Multi-Factor Authentication: Who Has It and How to Set It Up

The 2014 Heartbleed bug exposed millions of internet logins to scammers thanks to one itty-bitty piece of code, and our security nightmares have only gotten progressively worse in the years since.

What's the average internet user to do? Well, you should have strong passwords. Even when strong, though, passwords are a pretty laughable method of authentication, because they can be scooped up pretty easily by a variety of methods. (You can stop changing your passwords constantly unless they're in a breach.)

What you really need is a second way to verify yourself. That's why many internet services, a number of which have felt the pinch of being hacked or breached, offer multi-factor authentication (MFA). We used to call it two-factor authentication (2FA), but more factors are better. You'll find all the terms used interchangeably with "multi-step," "two-step," and "verification," depending on the marketing.

As PCMag's Lead Security Analyst Neil J. Rubenking put it, "There are three generally recognized factors for authentication: something you know (such as a password), something you have (such as a hardware token or cell phone), and something you are (such as your fingerprint). Two-factor means the system is using two of these options." Multi-factor means you might even use more than two.

Biometric scanners for fingerprints, retinas, or faces are on the upswing thanks to innovations such as Apple's Face ID and Windows Hello. But in most cases, the extra authentication is simply a numeric string, a few digits sent to your phone as a code that can be used only once.

You can get that code via SMS text message (which is not a great idea) or a specialized smartphone app called an "authenticator." Once linked to your accounts, the app displays a constantly rotating set of codes to use for logins whenever needed—it doesn't even require an internet connection. There are numerous apps, some from big names such as Microsoft and Google, as well as Twilio Authy, Duo Mobile, and LastPass Authenticator. They all do the same thing, essentially; a few add password management and other features. Here's our rundown of The Best Authenticator Apps.

The majority of popular password managers offer MFA authentication by default. The codes provided by authenticator apps sync across your accounts, so you could scan a QR code on a phone and get your six-digit access code on your browser, if supported.

Be aware that setting up MFA can actually break access on some older services. In such cases, you must rely on app passwords—a password you generate on the main website to use with a specific app. You'll see app passwords as an option with Facebook, Twitter, Microsoft, Yahoo, Evernote, and more—all of which either are used as third-party logins or have older functions you can access from within other services. The need for app passwords is, thankfully, dwindling.

Remember this as you panic over how hard this all sounds: Being secure isn't easy. The bad guys count on you being lax. Implementing MFA will mean it takes a little longer to log in each time on a new device, but it's worth the extra work to avoid theft of your identity, data, or money.

The following is not an exhaustive list of services with MFA ability, but we cover the major services everyone tends to use and walk you through the setup. Activate MFA on all of these, and you'll be more secure than ever.

Amazon Two-Step Verification

Amazon 2FA support is pretty important, as Amazon has its fingers in many pies, including Comixology, Audible.com, and sites that use Amazon for payments—all of which are tied to your credit card.

Open up Amazon.com on the desktop, click the Accounts & Lists drop-down menu, and go to Account. Click on Login & Security. On the next page, click Manage next to 2-Step Verification. The preferred method is an authentication app (scan the QR code); phone number(s) are the backup method.

A nice option with Amazon is the ability to tell the service to skip the codes on trusted devices (or on multiple trusted web browsers on the same device). If that option doesn't work, or you've used it too many times for comfort, come back to the Two-Step Verification page and click Require OTP on all devices. OTP is an acronym for "one-time password." That's what Amazon insists on calling the authentication code.

Apple Two-Factor Authentication

If you're an iOS or Mac user, your Apple ID is a big part of your life. It's important not just for access, but also for storage via iCloud; purchases of movies, books, and apps; and subscriptions to services such as Apple Music and Apple TV+.

To activate two-factor authentication, go to the Manage Your Apple ID page and sign in. Look for Account Security > Two-Factor Authentication and click "Get Started..."

You are then furnished with steps on how to set up 2FA for Apple using either iOS or macOS. On iOS you go to Settings > [your name at the top] > Password & Security > Turn on Two-Factor Authentication. On macOS go to > System Preferences > iCloud, sign in, click Account Details > Security > Turn on Two-Factor Authentication. (Here are specifics on setting it up in iOS so you can literally use your iOS device as an authenticator app.)

You'll have to answer two of your three pre-set security questions and re-confirm your credit card on the account to get into the setup. Then you have to enter a valid phone number to get a text or phone call (even if it's the number already on the phone you're using for setup). If it is the same phone, the six-digit code will be entered automatically when it arrives, or just type it in.

After that, signing into anything with an Apple ID should generate the code on the device used for setup. Apple also supports app-specific passwords and physical security keys.

Note that once Apple's Two-Factor Authentication is active, you can't turn it off. "Certain features in the latest versions of iOS and macOS require this extra level of security, which is designed to protect your information," Apple says.

