Secondary Authentication
Two-Factor Authentication (2FA)
Two-factor authentication adds a second step to login: something you know (password) + something you have (your phone or key).
Even if your password is stolen, an attacker cannot log in without the second factor.
TOTP — Time-Based One-Time Passwords
TOTP generates a 6-digit code that changes every 30 seconds. Most sites support it (look for “Authenticator App” in their 2FA settings).
How it works: When you set up TOTP, the site shows you a QR code that encodes a secret seed. Your app combines this seed with the current time to generate the same code the server generates from its own copy of the seed. If the codes match, you’re authenticated.
SMS vs Authenticator App
| | SMS | Authenticator App |
|---|---|---|
| Convenience | Easy | Slightly more setup |
| Security | Weak — SIM swap attacks | Strong |
| Works offline | No | Yes |
| Backup | Via carrier (risky) | Via seed backup |
Use an authenticator app, not SMS, for important accounts.
andOTP (Android)
andOTP is an open-source TOTP app for Android.
- Encrypted backup feature
- Supports TOTP and HOTP
- Can back up to encrypted file (store separately from phone)
Google Authenticator
Google Authenticator works on Android and iOS. Simple, reliable.
Downsides:
- Google-controlled
- Until recently, no backup feature (now supports Google account sync)
Aegis (Recommended Android App)
Aegis Authenticator — open source, encrypted backups, beautiful UI.
Hardware Keys (Best Security)
YubiKey and similar FIDO2/WebAuthn hardware keys provide phishing-resistant 2FA.
- Physical key required for login
- Cannot be phished (unlike TOTP codes)
- Works with Google, GitHub, Microsoft, and many others
Backup Codes
When you enable 2FA, most sites provide one-time backup codes. Print these and store them safely — they let you recover access if you lose your phone.