Setting up two-step verification (2FA) from your mobile device is one of the best decisions you can make to protect your online accounts and your mobile. These days, stealing a password is relatively easy: data breaches, malware, phishing… That's why adding a second layer of security makes a huge difference.
Throughout this guide you will learn, step by step, how to use your mobile phone as your 2FA control center. In services as important as Google, Microsoft, or PayPal, you can leverage authenticator applications (such as Aegis, Google Authenticator, or Microsoft Authenticator) and virtual security keys. We'll cover advanced tricks, what to do if you lose your password, and how to avoid being locked out of your own accounts.
What is two-step verification (2FA) and why use mobile?
Two-step verification, also called two-factor authentication, adds an extra requirement to the login process, in addition to your password. This is usually based on one of these factors: something you know (your password), something you have (a mobile phone, a security key), or something you are (biometrics).
In practice, when you activate 2FA, after entering your password you will have to enter a temporary code or confirm a notice that arrives on your device. Even if someone finds out your password, if they don't have your second factor they won't be able to access your account.
The mobile phone is perfect for this because we always have it with us and it allows us to centralize the verification code management with authenticator apps. Furthermore, these apps work offline, generating time-based codes (TOTP), which makes them very secure and fast.
Common 2FA methods: phone, security keys, and apps
Online services typically offer several ways to activate two-step verification. The most common are:
- Codes via SMS or call: they send a 6-digit code to your phone number.
- Authenticator applications: apps that generate one-time codes on your mobile phone.
- Physical security keys: USB/NFC devices that connect to the computer or mobile phone.
- Push notifications: notifications in the official app to approve or deny login.
The problem is that, in some cases, as happens with Google, to configure certain more secure methods you are first required to associate a phone number or a security key. Many people prefer not to give out their number for privacy reasons, and besides, SIM cards can be vulnerable to cloning or social engineering attacks.
On the other hand, physical security keys (such as U2F, FIDO2, etc.) are very secure, but few people use them because they involve an additional cost and somewhat more technical management. This is where a very interesting intermediate option comes into play: using the WebAuthn function of modern browsers to emulate a security key from the desktop browser itself and then transfer that 2FA to an authenticator app on your mobile.
Use WebAuthn in your browser to create a virtual security key in Google.
Google prioritizes security highly, and to activate some 2FA methods it will usually ask you for a phone or a security key. If you don't want to rely on a phone number and don't have a physical key, you can use your computer's WebAuthn feature to create a virtual security key that will serve as a bridge to activate the authenticator app on your mobile.
Chromium-based browsers (Chrome, Edge, Brave, etc.) and the latest versions of Firefox include support for Web Authentication (WebAuthn). This feature allows you to simulate, in a controlled environment, the behavior of a U2F or FIDO2 key without the need for additional hardware.
From the browser's developer tools you can activate a "virtual authenticator", configure it with the appropriate protocol, and use it temporarily so Google recognizes it as a real key. Afterward, you can switch to using an authenticator app on your mobile device (such as Aegis) and finally disable the virtual key and WebAuthn in your browser to reduce risks.
Configure a virtual security key with WebAuthn on your PC
To use your desktop browser as if it were a temporary security key, you first need to access the advanced options designed for developers. The specific process may vary slightly between browsers, but the general logic is similar.
Open your browser (Chrome, another modern Chromium or recent Firefox) and access the developer tools. This is usually done from the More Tools menu, or with keyboard shortcuts like F12 or Ctrl+Shift+I. Within these tools, you need to locate the section related to WebAuthn or web authentication.
Upon entering that WebAuthn panel, you will find an option to enable a virtual authenticator environment. Check that box to activate security device simulation. Next, you'll have the option to create a "new authenticator": this is where you define the virtual key that Google will detect as 2FA.
When creating the new authenticator, pay attention to the protocol. To ensure Google recognizes it without problems, make sure you select U2F (Universal 2nd Factor) as the primary protocol. Once configured, activate the new authenticator from the same WebAuthn panel, so that it is ready to respond to registration and login requests from the Google website.
It is important that you don't close the developer tools while performing this process: if you close the console, the virtual authenticator may stop working and Google will not correctly detect it as an available key.
Activate two-step verification on Google using the virtual key
With the virtual authenticator enabled in your desktop browser, the next step is to get Google to accept the virtual key as a two-step verification method. Then you can add an authenticator app on your mobile device from there.
From that same browser, log in to your Google account. Then go to the security section, specifically the section dedicated to two-step verification or two-factor authentication. Start the 2FA setup wizard and, when asked which method you want to use, choose the "security key" option.
Thanks to the WebAuthn environment you've enabled in the developer console, Google will detect your new virtual authenticator as if it were a physical security key connected to the computer. Complete the registration process by following the on-screen instructions: the browser will simulate the cryptographic operations necessary to register the key.
