re-sign into Slack everywhere, with codes at hand to get full access. If you're accessing multiple Slack workspaces, you need to set up 2FA on each workspace individually—some may use it, some may not.

Owners/admins, go into Team Settings > Authentication to require team-wide 2FA if desired. (If you don't see the options, you've probably already got mandatory 2FA turned on.)

Backup codes are handed out the minute you sign up for 2FA, but if you don't write them down you can re-access them on the Account page.


Google 2-Step Verification

With access to your credit card (for shopping on Google Play), important messages and documents, your smart home devices, and even your videos on YouTube—essentially your whole life—a Google account has to be well-protected. Thankfully, the company has been working on 2FA systems since 2010.

Google calls its system 2-Step Verification. It's all about identifying you via phone. When you enter a password to access your Google account for almost any service, if 2-Step Verification is on, there are multiple options to get that second step. First among them now: the Google Prompt. You simply add your smartphone to your account, make sure the Google search app is on the phone, and at login, you can go to the phone and simply acknowledge with a tap that you are the one signing in. Easy.

If that doesn't work, you'll need to enter an extra code. That code is sent to your phone via SMS text, a voice call, or by using an authenticator app. On your personal account, opt to register your computer so you don't have to enter a code during every sign-in. If you have a G Suite account for business, opt to only receive a code every 30 days.

Google Authenticator—or any authenticator app—can generate the verification code for you, even if your smartphone is not connected to the internet. You must sign up for 2-Step Verification before you can use it. The app will scan a QR code on the desktop screen to give you access, then generate a time-based or counter-based code for you to type in. It replaces getting the code via text, voice calls, or email.

Once you've set up Google 2-Step Verification, access it again by visiting your Google account security settings. There you can select the phone numbers that can receive codes, switch to using an authenticator app, and access 10 unused codes that can be printed to take with you for emergencies (such as if your phone dies and you can't get to the authenticator app.) This is also where you generate app-specific passwords.

People with particularly high-risk jobs should consider using Google's Advanced Protection Program.

Yahoo Account Key or 2-Step Verification

To set up verification at Yahoo, access your Personal info (look for your name, or the link to Sign In, in the upper-right corner of any Yahoo page, and select Manage Accounts > Account Info). Click Account Security and you'll see the Two-step verification toggle. It will immediately confirm the phone number on your account, or ask for a new one and send a 5-digit verification code. It also warns you that certain apps won't work with second sign-in verification—those will require app passwords.

There is no option to use a third-party authenticator app. However, the Yahoo Account Key is the next best thing. It's very similar to Google Prompt. If you have any Yahoo app on your phone, Yahoo Account Key can send a notification to it directly. You get the notification, push a button to confirm it's you, and that's it—no codes or passwords to enter. (If you don't have a Yahoo app on your mobile device, Yahoo can text or email you an 8-letter code.) When/if you activate Yahoo Account Key, Yahoo deactivates two-step verification, and vice versa, as Account Key must be turned off to allow two-step verification.

After you set up either of the above, the Account Security list displays another option: Generate app password. When you're ready to access Yahoo services on devices without direct support, you'll go here to create the new unique password that will allow access.

Amazon Two-Step Verification

Amazon added 2FA support late in 2015 and it's pretty important to turn on, as Amazon has its fingers in many pies, like Comixology, Audible.com, and sites that use Amazon for payments—all tied to your credit card.

Open up Amazon.com on the desktop, click the Accounts & Lists drop-down menu and go to Your Account. Click on Login & Security. On the next page, click Edit next to Two-Step Verification (2SV) Settings. The preferred method is an authentication app (scan the QR code); phone number(s) are the backup method.

A nice option with Amazon is the ability to tell the service to skip the codes on select devices (or on multiple browsers on the same device)—say a PC to which you and you alone have access. If that option doesn't work later, come back to the Advanced Security page and click Require codes on all devices.

Intuit TurboTax, Turbo, and Mint.com

Worried about SIRF? That's Stolen Identity Refund Fraud, something the IRS fights so your tax refunds go to you, not scammers and crooks.

