string of six numbers) is only good for 30 seconds to a minute, after which another code is generated.
Of these methods, the TOTP app approach is best. A single good 2FA code app can be used for lots of services at once, and it’s more secure than having codes sent to your email (if your email login is what has been hacked, you’re in trouble) or via SMS (a process called SIM-jacking can enable scammers to transfer your phone number to a new SIM card and intercept your text messages).
TOTP apps are not as convenient as text messages. You have to load an app onto your phone, open it, and check for codes whenever you log in from a new computer, browser, or device. But it’s the best blend of convenience, ubiquity, and security, so it’s the method that we recommend. Our favourite TOTP app is Authy (fave.co/39K7QXL), but you should also check out LastPass Authenticator (fave.co/3aotX5x), Microsoft Authenticator (fave.co/32TmAR8) and Google Authenticator (fave.co/2TqlyZP).
Unfortunately, some sites and services only offer 2FA through email or SMS. If that’s the case, take what you can get. It’s still a lot more secure than not enabling 2FA at all.
What about hardware keys?
A hardware security key device is probably the most secure means of locking down your account. Someone would have to physically steal the hardware key fob from you in order to get in. The best option for Mac and iPhone users is probably the YubiKey 5Ci, which has