Once this is done, your Google account's 2FA settings will show the security key as the default verification method. At that point, within the security panel, you will also see that you are offered other additional second verification options, including the well-known "Google Authenticator app" and application-based code alternatives.
Choose an authenticator app on your mobile device: Google Authenticator, Microsoft Authenticator, Aegis, and more
Even though Google offers you its own app directly, you are not obligated to use Google Authenticator. Any app that works with the TOTP (Time-based One-Time Password) standard and scans QR configuration codes will work perfectly.
One very interesting option is Aegis, an open-source authenticator app for Android. Its main advantage is that it does not need to connect to the internet to generate the codes; it stores the keys encrypted with a password and allows you to make encrypted local backups, giving you a lot of control and privacy.
You can also use other widely used apps such as Microsoft Authenticator, Authy, Bitwarden Authenticator, or Google Authenticator itself. The important thing is that the application is compatible with TOTP codes and allows you to add accounts by scanning a QR code or manually entering a secret key.
The authenticator app will thus become the central piece of your 2FA strategy: from your mobile you will be able to see and use the codes necessary to securely access Google, Microsoft, PayPal, and many other services that support two-step authentication.
Link your Google account to Aegis or another authenticator app

With the virtual security key already set up in Google, it's time to activate the authenticator app option and link it to your mobile phone. First, install and open Aegis (or another authenticator app of your choice) on your phone.
Return to the PC browser where you have your Google account security settings open and locate the option to set up an Authenticator app. Selecting it will generate a configuration QR code, which contains the secret key needed for your app to generate temporary codes.
On your mobile device, within Aegis, tap the "+" icon to add a new account. Select the option to scan a QR code and point your camera at the pattern displayed on your PC screen. The app will read the information and add your Google account as a new entry in the list.
Once scanned, Aegis will begin generating 6-digit verification codes which are automatically renewed every few seconds. In your browser, click the button to continue the setup and, when prompted, enter one of the active codes that Aegis displays to confirm that everything is working correctly.
After validating the code, Google will register your authenticator app as a second valid factor to log in. From that moment on, you can use the app on your mobile phone instead of relying on SMS or calls and, if you wish, deactivate methods that you are not interested in, such as the phone number.
Disable virtual key and WebAuthn in your browser for security reasons
Using the browser as an emulated security key is very practical for transitioning to an authenticator app, but it's not a secure long-term solution. A browser can be compromised by malware, malicious extensions, or scripts injected into web pages; enabling the advanced protection mode helps mitigate risks.
Therefore, once your Google account is correctly linked with Aegis or another authenticator app on your mobile, it's recommended to remove the virtual key. From your Google account security settings, go to the two-step verification section and locate the security key you created with WebAuthn. Delete or deactivate it so that it no longer appears as a valid method.
Similarly, return to your browser's developer tools and disable WebAuthn or the virtual authenticator environment you previously activated. This way, you close the door to potential abuse of that functionality if malicious code were to run in your browser in the future.
Finally, make sure to set the Authenticator application as the primary 2FA method within your Google settings. This ensures that the system always prioritizes the use of your mobile app's codes and won't attempt to use the virtual key or phone-based methods you no longer wish to maintain.
Remove phone number from Google account
One of the goals of this strategy is to depend as little as possible on your phone number for authentication, both for privacy and security. Once you've verified that you can log in with your password and the codes generated by Aegis (or another app) without problems, you can consider removing the phone associated with 2FA.
Go back to the security section of your Google account and review the list of available verification methods. If your phone number is being used as an authentication factor, disable or remove it, provided you have at least your authenticator app fully operational and, if possible, saved backup codes.
If you are setting up a new account, you can avoid having your phone number permanently required from the start, provided you follow these activation steps using the virtual key and the authenticator app. In any case, before deleting the number or security key, check that you are able to log in using only the mobile app and that you have an alternative way to regain access if any problems arise.
Two-step verification on Microsoft accounts
Microsoft accounts also support two-step verification. This can be done with authenticator apps and other methods. Activating it strengthens access to services like Outlook, OneDrive, Microsoft 365, and signing in to Windows devices with your Microsoft account.
If you have 2FA enabled and at some point forget your password, Microsoft offers a recovery process provided it can verify your identity with at least two different contact methods. These contacts are usually recovery phone numbers or alternate email addresses that you set up when you activated two-step verification.
Depending on the security information associated with your account, the system may ask you to enter a code generated by the authenticator app and, in addition, another code sent to your alternate email or recovery phone number. The idea is that the attacker would need simultaneous access to multiple channels to bypass the process.
To reset your password, you must follow the usual steps in the "Reset your Microsoft account password" section of the official support page. Unlike a recovery flow without 2FA, here instead of receiving a single security code, Microsoft can send you two verification codes which you will need to provide to prove that you are indeed the account holder.
Manage alternate phone numbers and email addresses in Microsoft
In addition to the authenticator app on your mobile phone, Microsoft uses what it calls “security information”: phone numbers, alternative email addresses and other data used to confirm your identity or send you codes when necessary.