Help yourself by turning on 2FA if you use e-filing software/services. Intuit TurboTax is a PCMag Editors' Choice for tax preparation software. Once you've signed in via the desktop browser, click Intuit Account > Sign in & Security and click the link next to Two-Step verification. If you've already entered a phone number, it should appear here so you can verify by text or voice call. Click Turn On.

Once that's on, the option to Turn on Authenticator App appears. Get to the QR code to scan, or use a manual entry code if needed. Once you enter it in the authenticator app, put the 6-digit verification code back into TurboTax and you're set. The phone number remains in the system for fallback.

This login also works for Intuit Turbo, the company's one-stop financial snapshot service, and for personal finance tracker Mint.

Reddit Two-Factor Authentication

On a desktop, log in and go to User Settings. Find the tab Safety & Privacy; select enable under Use two-factor authentication. Follow the steps to set up a third-party authentication app—such apps are the only way to get a Reddit 6-digit verification code.

Reddit will also supply some backup codes to save for the few times your smartphone isn't available. Make sure you register an email with Reddit; it's the only way to reset your account if necessary.

Square 2-Step Verification

This implementation of 2FA by Square is strictly for the online Square Dashboard. Thankfully you don't need this kind of thing for the credit card transactions, which are encrypted end-to-end, with no data stored locally on your mobile device/terminal.

Navigate to Account & Settings and click Activate Up 2-Step Verification. Add your mobile number for receiving SMS text messages or set up an authenticator app. Click Verify and you're done.

Once a master account has 2FA activated, you can set it to force all team members to also use 2-Step Verification, or you can allow them to skip the process. If it's required, they'll get emailed instructions on how to proceed. New employees will be asked to set it up when they first access the dash.

Click the Remember this Device for 30 days option so you don't have to enter the 2FA code every time you have to sign in.

WhatsApp Two-Step Verification

WhatsApp introduced end-to-end encryption as well as two-step authentication to keep out snoops, be they at home or sitting right there at the NSA, CIA, and FBI (Hi, Agent Mulder!).

Setup is easy: Go into Settings > Account > Two-step Verification. Tap Enable, and WhatsApp asks you to create a six-digit PIN to register your phone number with WhatsApp. You'll also provide an email in case you ever need to do a reset—aka, turn off the verification. If you later sign out or log in with a different device, WhatsApp will text you a code, and you'll have to re-enter the PIN as well. You can go into the app to change the PIN or your email any time.

Dashlane Two-Factor Authentication

A password manager favorite, Dashlane also supports 2FA. You have to turn it on via the desktop using the software for Windows or macOS, and you'll need a separate authenticator app on your smartphone to scan the QR code.

In the desktop program, click Tools > Preferences > Security tab. Then open the Two-Factor Authentication tab. Click Two-Factor Authentication to toggle it on. You get a prompt to download Google Auth, Duo Mobile, or Authy. You then get the standard QR code to scan. If you have an external U2F security key, Dashlane also supports that.

You can also get 2FA support for other password managers like RoboForm Everywhere and Keeper Password Manager & Vault.

Instagram Two-Factor Authentication

Facebook-owned Instagram has offered two-factor authentication since 2016. To turn it on, go to your profile and tap the hamburger menu on the top-right. Tap Settings > Security > Two-Factor Authentication. There you can choose how you'd like to get your authentication code.

Option one: turn on Text Message and add your phone number (include the country code, because Instagram is everywhere). You'll get a confirmation code via SMS text message. Enter it. Option two: turn on Authentication App. The app will walk you through the steps to set it up (since you can't exactly scan a QR code from your mobile phone while using the app on your mobile phone.)

The app also offers a list of five recovery codes for use in the future to turn off 2FA or get access via other devices. It even offers to take a screenshot of them to add to your camera roll; you can always re-access them in the app as well.

