How to Set Up 2FA: TOTP vs Push vs Security Keys
Learn how to set up two-factor authentication. Compare TOTP apps, push notifications, and security keys to protect your accounts.
Summary
Security keys (hardware) offer the strongest protection against phishing. TOTP apps provide good security and are widely supported. Push notifications are convenient but less secure. For most users, TOTP apps offer the best balance of security and convenience.
Why 2FA Matters
Passwords alone aren’t enough because:
- Passwords can be stolen or guessed
- Data breaches expose passwords
- Phishing attacks trick you into revealing passwords
- Weak passwords are easily cracked
2FA adds a second factor (something you have) beyond your password (something you know), making accounts much harder to compromise.
Types of 2FA
1. TOTP (Time-Based One-Time Password)
How it works: The authenticator app generates 6-digit codes that change every 30 seconds.
Pros:
- Works offline
- Widely supported
- Good security
- Free to use
- No phone number needed
Cons:
- Can be phished (if you enter the code on a fake site)
- Requires app installation
- Codes expire quickly
Best for: Most users, good balance of security and convenience
2. Push Notifications
How it works: The service sends a notification to your phone, and you approve or deny it.
Pros:
- Very convenient
- No codes to enter
- Fast approval
- User-friendly
Cons:
- Less secure (can be approved accidentally)
- Requires internet connection
- Phone can be compromised
- Some services charge for it
Best for: Convenience-focused users, low-risk accounts
3. Security Keys (Hardware)
How it works: A physical device you plug in or tap to authenticate.
Pros:
- Strongest security
- Phishing-resistant
- Works offline
- Fast authentication
Cons:
- Requires hardware purchase
- Can be lost
- Not all services support them
- More expensive
Best for: High-security needs, maximum protection
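The phishing resistance claimed above comes from the key's response being bound to the site the browser is actually on: the browser records the real origin in the signed client data, and the key only answers for the site a credential was registered to. The following is an added, simplified model of that FIDO2/WebAuthn check, written for this page and not taken from any key vendor or library; the class and function names are hypothetical. It substitutes an HMAC with a per-credential secret for the real per-credential asymmetric signature so that it runs on the Python standard library alone (which means the server is handed the HMAC secret at registration where it would normally store a public key); the origin, RP ID and single-use challenge checks it demonstrates are the same either way.

```python
"""Simplified model of why a security key resists phishing (hypothetical example code)."""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Set, Tuple


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def rp_id_from_origin(origin: str) -> str:
    """The browser, not the web page, derives the relying-party ID from the real origin."""
    return origin.split("://", 1)[1].split("/")[0].split(":")[0]


class SecurityKey:
    """The hardware token. Each credential is scoped to the RP ID it was created for.
    Real keys never export the private key; this model hands the server an HMAC
    secret at registration in place of a public key, purely to stay standard-library."""

    def __init__(self) -> None:
        self._creds: Dict[bytes, Tuple[str, bytes]] = {}

    def make_credential(self, rp_id: str) -> Tuple[bytes, bytes]:
        cred_id, secret = secrets.token_bytes(16), secrets.token_bytes(32)
        self._creds[cred_id] = (rp_id, secret)
        return cred_id, secret

    def get_assertion(self, cred_id: bytes, rp_id: str, to_sign: bytes) -> Optional[bytes]:
        entry = self._creds.get(cred_id)
        if entry is None or entry[0] != rp_id:
            return None  # no credential for this site: a look-alike domain gets nothing to sign
        return hmac.new(entry[1], to_sign, hashlib.sha256).digest()


def browser_sign_in(key: SecurityKey, origin: str, challenge: str, cred_id: bytes):
    """What the browser does on a sign-in page: clientDataJSON records the origin the
    user is really on, and the key signs authenticatorData || SHA-256(clientDataJSON)."""
    rp_id = rp_id_from_origin(origin)
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}, sort_keys=True
    ).encode()
    auth_data = sha256(rp_id.encode()) + b"\x01"  # rpIdHash || flags (bit 0: user presence)
    sig = key.get_assertion(cred_id, rp_id, auth_data + sha256(client_data))
    return None if sig is None else (client_data, auth_data, sig)


class RelyingParty:
    """The service's side of the check."""

    def __init__(self, rp_id: str, origin: str) -> None:
        self.rp_id, self.origin = rp_id, origin
        self._creds: Dict[bytes, bytes] = {}
        self._pending: Set[str] = set()

    def register(self, key: SecurityKey) -> bytes:
        cred_id, secret = key.make_credential(self.rp_id)
        self._creds[cred_id] = secret
        return cred_id

    def challenge(self) -> str:
        c = base64.urlsafe_b64encode(secrets.token_bytes(32)).decode().rstrip("=")
        self._pending.add(c)
        return c

    def verify(self, cred_id: bytes, assertion) -> bool:
        if assertion is None or cred_id not in self._creds:
            return False
        client_data, auth_data, sig = assertion
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get" or cd.get("origin") != self.origin:
            return False  # signed for some other site
        if cd.get("challenge") not in self._pending:
            return False  # unknown or already-used challenge (replay)
        if auth_data[:32] != sha256(self.rp_id.encode()) or not auth_data[32] & 0x01:
            return False  # wrong RP ID hash, or the user never touched the key
        expected = hmac.new(self._creds[cred_id], auth_data + sha256(client_data), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return False
        self._pending.discard(cd["challenge"])  # each challenge is accepted once
        return True


def demo() -> Dict[str, bool]:
    """A genuine sign-in succeeds; a look-alike domain and a replayed assertion do not."""
    key, rp = SecurityKey(), RelyingParty("example.com", "https://example.com")
    cred_id = rp.register(key)
    genuine = browser_sign_in(key, "https://example.com", rp.challenge(), cred_id)
    results = {"genuine": rp.verify(cred_id, genuine)}
    # Look-alike domain relaying a real challenge: the browser derives rp_id "examp1e.com",
    # the key holds no credential for it, and the user has nothing to hand over.
    results["lookalike"] = rp.verify(cred_id, browser_sign_in(key, "https://examp1e.com", rp.challenge(), cred_id))
    # Replaying the genuine assertion: its challenge was consumed on first use.
    results["replay"] = rp.verify(cred_id, genuine)
    return results
```

Compare this with the TOTP case: a 6-digit code carries nothing that says which site it was typed into, so a fake page can forward it; the key's response carries the origin and RP ID inside the signed data, so the same trick yields either no response or one the real service rejects.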
Setting Up TOTP
Step 1: Choose an Authenticator App
Recommended apps:
- Aegis (Android): Open source, free
- Raivo OTP (iOS): Open source, free
- Bitwarden: Built into password manager
- Authy: Convenient, multi-device
Step 2: Enable 2FA on Account
- Go to account settings
- Find “Security” or “Two-Factor Authentication”
- Select “Authenticator App” or “TOTP”
- Scan QR code with your app
- Enter verification code
- Save backup codes
Step 3: Test It
- Log out of account
- Log back in with password
- Enter code from authenticator app
- Verify it works
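What the app and the service are each doing in the TOTP section above, and what the QR code scanned in Step 2 actually contains, as an added example that is not code from the original article or from any of the apps it recommends: a standard-library Python implementation of TOTP (RFC 6238, built on HOTP from RFC 4226) covering both sides, the app's code generation and the server's verification with a small clock-skew window. Function names and the issuer/account strings are my own choices; the secret used for checking is the published RFC test key.

```python
"""TOTP as an authenticator app and a server both implement it (added example)."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote

STEP_SECONDS = 30  # the 30-second code lifetime described in the article
DIGITS = 6


def new_secret(num_bytes: int = 20) -> str:
    """Random shared secret, Base32-encoded as it appears inside the enrollment QR code."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode().rstrip("=")


def otpauth_uri(secret_b32: str, issuer: str, account: str) -> str:
    """The text the QR code carries (the otpauth Key URI format authenticator apps scan)."""
    label = quote(f"{issuer}:{account}", safe=":@")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


def hotp(secret_b32: str, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    pad = "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(secret_b32 + pad, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret_b32: str, at: Optional[float] = None) -> str:
    """The code the app displays: HOTP with the counter set to the current 30 s window."""
    t = time.time() if at is None else at
    return hotp(secret_b32, int(t // STEP_SECONDS))


def verify_totp(secret_b32: str, submitted: str, at: Optional[float] = None, window: int = 1) -> bool:
    """Server-side check: accept the current window plus `window` neighbours on each side
    to tolerate clock drift, and compare in constant time. A code older than that has expired."""
    t = time.time() if at is None else at
    counter = int(t // STEP_SECONDS)
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret_b32, c), submitted):
            return True
    return False
```

Two points the code makes concrete: the QR code is the shared secret itself, which is why the article says never to share it, and a code's only binding is to time, not to the site you type it into, which is the gap a fake login page exploits.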
Setting Up Push Notifications
Step 1: Install App
- Download service’s mobile app
- Log in to your account
- Enable push notifications
Step 2: Enable 2FA
- Go to account settings
- Enable “Push Notifications” or “App-based 2FA”
- Approve from your phone
- Test by logging out and back in
Setting Up Security Keys
Step 1: Buy a Security Key
Recommended keys:
- YubiKey 5: Most compatible, $50+
- SoloKey: Open source, $25+
- NitroKey: Privacy-focused, $30+
Step 2: Register Key
- Go to account settings
- Find “Security Keys” or “Hardware Security Keys”
- Click “Add Security Key”
- Plug in or tap your key
- Follow on-screen instructions
- Register backup key (recommended)
Step 3: Test It
- Log out
- Log back in
- When prompted, plug in or tap key
- Verify authentication works
Comparison Table
| Method | Security | Convenience | Cost | Phishing Resistance |
|---|---|---|---|---|
| TOTP | ⭐⭐⭐⭐ | ⭐⭐⭐ | Free | ⭐⭐⭐ |
| Push | ⭐⭐⭐ | ⭐⭐⭐⭐⭐ | Free | ⭐⭐ |
| Security Keys | ⭐⭐⭐⭐⭐ | ⭐⭐⭐⭐ | $25-50 | ⭐⭐⭐⭐⭐ |
Best Practices
For TOTP:
- Use open source apps (Aegis, Raivo)
- Back up codes securely
- Don’t share QR codes
- Use separate app from password manager (optional)
- Keep app updated
For Push:
- Only approve from trusted devices
- Review notifications carefully
- Don’t approve suspicious requests
- Keep phone secure
- Use for low-risk accounts
For Security Keys:
- Buy from reputable manufacturers
- Register backup keys
- Store keys securely
- Test regularly
- Use for high-risk accounts
Which Method Should You Use?
For Most Accounts (TOTP Recommended):
- Email accounts
- Social media
- Banking (if supported)
- Cloud storage
- General online accounts
For High-Security Accounts (Security Keys):
- Email (primary account)
- Banking
- Cryptocurrency
- Work accounts
- Administrative accounts
For Convenience (Push):
- Low-risk accounts
- Services you use frequently
- Accounts with limited sensitive data
Common Mistakes
- Not backing up codes: Lose access if phone is lost
- Using SMS 2FA: Less secure, avoid if possible
- Sharing QR codes: Compromises security
- Not testing: May not work when needed
- Using same app for everything: Single point of failure
Recovery Options
Backup Codes
- Save securely (password manager, encrypted storage)
- Don’t store in same place as password
- Generate new codes if compromised
- Test recovery process
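The backup-code advice above has a server side that explains it: a service should keep only salted hashes of the codes, accept each code once, and replace the whole set when a new one is generated. The following added example (hypothetical code, not any particular service's implementation; the class name, code format of two five-character groups, and set size of ten are my choices) models that, so that "generate new codes if compromised" and "lose access if phone is lost" both follow from how the codes are handled.

```python
"""Single-use backup codes, issued and redeemed as a service should (added example)."""
import hashlib
import hmac
import secrets
from typing import List, Set

CODE_HEX_BYTES = 5   # 40 random bits per code, shown as xxxxx-xxxxx
CODE_COUNT = 10


def _normalise(code: str) -> str:
    """Tolerate the dashes, spaces and capitals a user types from a printout."""
    return code.replace("-", "").replace(" ", "").lower()


class BackupCodes:
    """Store for one user's backup codes. Only salted PBKDF2 hashes are kept, every
    code is redeemable exactly once, and issuing a new set revokes the old one."""
    ITERATIONS = 50_000  # codes are short, so slow the hash down for an offline attacker

    def __init__(self) -> None:
        self._salt = secrets.token_bytes(16)
        self._digests: Set[bytes] = set()

    def _digest(self, code: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", _normalise(code).encode(), self._salt, self.ITERATIONS)

    def issue(self) -> List[str]:
        """Generate a fresh set. Shown to the user once and never stored in the clear;
        any previously issued codes stop working, which is the 'if compromised' path."""
        self._salt = secrets.token_bytes(16)
        codes = []
        for _ in range(CODE_COUNT):
            raw = secrets.token_hex(CODE_HEX_BYTES)
            codes.append(f"{raw[:5]}-{raw[5:]}")
        self._digests = {self._digest(c) for c in codes}
        return codes

    def redeem(self, submitted: str) -> bool:
        """Accept a code once; one salt per user means one hash per attempt, not one per code."""
        d = self._digest(submitted)
        for stored in self._digests:
            if hmac.compare_digest(stored, d):
                self._digests.discard(stored)  # single use
                return True
        return False

    def remaining(self) -> int:
        return len(self._digests)
```

Because the service keeps hashes only, a lost printout cannot be re-read from the service side either; the only remedy is to issue a new set, which is why the article tells you to test the recovery process before you need it.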
Recovery Methods
- Backup codes (best)
- Recovery email (less secure)
- Security questions (weak)
- Account recovery (varies by service)
Services That Support 2FA
TOTP Support:
- Google, Microsoft, Apple
- GitHub, GitLab
- Most banks
- Cloud storage (Dropbox, Google Drive)
- Social media (Twitter, Facebook)
Security Key Support:
- Google, Microsoft
- GitHub, GitLab
- Some banks
- Cloud providers
- Enterprise services
Conclusion
2FA significantly improves account security. For most users, TOTP apps offer the best balance of security and convenience. Security keys provide maximum protection for high-risk accounts. Push notifications are convenient but less secure.
Start with TOTP for most accounts, then add security keys for your most important accounts. Always back up your recovery codes and test your 2FA setup regularly.
Remember: 2FA is essential for account security. Enable it on all important accounts, starting with email, banking, and cloud storage.