If you would like to change, delete or update the phone number where you receive security codes, or modify an outdated alternate email address, you must go to the security section of your account, where you will find the "Security Information and Verification Codes" section. From there you can update each item, add new data or completely replace the recovery information using the "Replace your Microsoft account security information" option.
It's important to keep that information up to date, especially if you're relying on your mobile as the primary 2FA device. Keep in mind that even if you use an authenticator app, Microsoft may in some cases require an additional code sent via SMS or an alternative email address, so it's best to ensure these channels are secure and under your control.
Two-step verification on PayPal from your browser
In the case of PayPal, two-factor authentication (also called two-step verification) is key to protecting an account that, after all, is linked to money transactions. Activating 2FA on PayPal adds an extra layer of security when logging in and greatly reduces the risk of fraudulent use of your balance or linked cards.
There's one important detail: the process for setting up two-step verification on PayPal can only be done from a web browser, not from the official mobile app. Although the goal is to eventually use your mobile phone as an authenticator, you will necessarily have to access it first via a browser (on a PC or on your mobile phone using the browser in desktop mode).
When you log into your account via the web, you will see a Settings icon (usually next to "Log out"). Click there, then go to the Security Center section, which will appear at the top or within a security menu. In that panel, look for the specific "Two-Step Verification" section. On the right, you should see a button or option that says "Set Up."
By clicking on "Set up", PayPal will allow you to choose how you want to obtain the security codes. If your intention is to control everything from your mobile phone with an authenticator app (like Google's or Microsoft's), select the "Use an authenticator app" option.
Activate 2FA on PayPal with an authenticator app
After selecting the "Use an authenticator app" option, PayPal will guide you through a short setup wizard. It will display a QR code which you will need to scan with your authenticator app, whether it's Google Authenticator, Microsoft Authenticator, or any other app compatible with TOTP.
On your mobile device, open the authenticator app and select the option to add a new account. You'll usually see an option to "Scan QR code" or something similar. Point your phone's camera at the QR code displayed on the PayPal website so the app can import the secret key from that account.
The app will immediately begin generating temporary numeric codes associated with your PayPal account. Then return to the PayPal settings page in your browser and, when prompted, enter one of the codes you see in the app. If the code is correct, the 2FA setup in PayPal will be complete and your mobile will become the verification device.
From that moment on, every time you access your PayPal account from a new device or additional verification is required, the system will ask you for the authenticator app code. This makes it virtually impossible for someone to log in even if they obtain your password, without also having physical access to your phone.
Disable two-step verification on PayPal
It may happen that at some point you want to disable two-step verification in PayPal, for example, if you're going to change your authenticator app, if you've lost your phone and are using alternative methods, or if you temporarily prefer to simplify access (although it's not the most recommended).
To do this, log back into your PayPal account from a web browser and go to Settings again. Within the panel, go to the Security section and look for the line that refers to "Two-Step Verification." On the right, there should be an "Update" option or something similar.
Click on “Update” and, on the next screen, locate the option to "Deactivate" along with your active two-step verification method. When you tap it, PayPal will ask for final confirmation; select the "Deactivate" button to complete the process. From that moment on, your account will no longer ask for additional codes when you log in.
It is crucial to keep in mind one relevant limitation: if you are one of the users who have activated two-step verification via text message and you decide to deactivate it, PayPal indicates that you won't be able to reactivate that same method later. You would have to use other methods, such as an authenticator app, if you want to reactivate any type of 2FA in the future.
Best practices when using your mobile phone as the hub of your 2FA
Centralizing all your two-step authentication on your mobile is very convenient, but it also means you have to take extra care of it. Don't forget that if someone steals your unlocked phone and also knows or gets your password, they could access your accounts.
The first thing is to have a secure locking method on your mobile phone: PIN, complex pattern, fingerprint, or reliable facial recognition. Avoid leaving your device unlocked or with obvious codes. It's also recommended to encrypt your phone's storage and keep it updated, something that is already active by default on most recent mobile phones.
Secondly, protect access to your authenticator app. Some allow you to set an internal password, PIN, or biometric lock independent of the phone's lock screen. Aegis, for example, encrypts keys and requires a master password to open the app, adding an extra layer of protection against prying eyes.
Finally, consider the scenario of losing or having your phone stolen: many platforms, such as Google or Microsoft, offer recovery codes that you can print out or save in a very safe place (preferably offline). Having a set of these codes can save you from being locked out of your accounts if something happens to your phone.
Having two-step verification properly configured, with your mobile phone and authenticator apps as the main hub, gives you a powerful balance between security and convenience. By leveraging techniques like the virtual key with WebAuthn for Google, careful management of security information in Microsoft, and browser-based 2FA activation in PayPal, you can drastically reduce the risk of unauthorized access without overly complicating your daily life.
