Your online accounts (or at least, some of them) probably have troves of personal data in them, which is why hackers are constantly looking for ways to break into them. Passwords are usually their way in, as many people re-use passwords or choose common phrases. Even sharing the same password across two or more services can lead to trouble, as publicly-accessible password dumps become more common. Two-factor authentication, or 2FA for short, adds a second step to the login process that usually involves a temporary code or physical key — which makes it much harder for hackers to gain access to your accounts.

However, it can be a bit difficult to know how to get started with 2FA. There are multiple methods of authentication, each with a different level of support and security, and 2FA can also lock you out of your own accounts if you lose or break your phone.

We won't go into detail about two-factor authentication here (this Wikipedia article is a helpful resource), but we will explain why app-based 2FA is the way to go, and how you can set up the Authy app on your devices for managing 2FA codes.

Why you should use app-based 2FA

There are a few different types of two-factor authentication, ranging from 'slightly more secure than just a password' to 'no one except you will get access.' You probably already use some services that send SMS texts with one-time access codes — that's better than no 2FA at all, but given how common SIM swapping is (where someone calls your carrier pretending to be you and has your number moved to their SIM), it's far from perfect.

An example of SMS-based two-factor authentication

On the other end of the spectrum are products like the YubiKey and Google Titan Security Key, which are physical devices that must be connected to your PC/phone/tablet (over USB, Bluetooth, or NFC) for a login to work. While these are incredibly secure (as long as you don't lose them), sadly, many popular services don't support them at all.

Google's Titan Security Keys

A middle ground between these two methods is app-based authentication. Once you install an authenticator app on your device, you use it to scan a QR code provided by an online service (Google, Facebook, etc.). After that, every login to that service will require entering the code that currently appears in the app. This is safer than SMS 2FA, because the codes are generated locally on your device from a secret shared at setup time, rather than sent over a text message or another channel that can be intercepted.

While there are several authentication apps that work well, we'll focus on using Authy here. Unlike Google Authenticator and other similar apps, Authy backs up your 2FA codes to the cloud (in a secure way), which means your codes aren't lost forever if your phone breaks, and the codes can be synced across multiple devices.

How to get started with Authy

Authy is very easy to get set up. First, download the app on your platform of choice — Authy is available on iOS, Android, macOS, Windows, and Linux. You'll probably want to install it on a phone or tablet first, since scanning QR codes with a camera is the easiest way to enable 2FA on most online accounts.

Twilio Authy 2-Factor Authentication

To start with, Authy will ask you to create an account using a phone number. If you're thinking, "wait, how is this better than SMS codes if it's tied to my phone number anyway," don't worry. Authy will also ask you to create a backup password, which has to be entered on every device you want to use with Authy — your codes are encrypted in the cloud using this password. Even if someone gains access to your phone number, they can't do anything without the backup password.

Authy will send you a verification text to create your account.

After Authy is done setting up, you're ready to start connecting it to your online accounts. The exact steps for enabling 2FA vary by service, but if you look in the account settings of a given service, you should find an option for turning 2FA on. For example, with Google accounts, the option is in the Security section of Account settings (direct link).

Two-factor options in Google's account settings

Scan the code provided by the website with Authy, and you're done — every login after that will require a code generated by Authy. You may see some websites mention specific apps like Google Authenticator or Microsoft Authenticator, but Authy works with all codes intended for those apps.

Authy with a few accounts added

As mentioned previously, some services don't support all forms of 2FA. While many popular services do support app-based 2FA, there are some that only send SMS login codes. Twofactorauth.org is a great website that tells you which types of accounts work with what kind of 2FA methods.

Once you add a few accounts to Authy, it's probably a good idea to set the app up on at least one other device. That way, you don't have to always have your phone near you to enter login codes. I also usually keep the multi-device option in settings turned off — this prevents someone from logging into Authy on new devices until you flip the switch back on, even if they somehow know your backup password.

Turning multi-device off keeps additional devices from logging into your Authy account

Hopefully, you now know how to use Authy, and why it can help keep your accounts safe. We plan on publishing guides soon on how to enable 2FA support on popular services (using Authy, or any other authenticator app), so stay tuned for those.