It’s where you log into a website or app and, once you type in your password, you’re prompted to do something else, like enter a six-digit code or tap a pop-up on your phone. It’s not as if phone accounts are unsecured, but they can be vulnerable to “social engineering,” formerly known as con artistry: A panicked person turns up at the carrier’s store without phone or ID, asking to shut down a “stolen” phone and activate a new one, for instance. If you log into the Google search app on your smartphone, it starts working as your second factor: When you try signing on to Google on a new computer, you’ll get a message on your phone. If you log in on a new device or browser, it will direct you to the code generator inside the Facebook app on your phone. Launch one of the authentication apps just mentioned, scan the code, and that app will provide you with ever-changing codes for your Amazon logins. Text messages by default appear on your locked screen—but with apps, you have to unlock the phone to make the two-factor work.