Recently, it was announced that Twitter would only offer SMS-based two-factor authentication (2FA) to its Twitter Blue members (those who are willing to pay $8 a month on Android or $11 a month on iOS). To tell you the truth, my first reaction was: just as well. If you want to use 2FA to secure your social media or another account, using text messaging is not the way to go. You’re much better off using either a third-party authenticator app or a hardware security key.
Security keys, such as the ones sold by Yubico, are the safest method to use. They can connect to your system using USB-A, USB-C, Lightning, or NFC, and they’re small enough to be carried on a keychain (with the exception of Yubico’s YubiKey 5C Nano, which is so small that it’s safest when kept in your computer’s USB port). They use a variety of authentication standards: FIDO2, U2F, smart card, OTP, and OpenPGP 3.
When you insert a security key into your computer or connect one wirelessly, your browser issues a challenge to the key, which includes the domain name of the specific site you are trying to access; because the key will only answer for the domain it was registered with, this prevents you from accidentally logging in to a phishing site. The key then cryptographically signs the challenge and returns the signature, which the service verifies before logging you in.
Many sites support U2F security keys, including Twitter, Facebook, Google, Instagram, and others. The best thing to do is check the website of your security key of choice and see which services are supported — for example, here’s a link to the apps supported by YubiKeys.
But while physical security keys are the safest method, they are not the most convenient. If you don’t want to carry around (and possibly lose) a physical key, using an authentication app on your phone is the best way to go.
Authentication apps generate one-time numerical passcodes that change approximately every minute. When you log in to your service or app, it will ask for your authenticator code; you just open up the app to find the randomly generated code required to get past security.
Popular options include Authy, Google Authenticator, and Microsoft Authenticator. These apps mostly follow the same procedure when you’re adding a new account: you scan a QR code associated with your account, and the account is saved in the app. From then on, whenever the service asks for a numerical code, you open the authenticator app and read off the current one.
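To show what that QR code actually carries and how the app turns it into a changing code, here is an added example (not code from the article or from any of the apps named above) implementing the standard TOTP scheme the apps use (RFC 6238 over RFC 4226). The sample otpauth URI is constructed; its secret is the RFC 6238 test key "12345678901234567890" in base32, so the codes it produces match the RFC's published test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed example of the text a setup QR code encodes (RFC 6238 test key as the secret).
SAMPLE_URI = ("otpauth://totp/Example:alice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")


def parse_otpauth_uri(uri):
    """Extract the TOTP parameters from an otpauth:// URI (what the QR code contains)."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = parse_qs(parsed.query)
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "secret": params["secret"][0],                    # base32 shared secret
        "digits": int(params.get("digits", ["6"])[0]),
        "period": int(params.get("period", ["30"])[0]),   # seconds each code is valid
        "algorithm": params.get("algorithm", ["SHA1"])[0].upper(),
    }


def hotp(key, counter, digits=6, algorithm="SHA1"):
    """RFC 4226: HMAC over the big-endian counter, dynamic truncation, then mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm.lower())).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, unix_time=None, digits=6, period=30, algorithm="SHA1"):
    """RFC 6238: HOTP with the counter set to the current time step (not a random value)."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)  # restore stripped '=' padding
    key = base64.b32decode(padded)
    t = int(time.time() if unix_time is None else unix_time)
    return hotp(key, t // period, digits, algorithm)


def verify_totp(secret_b32, submitted, unix_time=None, window=1, digits=6, period=30, algorithm="SHA1"):
    """Server-side check: accept the current step or up to `window` steps either side (clock skew),
    comparing in constant time so response timing does not leak which digits matched."""
    t = int(time.time() if unix_time is None else unix_time)
    for step in range(-window, window + 1):
        candidate = totp(secret_b32, t + step * period, digits, period, algorithm)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


if __name__ == "__main__":
    account = parse_otpauth_uri(SAMPLE_URI)
    print(account["label"], "->", totp(account["secret"]))  # the code your app would show now
```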
Here is how to set up 2FA on some of the more popular online accounts. Not all of them allow for authenticator apps; in that case, we list what is available. (If you’re just interested in using an authenticator app for your Twitter account, you can go directly to this article, which gives you all the steps needed — however, for convenience, we’ve included Twitter with the others here.)
Note: most of the following directions are for websites; if you can use a mobile app, directions will be given for that as well.