Dropbox Two-Step Verification

Dropbox on the desktop has a tab called Security. It's where you go to check how many current sessions are logged in and devices are using the account, to change the password, and of course, to turn on two-step verification. Toggle it to on, enter your password, and you'll be asked whether you want to get security codes via SMS text messages or a mobile authenticator app.

If you choose texts, enter a phone number to get a code immediately. You also can enter a backup number and receive a 16-digit number you should save somewhere safe; it lets you deactivate two-step verification if needed. If you choose the authenticator app (and you should), you'll see a QR code onscreen to scan. Other options include the use of a hardware security key, if you've got one. Dropbox provides excellent MFA instructions.

Facebook Two-Factor Authentication

Facebook is the last place you want to lose control of an account; its version of two-factor authentication will help prevent that. On the desktop, you access it by going to your avatar menu at the upper right and selecting Settings & privacy > Settings > Security and Login.

Under Two-Factor Authentication, click Edit on the right. On the next screen, select how you'd like to receive your second form of authentication: a text message, authenticator app, or physical security key, which is something you plug into or put near your computer to get access; for more info, read The Best Security Keys for Multi-Factor Authentication.

If you select an authenticator app (the best option), Facebook produces a QR code on the desktop screen. Open your authenticator app on your smartphone, select Add, and hold your smartphone up to the computer screen to capture the code. The next time you sign into Facebook and it requests your six-digit code, open the authenticator app to retrieve it.

The above options require you to have access to your phone, of course. But when you activate MFA, you can get a list of 10 recovery codes to download and use at any time, even if you don't have your phone. Get them in the Two-Factor Authentication Settings area, and save them somewhere safe.

Google 2-Step Verification

With access to your credit card (for shopping on Google Play or paying via Google Pay), important messages and documents, your smart home devices, and even your videos on YouTube—essentially your whole life—a Google account has to be well protected. Thankfully, the company has been offering MFA since 2010.

You can visit the Google Safety Center to find 2-Step Verification. Simply add your smartphone to your account, make sure the Google search app is on the phone, and at login, go to the phone and acknowledge with a tap that you are the one signing in.

If that doesn't work, you'll need to enter an extra code. That code is sent to your phone via SMS text, via a voice call, or by using an authenticator app. Google Authenticator—or any authenticator app—can generate the verification code for you, no internet required. On your personal account, opt to register your trusted computer so you don't have to enter a code during every sign-in.

Once you've set up Google 2-Step Verification, access it again by visiting your Google account security settings. Use that to select optional phone numbers or emails that can receive codes, switch to using an authenticator app, and generate app-specific passwords.

Instagram Two-Factor Authentication

Facebook-owned Instagram has offered two-factor authentication since 2016. To turn it on, go to your profile in the mobile app (with the icon at the lower right), then tap the hamburger menu on the top-right. Tap Settings > Security > Two-Factor Authentication.

There you can choose how you'd like to get your authentication code. Options include an authentication app (recommended), using WhatsApp, or text message (include the country code, because Instagram is everywhere). If you go with an authentication app, Instagram walks you through the steps to set it up, since you can't exactly scan a QR code from your mobile phone while using the app on your mobile phone.

The app also offers a list of five backup codes for use when you can't get codes via the authentication app or SMS. Tell the app to send you notifications of log-in requests to your account so you get an extra chance to approve them.

Intuit TurboTax, Turbo, and Mint.com

Worried about SIRF? That's Stolen Identity Refund Fraud, something the IRS fights so your tax refunds go to you, not to scammers and crooks.

Help yourself by turning on MFA when you use e-filing software and services. Intuit TurboTax is a PCMag Editors' Choice winner for tax preparation software. Once you've signed in via the desktop browser click Intuit Account > Sign in & Security, and click the link next to Two-Step Verification. If you've already entered a phone number, it should appear here so you can verify by text or voice call. Once that's on, the option to Turn on Authenticator App appears. The phone number remains in the system for fallback.

This login also works for Intuit's online personal finance tracker, Mint.

LinkedIn Two-Step Verification

Business social network LinkedIn makes it easy to set up MFA verification, either by SMS text or an authentication app. Go to the Me menu > Settings & Privacy > Sign in & Security > Two-step verification.

You'll immediately get a six-digit code to enter to verify you're you. You get only one phone number (no backup). You can also go here to get recovery codes that let you access the account even when you don't have access to your phone.

Microsoft Two-Step Verification

Microsoft has tied together most of its services under one umbrella. Outlook.com, OneDrive, Xbox Live, Skype, an Office subscription, the Windows operating system itself, and much more can all use the same account. Naturally, it should get some extra protection.

Recommended by Our Editors

The Best VPN Services for 2024

The Best Password Managers for 2024

How to Completely Disappear From the Internet

In fact, Microsoft said in 2021 that it won't even require a password on accounts—as long as you use one of its MFA-style methods to log in. That means using either the Microsoft Authenticator app on iOS or Android or the Windows Hello biometric sign-in. But you can stick with using a password and getting a security key or verification code, if you prefer.

