How to use two-factor authentication without a phone

Martin Brinkmann
Mar 4, 2023
Updated • Mar 4, 2023

Two-factor authentication is a powerful security feature that improves the security of online accounts significantly when set up. It will be replaced with passkeys eventually, but this is not going to happen overnight.

Two-factor authentication adds a second security layer to the sign-in process. Users receive or generate a code, which they enter on the site or in the app.

Several of the most popular two-factor authentication methods require a mobile device. The code is either received as a text message or generated by an authenticator app, which users need to install and set up on their mobile devices.

While most Internet users do have access to a smartphone for that, there are situations where using a phone may not be an option.

  • The smartphone is not available, e.g., it has been misplaced or was stolen.
  • Regulations may require "more secure" methods.

Using 2FA without a mobile device

There are two main options for using two-factor authentication without a mobile device. Both assume that a computer is used, as two-factor authentication without a mobile device and a computer would make little sense:

  • Installing an authenticator app directly on the desktop computer or notebook.
  • Using a security key.

The selection of authenticator apps for desktop operating systems is limited when compared to the abundance of authenticator apps for mobile devices. Still, there are some that users may install.

There is a selection of authenticator apps available on the Microsoft Store, and several password managers, like Bitwarden, include authenticator support, which may be used as well.

Most solutions target businesses and not individual users, though.

The second option is a security key. These are physical devices that connect to the computer either directly, e.g., via USB, or wirelessly via methods such as NFC or Bluetooth.

Yubico's YubiKey 5 series alone comes in several different flavors, from basic options that are connected to a device using USB to devices that support multiple connection options and work on desktop and mobile devices alike. The company has a short quiz on its website that suggests a product based on a few answers.

Yubico is not the only manufacturer of security key solutions. Google has its Titan Security Keys, which also come in different flavors, and Thetis maintains a range of security key solutions as well.

Security keys for individuals come at a cost, while authenticator apps are free to use. Most security keys offer more options than authenticator apps, as they may support more services and protocols besides creating one-time passwords for services.

Closing Words

Whether a desktop authenticator app or a security key is the right choice depends on individual requirements. It depends on the operating system, the number of devices, and several other factors.

If just a desktop or notebook is used, authenticator apps may be fully sufficient when it comes to two-factor authentication. Security keys are the more sophisticated solution: they may be carried around and support additional protocols and options, including the ability to use them with smartphones.

Now You: authenticator apps or security keys, which do you use and why?

Publisher
Ghacks Technology News

Comments

  1. Rob said on July 25, 2023 at 1:40 am

    Bitwarden does not support TOTP on the free tier (for third-party websites) but you can authenticate to Bitwarden itself with 2FA on the free tier.

    Authy sign up requires a phone number – this is problematic for someone without a phone.

  2. Dave said on March 6, 2023 at 9:46 pm

    Yubico has their own authenticator app. I have two keys on order. 5cNFC primary and spare for the safe. Linux, Mac, Windows, Android, iOS etc.
    The TOTP code is stored on the key. Currently I use the freebie Google Authenticator. Stolen phone, that goes with it. I’m locking down with keys, to the degree possible.

  3. Teezee said on March 5, 2023 at 11:27 am

    Two factors on one device? Totally dumb idea. Just like fixing circuit breaker with wire.

  4. boudeman said on March 5, 2023 at 7:40 am
    Reply

    The EU requires 2FA by law.
    As a user I want to have 2FA as simple as possible. What do I experience? The 6 or so organizations, which require 2FA all use a different method. For most (often elderly) people a disaster.
    The easiest method for the user (not mentioned here) is browser recognition (used by one of my banks) and PC profiling (used by a well-known internet shop).

  5. yanta said on March 5, 2023 at 12:33 am

    Easy, don’t use it at all.
    There are thousands of articles on the net on how easy it is to compromise and bypass. How to get people’s personal details, but I won’t link to them here as that would probably violate the terms.
    Suffice it to say, 2FA is all hype. It has been compromised many times recently and is NOT secure and never will be because big tech wants it that way. It’s not about security. It’s about collecting more personal information.

  6. Marti Martz said on March 4, 2023 at 7:22 pm

    @Martin … you read my mind from a few weeks back. Thanks for having this article.

    Some issues that I can see with hardware passkey keys is the lack of ability to update the firmware (this is similar to TPM if they decided to upgrade that and the system/module is End Of Life’d)… have to love that planned obsolescence before it’s slapped on a lunch box.

    Additionally some sites, like GitHub, require you to have an “idiot phone” THEN you can add a hardware key. This is really inept IMHO… but then they are now owned by Microsoft. ;) Enabling “Big Brother” with your cell metadata.

    The main problem is that all cryptography can be broken in some form given enough time. The planned obsolescence is ripe for this “work-around” technology being ready for the general public even before it’s generally “accepted”.

  7. Someone said on March 4, 2023 at 12:27 pm

    Keepass is good for 2FA. But, some years before, I got messed with an online games hosting service and lost my unique passwords, that I got, and after all I don’t use it anymore. I prefer Google password manager, keepass database, and my memory at least.

  8. ECJ said on March 4, 2023 at 12:11 pm

    Are you sure Microsoft Authenticator is available on the Microsoft Store? I’m not seeing it on Windows 10.

    1. Martin Brinkmann said on March 4, 2023 at 12:51 pm

      You are right. I changed the info, thank you!

  9. ard said on March 4, 2023 at 10:27 am

    I do use Authy both on my phone, on desktop and on notebook. The advantage is that this one app works on all 3 of my device types. Google, I don’t trust so their auth. app is out, MS, well, do I have to say something more?
    Must investigate KeepassXC, (see it above) that I do use, for the 2FA though

  10. guest said on March 4, 2023 at 10:02 am

    Some password managers like KeePassXC offer 2FA support as well.

  11. syno said on March 4, 2023 at 9:54 am

    On Windows 10+, 2fast (Store app) is a pretty good alternative to Microsoft Authenticator.

  12. Andy Prough said on March 4, 2023 at 9:20 am

    On GNU/Linux desktops, you can make your own 2FA authenticator into the terminal emulator (command line), using the “pass” password manager program. Just search on the Odysee video website for ‘luke smith pass two factor’ and you’ll find a video with clear instructions.

    1. Marti Martz said on March 4, 2023 at 7:26 pm

      Thanks @Andy Prough.

      I’ll have to give that a try. Hope it works better than LUKS with storage media.

      1. Marti Martz said on March 12, 2023 at 9:14 am

        And an update. pass works very well all the times I’ve tried it. Thank you again! At least I didn’t have to use a burner phone.

        As far as the security keys go… most of them are WAY overpriced. I’m still very concerned with an attack vector that may break a certain key’s firmware revision and make current in use one obsolete and force everyone to buy new ones _(think TPM 1.2)_.

        The ones that I did investigate don’t actually advertise what the current version is on their web sites that I could find… that’s not good business even if one can’t easily update it _(they have to write them before packaging so it is possible given the right additional hokey pokey dance)_

  13. Anonymous said on March 4, 2023 at 8:53 am

    @Martin. Is Yubico a sponsor or pay cash for comment?

    1. Martin Brinkmann said on March 4, 2023 at 10:07 am

      Neither.
