An increasing number of websites require or encourage users to enable two-factor authentication (2FA) or two-step verification. After entering username and password, this system generally provides a temporary 6-digit number that enables the user to complete their login.
Enabling this feature increases the security of the user’s account because, after entering a password (the first factor), a hacker would need access to the device or app associated with the second factor.
Many such sites still send their verification codes via text message (SMS), which itself can be spoofed, so I recommend using an authenticator app to generate the code instead. However, since not all sites support app-based 2FA, it’s worth learning how to efficiently enter the code sent.
Authenticator App
Passkeys are just starting to come into use on websites. These entirely replace passwords and use biometrics (finger, face, etc.) to authenticate instead. The next best alternative, still not even that widespread, is to use an authenticator app to generate a one-time password (OTP).
Google, Microsoft, and some others provide authenticator apps that generate OTPs and their functionality can be integrated in password managers like 1Password. This leads to a choice between security and convenience: To provide an OTP, do you use a second application (security) or your existing password manager (convenience). The decision is up to you.
When possible, I prefer to use my password manager, 1Password. Since I use 1Password to log into a website, it can usually fill in the generated OTP on the next screen. And when it fails, I use 1Password’s Quick Access (Shift+Command+Space) to look up the login and copy the OTP (Command+Option+C), which I can usually paste in the provided field.
To set up 1Password for 2FA with a website, review Use 2FA With 1Password and Up Your Security.
Device Shows Code on Keyboard
If you use Safari to sign into a website that sends a verification code by text message, your device can usually pull the verification code from your Messages and make it available at your fingertips. No need to manually type the code; just tap it right there on the keyboard.
Apple has developed a fancy way to accomplish this, which also works with many iPhone and iPad apps. However, for this to work on iPad or Mac, you must have Text Message Forwarding enabled for each device.
Bonus: As of iOS 17, iPadOS 17, and macOS 14, your device can also pull verification codes from email. Plus, if you wish, the email or text message containing the code can be automatically deleted after use. You can toggle your preference in Settings > Passwords > Password Options > Delete After Use.
Open Message for Code
If you don’t use Safari to sign into a website that sends a verification code by text message, or the code arrives by email, you probably have to reference it manually.
If you see the text or email message notification appear on your device, you may be able to read and remember the code in the short time it’s visible. If that’s unlikely, tap the notification to jump directly to the message.
After you copy or memorize the code, use the application switcher to switch back to the browser/app and enter/paste the code. If you read your email in the same web browser, consider using keyboard shortcuts to switch between windows (Command+`) or tabs (Shift+Command+[ or Shift+Command+]) for an efficient experience.
Bonus: You might notice that I have verification codes from several providers in a single message thread above. If you receive codes repeatedly from various providers, I recommend adding all senders’ numbers to a single contact. Mine is called 2FA, so all messages are aggregated in this unified conversation, keeping my list clean.
Remember: These verification codes are temporary. Authenticator apps refresh their one-time passwords every 30 seconds. Those sent by email or text message often expire after 5–15 minutes.
Therefore, there’s no reason to save a code after you’ve used it. You can safely delete a message containing a verification code. (Don’t share it with anyone else either, especially most customer support reps or people purporting to be them.)
Reply or comment on this