Two-factor authentication done right

Plus: Windows 11's rough landing, Facebook's big outage, and free e-book tips.

  Jared Newman  |  October 5, 2021

Ready or not, two-factor authentication is something you'll need to start thinking about.

This approach to online security, which I'll call "2FA" from here on, involves combining a regular password with a secondary numeric code, which you must enter on any device where you haven't logged in before. This extra code typically gets sent to your phone, so someone who steals your password can't get into your account unless they also have your phone (and know how to unlock it).

The added annoyance of 2FA is well worth the extra security it provides, which is why some tech companies have now started requiring it. Google began rolling out mandatory 2FA earlier this year, and announced this morning that it will auto-enroll another 150 million accounts by year-end. Amazon's Ring made 2FA mandatory last year after a string of camera hacks led to a round of bad press. I've also noticed Amazon selectively enforcing 2FA on its apps and website, sending a link to click on via text message when you log in on a new device.

While these are all positive steps in my view, the smartest approach to 2FA isn't merely passive. Many of these 2FA methods work by texting a code to your phone, which is better than nothing but is susceptible to potentially devastating SIM hijacking attacks. (The FCC is only now starting to examine that problem.) And if your phone gets lost or stolen, you'll want to have a backup 2FA method at the ready.

If you're ready to take 2FA more seriously, here are some options to consider:

Use an authenticator app

Instead of sending 2FA codes by text message, most major online services let you use an authenticator app to generate codes on your phone. The authenticator app syncs up to your online service—usually by having you scan a one-time QR code—and from then on, you use the app to look up the code when you're logging in on a new device.

While lots of companies offer these authenticator apps, I personally use Authy. It's free, and more importantly, you can install it on multiple devices at the same time. I have Authy installed on my iPhone, Android phone, iPad, Windows desktop, Windows laptop, and Mac Mini, which means my 2FA codes are never out of reach.

This convenience does come with a trade-off: Installing Authy on a new device requires an authentication code that Authy can always send via text message. But Authy mitigates this in two ways: You must also enter a password to unlock your backups on a new device, and you can always disable the ability to install Authy on new devices. Only someone with physical access to your existing Authy apps can then turn that ability back on.

I wouldn't recommend Authy if you're prone to forgetting passwords, but otherwise, its backup abilities are tough to beat.

Use email or app-based 2FA instead of text

If you've ever seen the "Are you trying to sign in?" prompt on your phone when logging into Gmail on a new device, this in itself is a form of 2FA, using an existing sign-in on one device to help you sign in on another. It's similar in principle to the way some services send you an extra verification code via email the first time you log in.

Either approach is more secure than getting codes via text message, and both can be used in addition to an authenticator app such as Authy, providing yet another backup method for getting into your account.

Use printed codes or a security key for extra backup

To make doubly sure that you can always get into your account, some services will let you print out backup codes or plug a USB security key into your device for 2FA. A couple months ago, I set up a Yubico security key with my Gmail, Microsoft, Twitter, and Stripe accounts, so if I ever need to log in on a new device, I can just plug in the key instead of using Authy. You can see which online accounts work with Yubikey here.

Sign in with Google or Apple when possible

Once you've gone through the trouble of locking down your accounts, I suggest using those accounts to log in on other sites whenever that's an option. For instance, I almost always use "Sign in with Google" on sites that offer it, as it spares me from creating another password and gives that site the same level of security as my Google account.

Setting it all up

Here's where things get a little tricky: Not every app or online service works with all of the options I just described. Some, like Google and Microsoft, support authenticator apps, physical security keys, email or app-based authentication, and printed security codes. Others may only support a subset of those methods. Still others may only provide 2FA via text message or not at all.

The best you can do, then, is size up the options for each account you have, starting with the ones you care most about protecting. If those options are limited, it's all the more important to rely on strong passwords—preferably generated by a password manager.

Ready to get started? Here are quick links to setting up 2FA on Google, Microsoft, Yahoo, Amazon, Facebook, Twitter, LinkedIn, and Apple. Authy's website also has a searchable list of tutorials for setting up 2FA on other sites. And if you need more help, I'm always an email away.

Need to know

Windows 11 crash-lands: Today's the official launch day for Windows 11, Microsoft's first major operating system upgrade in more than six years. But while I was excited about Windows 10—and installed it as soon as possible—Mark Hachman's Windows 11 review for PCWorld has given me pause this time around. While he praises the operating system's visual upgrades and window management features, he also describes a slew of backwards steps:

  • The taskbar removes popular customization options such as full text window names instead of icons.
  • The Start menu is no longer resizable and doesn't support sorting pinned apps into groups or folders.
  • Setting a browser other than Microsoft Edge as the default is a bigger chore than before. (This annoys me even though I like Edge.)
  • Anyone who knows the phone number or email linked to your Microsoft account can contact you via built-in Teams chat, which you cannot disable.
  • The system feels slower and less responsive than Windows 10 despite supposed performance improvements.

The upside is that Microsoft isn't forcing Windows 11 on anyone—you can stick with Windows 10 and get software updates through 2025—and the mere option to upgrade is rolling out slowly, from now through mid-2022. I'll probably upgrade my laptop when possible for the sake of experimentation, but unless Microsoft makes some big changes (or my impressions vastly differ from Mark's), I'm planning to stick with Windows 10 on my desktop PC for now.

iPhone 13 screen repair issues: Last week, iFixit accused Apple of hindering third-party screen repairs on the iPhone 13, noting that replacing the screen renders Face ID unavailable unless you go to an authorized shop. But upon closer inspection, the story isn't so clear-cut.

