Staying secure is a journey with multiple steps
In a nutshell, multi-factor authentication (MFA) means proving who you are with something in addition to your password before you get into your account. There are many ways to do this, and they are not equally strong: texting a one-time PIN to your phone is less secure than, say, a $25 Google Titan security key or the free Authy app from Twilio on your smartphone. The idea is that if your password is compromised (for example a reused one that has already leaked in another breach), the attacker still can't get in, because logging in also requires this second secret, which they don't have.
Is MFA slightly inconvenient, and does it add a step to every login? Typically, yes. But weigh that inconvenience against the consequences of having your identity or your funds stolen because of poor security hygiene, and it becomes clear what is at stake.
Twitter was recently hacked, and the attack appeared to start with a social engineering ploy against one of its employees. With access to Twitter's internal administrative tools, the hackers were able to reset account passwords regardless of whether MFA was enabled on those accounts or not.
After hearing the news, I realized that I still have enabled SMS on Twitter and also on PayPal. It’s important to note that this method is less secure than others. With that in mind, allow me to give you instructions on adding the best kind of MFA to your accounts.
For Twitter, go to Settings and Privacy, click on Security, then click on Two-factor authentication. You should see the screen below, where you can select up to three different methods to protect your account:
Text messages, which is, as I mentioned, the least secure method. This is because attackers have several ways to get at a code sent this way: taking over your phone number with a SIM swap at your carrier, intercepting the message in transit on the carrier network, or simply phishing you into typing the code into a fake login page. If you are intimidated by the other methods mentioned below, then yes, SMS is better than nothing. But if you can push onwards and implement one of the other methods, you will be better protected.
Authentication app, which uses a free app on your smartphone from Authy (Google, Microsoft and many other vendors also offer one) that generates the one-time code. You bring up the app, find the particular website you want to access, and copy the typically six-digit code from your phone to the login page. The code changes every 30 seconds, so the only wrinkle is that it may roll over between the moment you read it and the moment you submit it; most sites tolerate a code that has just expired, and if yours is rejected, simply wait for the next one. If you don't have a smartphone, then you can't use this method as described. Otherwise it is a relatively simple process: you are prompted to re-enter your Twitter password, then you scan a QR code with your phone to link the authentication app with your Twitter account (the QR code carries the shared secret the app will use from then on), then you enter the code displayed in the app back on your computer at the appropriate prompt to verify the connection.
Security key, which is a separate physical fob that doesn't display any code at all. Instead it holds a private key in its hardware that never leaves the device; at login the site sends a challenge, and the key signs it, along with the address of the site you are actually on, so a phishing page at a look-alike address can't reuse the response. Once you enable the authentication app, you can also select this option. Instead of copying a code, you plug in the key and press the button on it when prompted. You probably want to register at least two keys and keep them in different places (such as your car and your home), because if you lose your only key you can't access your account.
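To make concrete what the authentication app and the website are each doing, here is an added example in Python (it is not code from the original post or from any of the vendors mentioned). It generates the time-based code as specified in RFC 6238 and shows how a site can verify it while tolerating a code that rolled over while you were typing it, yet still refuse a code that has already been used. The secret is the published RFC 6238 test secret, not a real one, and the verifier class and its window parameter are my own illustration.

```python
import base64
import hashlib
import hmac
import struct
import time


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Return the RFC 6238 TOTP code (HMAC-SHA1) valid at the given Unix time.

    secret_b32 is the base32 string carried in the QR code shown at enrollment;
    the phone app and the server both hold this same value.
    """
    pad = "=" * (-len(secret_b32) % 8)                  # base32 needs 8-char groups
    key = base64.b32decode(secret_b32.upper() + pad)
    counter = unix_time // step                         # which 30-second slot we are in
    msg = struct.pack(">Q", counter)                    # 8-byte big-endian counter
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                          # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


class TotpVerifier:
    """Server-side check (hypothetical helper, not any site's real code).

    window=1 accepts the previous and next time slot as well as the current
    one, covering small clock skew and the code changing mid-typing.
    A slot is consumed once a code from it is accepted, so the same code
    cannot be replayed by someone who watched you type it.
    """

    def __init__(self, secret_b32: str, window: int = 1, step: int = 30):
        self.secret = secret_b32
        self.window = window
        self.step = step
        self.last_counter = -1      # highest time slot already used for a login

    def verify(self, submitted: str, now: int) -> bool:
        current = now // self.step
        for delta in range(-self.window, self.window + 1):
            counter = current + delta
            if counter <= self.last_counter:
                continue            # already consumed, or older than a consumed slot
            expected = totp(self.secret, counter * self.step, self.step)
            if hmac.compare_digest(expected, submitted):
                self.last_counter = counter
                return True
        return False


# RFC 6238 test secret (ASCII "12345678901234567890" in base32); not a real account secret.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    print("code right now:", totp(RFC_SECRET, int(time.time())))
```

The same computation runs on both ends, which is why the app works offline and why the QR code you scan at enrollment is itself a secret worth keeping out of screenshots and cloud photo backups.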
For Facebook, if you are using a web browser, click on the small triangle on the top right-hand navigation bar for your account, then Settings & Privacy, then Settings, then Security and Login, and finally click on the edit button under the Two-Factor Authentication settings. After re-entering your account password, you should end up at this page here. You will have something similar to Twitter's three choices (authentication app, security key and text messages). Once you have finished adding the additional MFA methods, go back to the main security page, review the list of devices that are logged in to your account, and make sure you recognize every one of them.
For PayPal, click on the small triangle on the top bar to go to your account settings, then go to Security. Under Two-factor authentication, click the check box to require it at login, and you will be prompted to enter the mobile number at which you can receive the one-time PIN codes. Note that you need to enable the text MFA method before you can switch to using the Authy app.
Once you have added MFA to these apps, you might be interested in seeing what else you can protect this way. The best place to find out whether a given site offers this additional protection is the Two Factor Auth list at twofactorauth.org, which strives to remain current. As a rule, I recommend that anything that involves money (your bank, your insurance company and your investment accounts) be protected with MFA. Sadly, many of these sites only offer text-based MFA (Bank of America, TD Ameritrade and Prudential Financial, for example), if they offer any at all.
Go to your profile screen, click on the gear icon to access your settings, and scroll down to Two-Factor Authentication. You'll see the screen where you can enable the authentication app. If you have already installed an app, choose the automatic method, which links the app for you, then enter the code the app displays back on the site to confirm.
One other word of advice: if you are setting up MFA on an account and you have a choice between a web browser and an app on your phone, choose the browser. It is usually easier to navigate the multiple screens there.
If this exercise has gotten you to be more careful (and perhaps more paranoid), you might want to check out this post, which shows you how to strengthen the various privacy controls available on iPhones and Androids, such as limiting location services and app permissions. As you can see, security is a journey with many steps.