How to make two-factor authentication less of a pain
By Joe Kissell, Macworld, Jun 30, 2014 9:00 pm PDT
You probably know by now that you should never use the same password in more than one place, and that each of your passwords should be strong enough to resist an automated attack. Perhaps you use iCloud Keychain, or a third-party password manager such as LastPass to generate random passwords, store them, and fill them in automatically. But all that may not be enough if a site suffers a security breach that reveals its users’ passwords to an attacker—sadly, a frequent occurrence.
At the moment, the best defense against such attacks is two-factor (or two-step) authentication, in which you need more than just a username and password to log in on an untrusted device. You also need a second element, which often takes the form of a numeric string sent by SMS and so foils any attacker who has your password but not your phone. Most major Internet companies offer two-factor authentication as an option—you can read how to set this up for your Apple ID (which now applies to the iCloud website as well) and Twitter, for example.
The problem with two-factor authentication is that it’s a bother, requiring an extra, manual step. Usually you have to do this only once per device or app, after which point ordinary logins work, but even so, it’s a pain. Here are a couple of ways to reduce that inconvenience.
Use an authenticator app
Many services that use two-factor authentication let you use an iOS app—in lieu of SMS—to obtain that secondary authorization code. (This option is handy because SMS isn’t always reliable or prompt, it’s useless in locations where you have no cellular signal, and won’t help you if you’re using an iPad rather than an iPhone.) In some cases, two-factor authentication uses the service’s own app. For example, in the Facebook iOS app, you tap More > Code Generator to see the current code. Similarly, Apple can now use the Find My iPhone app to deliver codes (such as when you’re logging in to iCloud.com) via a push notification, as an alternative to SMS. And Twitter has a unique approach: you can set it up to use its iOS app for two-factor authentication without requiring a code at all.
But most services use a free, third-party iOS app such as Google Authenticator to generate the codes. You start by logging in to a service’s website and finding its two-factor authentication settings page. There you’ll typically find either a QR code or an alphanumeric key. Open your authenticator app, add a new account, and either scan the QR code with your camera or type in the key. From then on, the app generates the secondary codes, for each of your accounts, every 30 seconds.
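Apps like Google Authenticator derive those 30-second codes from the alphanumeric key using the TOTP algorithm (RFC 6238). The sketch below is an added example, not code from the article or from any of the apps it names; the function names are hypothetical and the key is the published RFC 6238 test key, not a real account secret.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample: the RFC 6238 test secret "12345678901234567890" in base32.
SAMPLE_KEY = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def totp(key_b32, unix_time, step=30, digits=6):
    """Code an authenticator app would show for this key at unix_time."""
    # Setup pages often print the key in lowercase groups separated by spaces.
    cleaned = key_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)           # restore base32 padding
    key = base64.b32decode(cleaned)
    counter = struct.pack(">Q", unix_time // step)  # number of 30 s steps so far
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(key_b32, submitted, unix_time, last_step=-1, window=1, step=30):
    """Service side: return the matched time step, or None if rejected.

    window tolerates clock drift of +/- that many steps; any step at or
    before last_step is refused so a captured code cannot be replayed.
    """
    current = unix_time // step
    for candidate in range(current - window, current + window + 1):
        if candidate <= last_step:
            continue
        expected = totp(key_b32, candidate * step, step)
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            return candidate
    return None

if __name__ == "__main__":
    print(totp(SAMPLE_KEY, 59))             # 287082 (RFC 6238 vector, 6 digits)
    print(verify(SAMPLE_KEY, "287082", 89)) # 1: accepted one step late
```

Because both sides compute the code from the shared key and the clock, no network or cellular signal is needed on the phone, which is why the app works where SMS does not.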
An alternative to Google Authenticator is a free app called Authy. It works with all the same sites as Google Authenticator, but it has a cool extra capability: it can sync accounts across all of your iOS devices automatically, and (with a free companion Mac app, which works on newer Macs with Bluetooth 4.0 support) can even send codes to your Mac and enter them for you automatically—although this doesn’t work as often as I’d like.
Use one-time verification codes
When you set up two-factor authentication, there’s always the worry that you could lose the iOS device you use for that second factor, thus making it impossible for you to access your own account. So most companies supply you with an extra code of some sort (Apple calls it a recovery key; Dropbox and Twitter refer to it as a backup code) during the setup process. You should either print this out and keep it in a safe place, or put it in a secure digital location (such as your password manager). If you ever need to get into your account without your secondary device, this code can save the day.
But some companies take this concept a step further. Evernote, Facebook, and Google, for example, supply you with a list of codes that you can use whenever you like, in place of SMS or a code from an authenticator app. Each code can be used only once, however; if you run out of codes, you have to go back to the appropriate page in the Settings portion of each site and generate another list. Again, keep this list in a safe place—and take it with you when traveling, just in case.