In a press release separate from its actual teardown, iFixit cited an Apple-licensed repair tech who said this might just be a software bug that Apple plans to fix. The UK-based repair shop iCorrect made a similar claim, and also managed to replace an iPhone 13 screen with Face ID intact, albeit with a greater degree of difficulty. Locking out third-party screen repair would be a bold move in the face of potential right-to-repair regulation, so it's worth keeping an eye on the issue to see how it plays out.

Facebook's big outage: Facebook, Instagram, and WhatsApp were all unavailable for about six hours on Monday due to a faulty configuration of the company's routing system. As Dave Troy neatly explained, Facebook essentially sent an update that temporarily erased its servers from the internet, including the DNS servers that tell your browser where to go when you type "facebook.com" into the address bar. Compounding the matter was the fact that Facebook runs its own internal tools and communications through those same servers, hindering the company's ability to quickly correct its mistake.

I don't buy the conspiracy theory that this was all a way to distract from broader Facebook scrutiny, but I do think the outage shows that even the biggest tech companies can fail to have proper backup plans in place. (It also reminded me how little I'd care if Facebook ceased to exist for more than half the workday.)

Apple Watch updates: So much for all that speculation about the Apple Watch Series 7 being nowhere close to shipping. It's launching on October 15, with pre-orders starting this Friday. (Still weird, though: The Series 7 doesn't yet appear in Apple's comparison page, and Apple hasn't disclosed the CPU inside, though it's probably the same as the Series 6.)

In related news, the iPhone 13's Apple Watch unlock bug should be fixed now with the latest update to iOS 15.

Tip of the moment

Get more out of Libby: As part of my never-ending attempts to spend less time on social media, I've been trying to read more books lately, and Libby has been a huge help. The free app lets you borrow e-books and audiobooks from your local library, and you can optionally read them through Amazon's Kindle e-readers and mobile apps as well. All you need is a library card.

Libby's been around for a while—it's a more user-friendly version of what used to be known as OverDrive—so I'm guessing a bunch of you know about it already. But whether you're a new Libby user or not, here are some tips to make it even more useful:

  • Use the web version: If you're at a computer or just don't want to install another mobile app, head to libbyapp.com for a version that works in any web browser.
  • Save your search options: On the search results page, tap the "Preferences" button to change your default search filters. Use this to avoid seeing audiobooks, for instance, or to only show books that are available to borrow.
  • Name your devices: In Amazon's Kindle app, head to More > Settings > Device Name, and give your phone or tablet a recognizable name. That way, you can more easily send books to the correct device after borrowing them.
  • Find in-demand books: Not sure what to read next? Tap the search bar, then hit the "skip the line" filter button. This will display any non-reservable copies of popular books that your library has available, so you can check them out without sitting on a waitlist.
  • Return books early: Once you're done reading, help out your fellow librarygoers by releasing the book from your collection. Hit the book icon in the Libby app, select "Manage Loan," then select "Return Early."

Now try this

Another neat weather app: Back in July, I wrote about an iOS weather app called Weather Strip, which presents the temperature, chance of rain, cloudiness, and UV levels as a set of easy-to-read line graphs, with data from the National Weather Service. Lately I've been using a close Android equivalent called NOAA Weather Unofficial, which offers a similar timeline view under its "Hourly" tab. (You can also set this tab as the default in the app's settings menu.)

The presentation isn't as pretty as Weather Strip, but it supports more data types and doesn't require a subscription. Instead, you can hide the app's bottom banner ad with an optional $2 upgrade. I also like that it lets you view up to three days of past weather data. (Thanks for the tip on this one, Steve G.!)

Bend websites to your will: If you're on the tech savvy side and don't mind mucking around with a light amount of code, you'll want to check out PixieBrix. The browser extension, which is free for personal use, lets you modify practically any website by hiding certain elements and adding new ones. After setting it up last week, I was able to declutter Amazon's awful product pages, add custom search shortcut buttons to Brave Search, and make my Tweek to-do list viewable from inside of Gmail.

It's an extremely cool tool, but not exactly the most user-friendly one. Before getting started, I'd suggest glancing through PixieBrix's "Build a Workflow" guide to see whether it's within your comfort zone. You can also read my Fast Company story for more on what PixieBrix is hoping to accomplish.

Around the web

Spend wisely

Want a couple of battery packs that you can fit in your pocket? MorningSave is offering a two-pack of 6,000 mAh Mophie PowerStation batteries with built-in Lightning and Micro-USB cables for $16 when you choose $8.99 Flat Shipping and use the code MOPHREE at checkout. You can also get a pair of 4,000 mAh batteries with USB-C cables for $10. (Again, choose $8.99 flat shipping, then use the code MOPHREE to waive the shipping costs.)

Other notable deals:

  • Verizon has Apple's official iPhone 12 Pro Max cases in leather ($30), silicone ($25), and clear ($25).
  • You can still grab the new iPad in silver for $299, down from $329.
  • Adorama has the Apple TV 4K for $159, down from $179.
  • Lenovo's Flex 5 Chromebook is on sale for $300. (My review's here.)
  • Anker's MagSafe-style iPhone charger is half off at $10 with the code 93XRZ87.
  • Get a 70-inch 4K HDR Dolby Vision Android TV for $550.

Thanks for your support!

This week's feature topic was inspired in part by my backup plan piece from a few weeks ago, in which I breezed through the notion of two-factor authentication backups without diving into the details. Please let me know if this kind of explainer is helpful, and if you want more (or less) of it. And as always, send me an email or drop into the Advisorator chat room on Slack for further discussion of any tech topic.

Until next week,

Jared

This has been Advisorator, written by Jared Newman and made possible by readers like you. Manage your subscription by clicking here, or reply to this email with "unsubscribe" in the subject to cancel your membership.