Sign in to your Microsoft account at account.microsoft.com/profile. In the top navigation, click Security; on the next page, click Advanced security options. You'll see a link called Add a new way to sign in or verify, and you can enter lots of info here, such as email addresses and phone numbers that can be used to get a code—also, you can set up Enter a code from an authenticator app. Under that, you'll see options for Passwordless account and Two-Step Verification.

You don't need to use Microsoft Authenticator if you're only setting up MFA access with a password. It also works with other standard authenticator apps, like Google Authenticator and Authy—but to use them, you must pick "other" during the setup. Or you can get the codes sent via text message or email.

To use the Passwordless account option, Microsoft Authenticator is required on your smartphone. But you may not even have to enter a code—the app will pop up when you try to sign in somewhere, and after you log into the phone, you click a couple of boxes to authenticate, easy-peasy. (Some might say too easy—since all anyone needs to access your Microsoft account now is to steal your phone.)

Microsoft provides a recovery code for you to write down and keep safe, a 25-digit whopper (like the kind it uses on everything from software registrations to Xbox giveaways).

PayPal 2-Step Verification

As a service dedicated to making payments, it's best that PayPal be as secure as possible.

When you log in, click your name at the upper-right and access Profile Settings > Login and Security. Next to 2-Step verification, click Set Up. You can receive a text message or code via an authenticator app; for the latter, you scan a QR code with the app. Pick one option to be the primary method.

You can optionally add a backup MFA method to your account, such as a different number or even another authenticator app, for times when you can't reach your phone. Go back into Login and Security and click Update to add methods, or to turn MFA off completely. You can also skip the MFA on select devices as you log into them, so you won't be asked for a code on that device/browser again.

The steps for this are slightly different depending on whether you have a personal or business account, but ultimately, you just have to find your way to Settings to get to 2-Step verification.

Slack 2-Factor Authentication

Got an office Slack? Whether you can secure it with two-factor depends on your workspace's account settings. If you sign into Slack using your G Suite account, you'll handle two-factor through Google. If you're accessing multiple Slack workspaces, you need to set up MFA on each workspace individually—some may use it, some may not.

Otherwise, go to Account > Settings > Two-Factor Authentication (usually at [workspace name].slack.com/account/settings) to find the Set Up Two-Factor Authentication button. (If you don't see it, that means it's not an option for you.) After you enter your password, you get two choices: receive the code via SMS text messages, or use an authenticator app. If you pick the app, you still get the option to enter a backup mobile phone number.

Owners/admins can go into Workspace Settings & Permissions > Authentication to require workspace-wide two-factor authentication if desired.

Twitter Two-Factor Authentication

Elon may change this on a whim, but here you go: To activate Login Verification on Twitter.com on the desktop, click the More menu on the left and select Settings And Support > Settings And privacy > Security and account access > Security > Two-Factor Authentication. Choose to get codes via phone (SMS text), via authentication app, or with a physical security key (or any combination of the three). In the mobile Twitter app, the steps are much the same, but you start by clicking on your profile pic. Twitter will generate backup codes for when you lose a device or for when logging in at services/places/times when you can't get a regular MFA code.

You could also use the Twitter app itself as an authentication app. Following that same path above, go to Login code generator to view a six-digit number that updates every 30 seconds, exactly like an authenticator app. This can help when you're signing into third-party sites with your Twitter credentials.

Yahoo Account Key or 2-Step Verification

To set up verification at Yahoo, access your Personal info (look for your name, or the link to Sign In, in the upper-right corner of any Yahoo page, and select Add or Manage Accounts > Account Info). Click Account Security, and you'll see many options under Account Access. Top among them are Account Key, password, or app password for 3rd-party accounts.

There is no option to use a third-party authenticator app. But the Yahoo Account Key is the next best thing. It expects you to have at least one Yahoo-made app on your phone, such as Yahoo Mail. When you try to sign in, you have to launch the app, then Yahoo Account Key gets a notification. You push a button to confirm it's you, and that's it—no codes or passwords to enter. If this doesn't work, or you don't have a Yahoo app on your mobile device, Yahoo can text or email you an MFA code.

After you set up either of the above, the Account Security list displays that Generate app password option. When you're ready to access Yahoo services on devices without direct support, go here to create a new, unique password that allows access.

All the Sites With MFA

The list above covers the biggest tech companies and some that have important access to your data. But if you need a comprehensive listing of just about every site or service that offers multi-factor authentication, complete with instructions for each, there's an option: The 2FA Directory has a list of sites that support it and what method they use to send codes (they call an authenticator app a "software token" on the site.) It also provides links to the documentation on each site/service for how to set up MFA.

It's Surprisingly Easy to Be More Secure Online