Twitter Two-Factor Authentication

To activate Login Verification on Twitter.com on the desktop, click the More menu on the left and select Settings & Privacy > Account > Security > Two-Factor Authentication. You can then choose to get codes via phone (SMS text), authentication app, or with a physical security key (which won't do you much good on a mobile app, so be sure to set up the authentication app). In the mobile Twitter app, the steps are much the same but you start by clicking on your profile pic.

Twitter will generate backup codes for when you lose a device, and temporary passwords to use one time when logging in at services/places/times you also can't get a regular 2FA code.

You can also use the Twitter app itself as an authentication app. Click Login code generator to get a six-digit number that updates every 30 seconds, which can help when signing into third-party sites with your Twitter credentials.

A good rule of thumb: occasionally view the full list of applications that have access to your Twitter or that use your Twitter credentials and nix any you no longer use or recognize.

PayPal 2-Step Verification

As a service dedicated to making payments, it's best that PayPal be as secure as possible. Log in, click your name in the upper-right to access your Profile Settings > Login and security. Click "Set up" next to 2-step verification. Select whether you want to receive a text message or code via an authenticator app or using a security key. With that set up, PayPal will give you the option to add a backup to your account, such as a different number or authenticator app, for when you can't reach your phone.

LinkedIn Two-Step Verification

Business social network LinkedIn makes it easy to set up verification, either by SMS texts or authentication app. Go to the Me menu > Settings & Privacy > Account > Two-step verification to activate or deactivate it.

You'll immediately get a six-digit code you have to enter to verify you're you. You only get one phone number (no backup). You can also go here to get recovery codes that let you access the account even if you don't have access to your phone.

LastPass Multifactor Authentication

LogMeIn's LastPass is one of PCMag's regular picks for Best Password Manager. But could a password manager be even more secure? Of course it could, if you haven't yet turned on 2FA.

As befits a heavy-duty security option, LastPass touts its support for a slew of authentication apps, including Google Authenticator, Authy, and Duo, as well as its own free LastPass Authenticator. It works with third-party hardware like smart cards or USB drives. LastPass has separate instructions available for all of them; some only work with the premium version of LastPass. Codes via SMS text are not an option.

In keeping with other services that use authenticator apps, here's what you do: Log in to LastPass on a desktop browser, and click Account Settings on the left. Select the Multifactor Options tab. Scroll to the Google Authenticator option (even if you're using another authenticator app). You'll get the usual QR code to scan into the app with your smartphone.

Microsoft Two-Step Verification

Microsoft has tied together most of its services under one umbrella. Outlook.com, OneDrive, Xbox Live, Skype, an Office 365 Home subscription, and much more can all use the same account. Naturally, it should get some extra protection.

Sign into your Microsoft account at account.microsoft.com/profile. In the top navigation, click Security; on the next page, click More security options. Two-step Verification is the second option. Microsoft will suggest you get app passwords as needed for older services or devices (like Xbox 360); go in later to generate one as needed.

Enter the Set up an identity verification app section. Microsoft makes its own authentication app (iOS, Android), which it will push you to install. It also works with other standard authenticator apps, like Google Authenticator and Authy—but to use them, you must pick "other" during the setup. Scan the QR code displayed.

You can skip the authenticator. If you do, Microsoft will still try to get you to use an app, but it does provide a link to a 7-digit verification code via text or email. If you choose text, it has to go to a phone you've pre-registered, and even then, Microsoft will make you re-enter the last four digits of the phone number as confirmation.

As you continue the setup, Microsoft provides a recovery code for you to write down and keep safe, a 25-digit whopper (like the kind it uses on everything from software registrations to Xbox giveaways). Microsoft also supports Trusted Devices, which is hardware that doesn't require you to enter any codes—you'll see a checkbox to mark a device (like a Windows 10 PC) as trusted when you log into it. Go back to security settings to revoke trusted devices all at once if you lose one. Microsoft automatically removes any trusted device you haven't logged into in two months; just trust it again on the next login.

Apple Two-Factor Authentication

Your Apple ID is a big part of your life if you're an iOS or Mac user. It's important for not just access, but also storage via iCloud; purchases like movies, books, and apps; and memberships like Apple Music and Apple TV+.

