Hopefully by now you’ve heeded the repeated warnings from your friends and loved ones (and friendly, beloved internet writers) to use two-factor authentication to secure your digital accounts. That’s where access to Facebook or Twitter or your online bank—anything that supports it, really—requires not just a password but also a special code. Not all two-factor is created equal, however. For better protection, you’re going to want an authenticator app.

Yes, the easiest way to implement two-factor is with SMS, receiving a text with an access code every time you try to log into a secured account. While certainly better than nothing, getting your 2FA from SMS has plenty of potential downside. Specifically, it leaves you exposed if someone hijacks your smartphone’s SIM, a longtime problem that has only gotten worse of late. By stealing your phone number, hackers can redirect any two-factor notifications to their own devices, allowing them much easier entry to your accounts.

“Unfortunately, it isn’t that hard for thieves to impersonate you to your mobile phone carrier and hijack your mobile phone number—either with a phone call to customer support or walking into a phone store,” says Lorrie Cranor, a computer scientist at Carnegie Mellon University and former FTC technologist who had her own SIM stolen in 2016. Authenticator apps are not vulnerable to this problem, and thus are a more secure way to do two-factor verification.

Instagram, in particular, has seen a surge of troubling SIM attacks, largely because it only supports text-based two-factor for now. The company confirmed that it’s working on the obvious solution: Letting you use an authenticator app instead.

“Authenticator apps are not vulnerable to this problem” of SIM hijacking, says Cranor. “They’re a more secure way to do two-factor verification.”

The good news? Most of the sensitive accounts you use today already offer stronger 2FA. And there’s no shortage of third-party authenticator apps that’ll enable it for you. Here’s how to get set up, and make your sign-ins that much more stress-free.

The Basics

The most popular authenticator apps are Google Authenticator and Authy, but password managers 1Password and LastPass offer the service as well, if that helps you streamline. If you're heavy into Microsoft's ecosystem, you might want Microsoft Authenticator. While they all differ somewhat in features, the core functionality is the same no matter which one you use.

Rather than send you an SMS, each of these apps shows you a randomly generated six-digit code that refreshes roughly every 30 seconds, and stays constantly synced with whichever service you’re trying to log into. The benefits of tying those codes to a physical device, rather than your phone number, extend beyond security; apps like Google Authenticator generally continue to work even without an internet or cell connection. If 2FA has ever locked you out of Facebook on a flight, here’s some relief.
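
Why the app and the service agree on a code with no connection between them, as an added example that is not part of the original article: apps such as Google Authenticator implement TOTP (RFC 6238), which computes each code from a secret shared once at setup plus the current 30-second time step. The names `totp` and `verify` and the one-step drift window are assumptions made for illustration; the secret is the RFC's published test value, not a real account key.

```python
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds per time step, matching the refresh interval described above
DIGITS = 6   # length of the displayed code

# RFC 6238 test secret (sample value, not a real key). In practice this is
# the value carried by the QR code scanned during setup.
SECRET = b"12345678901234567890"


def totp(secret: bytes, at: float, step: int = STEP, digits: int = DIGITS) -> str:
    """Compute the code for the time step containing Unix time `at`."""
    counter = int(at) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    # Dynamic truncation (RFC 4226): low nibble of the last byte picks 4 bytes.
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, submitted: str, at: float, window: int = 1) -> bool:
    """Server-side check: accept the current step plus `window` steps either
    side to tolerate clock drift (window size is an assumption here)."""
    for drift in range(-window, window + 1):
        t = at + drift * STEP
        if t < 0:
            continue
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(totp(secret, t), submitted):
            return True
    return False


if __name__ == "__main__":
    now = time.time()
    code = totp(SECRET, now)           # what the phone displays, offline
    print("code now:", code)
    print("server accepts:", verify(SECRET, code, now))
    print("accepted 5 minutes later:", verify(SECRET, code, now + 300))
```

Because the only inputs are the stored secret and the clock, a hijacked phone number gives an attacker nothing to intercept; the secret itself is what has to be protected and backed up.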

Most services you would want to secure offer this type of token-based 2FA; Instagram is more of the exception than the rule at this point. You can see a comprehensive list for yourself here. As for which app to use, Google Authenticator offers a barebones experience backed by a company with a sterling security record, while Authy offers more features, like being able to pull codes from not just your smartphone but your desktop or tablet. It also lets you back up your codes to the cloud, enabling a seamless migration when you inevitably upgrade your smartphone. With Google Authenticator, when you switch your main device, you have to sync your accounts over again.

For that reason, we’ll use Authy for a quick walkthrough of how to actually use a more secure 2FA app. The steps are basically the same on Google Authenticator, but it covers a little more ground.

Lock It Down

Step one: Download the app. See? This is easy. No sweat.