To activate Two-Factor Authentication, go to the Manage Your Apple ID page and sign in. Look for Security > Two-Factor Authentication and click "Get Started..."

You are then furnished with steps on how to set up 2FA for Apple using either iOS or macOS. You can't do it via a browser on another operating system anymore. On iOS you go to Settings > [your name at the top] > Password & Security > Turn on Two-Factor Authentication. On macOS go to Apple menu > System Preferences > iCloud, sign in, click Account Details > Security > Turn on Two-Factor Authentication.

You'll have to answer two of your three pre-set security questions and re-confirm your credit card on the account to get into the setup. Then you have to enter a valid phone number to get a text or phone call (even if it's the number already on the phone you're using for setup). If it is the same phone, the six-digit code will be entered automatically when it arrives, or just type it in.

After that, signing into anything with the Apple ID should generate a code on the device used for setup. Apple also supports app-specific passwords.

Note that once Apple 2FA is activated for two weeks, you can't turn it off. "Certain features in the latest versions of iOS and macOS require this extra level of security, which is designed to protect your information," Apple says.

Dropbox Two-Step Verification

Dropbox on the desktop website has a tab called Security. It's where you go to check how many current sessions are logged in and devices are using the account, to change the password, and, of course, turn on two-step verification. Toggle it to on, enter a password, and you'll be asked if you want to get security codes via SMS text message or via a mobile authenticator app.

If you choose text, enter a phone number and receive a code immediately. You also get to enter a backup number, plus receive a 16-digit number you should save somewhere safe; it will allow you to deactivate two-step verification if needed. If you choose the authenticator app, you'll see a QR code on-screen to scan. Other options include the use of a USB or NFC security key, if you've got one. Dropbox provides excellent instructions.

Facebook Two-Factor Authentication

Facebook is the last place you want to lose control of an account; its version of two-factor authentication will help prevent that. On the desktop you access it by going to Settings > Security and Login.

Under Two-Factor Authentication, click Edit on the right. On the next screen, select how you'd like to receive your second form of authentication: a text message, authenticator app, or physical security key.

If you select an authenticator app (which might be the best option when it comes to Facebook), Facebook will produce a QR code on the desktop screen. Open your authenticator app on your smartphone, select add, and hold your smartphone up to the computer screen to capture the code. The next time you sign into Facebook and it requests your six-digit code, open the authenticator app to retrieve it.

For apps that don't work with two-factor authentication when you log in with your Facebook credentials, Facebook offers App Passwords, a one-time password to access your Facebook account via any third-party app or service. If you log out of that app or service and need to go back in, you'll have to generate a new, unique app password. This is necessary for older devices. Get them via Settings > Security and Logins > App passwords.

The above options require you to have access to your phone, of course. But when you activate 2FA, you can get a list of 10 recovery codes to download and use at any time, even if you don't have your phone. Get them in the 2FA settings area and save them somewhere safe.

Facebook also supports the Universal 2nd Factor (U2F) of a hardware security key, something you plug into or put near your computer to get access.

Snapchat Two-Factor Authentication

Snapchat is a mobile-only service, so the only way to set up 2FA is via the mobile app. Open it up and tap your avatar at the top left. Tap the gear icon on the upper right and select Two-Factor Authentication.

Snapchat warns you that if you lose access to your method for generating a login code (aka, your phone), you could get locked out of your Snapchat account. If you're okay with that, proceed with setup, and select whether you want to receive a code via text or an authenticator app (you can have both active simultaneously).

If you choose authenticator, you get three options—the first is to Set Up Automatically, which worked like a charm to set up in Authy (my preferred app). It instantly gave me a six-digit code to enter in the Snapchat app. If you Set Up Manually, you get a QR code—but you can't exactly scan it on the same screen. Instead, it provides a 32-digit code for you to copy and paste.

Once you're set up, Snapchat will generate a Recovery Code you can use if you can't get a text or code from the authenticator app. Store it somewhere safe.

About Eric Griffith