
Two-factor authentication is the smart way to protect your online accounts using something you know (like a password) and something you have (like a smartphone). Also known as two-step verification, it involves entering a code when logging in on new devices, and provides an excellent level of protection.

With two-factor authentication, even if your password isn’t particularly strong, your account is still relatively safe as you’ll need to authorise any log in attempts. Today we’ll be taking a look at a few of the services you can lock down with better security.

How Does It Work?

We’ve already taken a look at the intricacies of two-factor authentication, and if a service you’re reliant on offers it, you should enable it. With two-factor authentication, every new log in attempt will require you to input a code sent to you – normally via text message to a standard mobile number – before letting you in.

Technically, the only way this method can be defeated is if someone else gets hold of your device, or manages to read the code over your shoulder. These codes only last a few minutes (Google’s last three at best) before you’ll need to make a new one. If you’re used to checking the “remember me on this website” buttons so that you log in automatically, your browsing habits shouldn’t be affected – you’ll only need to log in again once a month or so.

Because of the nature of two-factor authentication, occasionally one-time-use passwords need to be created for software such as email clients, making it easy to revoke access to devices at a later date should you need to do so. Two-factor authentication offers protection even when someone knows your password, though you should still choose strong passwords and always be mindful of social engineering attacks.


Google

Your Google account is your email. It’s quite possibly connected to your Android device or iPhone, syncing your Calendars and Contacts, keeping track of your location history, your Google Now data and your personal information in the form of spreadsheets and other Google docs. You simply can’t afford to lose access to this one.

While logged in, head to your Google account settings, enter your password and you’ll see the page for enabling what Google refers to as “2-step verification” as well as a dashboard for handling application-specific passwords. Google offers codes via SMS or the Google Authenticator app, allows for the adding of backup phone numbers and even downloading of offline codes.

These will allow you to recover your account should you lose access to your smartphone.

Facebook

Facebook is a double-whammy in that accounts are often poorly protected with weak passwords, are often highly in-demand among “hackers” and – judging by the number of questions we get at MakeUseOf Answers – can be notoriously difficult to recover once someone’s broken in. Facebook uses a mess of email, friend verification, and photo identification to help re-connect users with their accounts, but really you could just try not losing access in the first place.

Head to Facebook’s settings and make sure you’ve added and verified a phone number under Mobile Settings. Then click the Security tab on the left and follow the instructions under Login Notifications. You can generate individual app passwords using App Passwords or head to Code Generator to cover offline use.

Apple ID

If you use iOS or OS X, your Apple ID and password are the only thing that keeps your device safe from serious harm. Your Apple ID password is the key to your expensive devices, and using it a thief can remotely wipe your iPhone, read your iCloud mail and even take control of (and erase) your Mac if you have Back to my Mac enabled. If you use iTunes, every app, film or album you have ever purchased is tied to this account, not to mention the payment method used.

You can make changes to your Apple ID at appleid.apple.com where you must first log in then head to the Password and Security tab, which requires answers to security questions you set years ago. Once you’ve surmounted that obstacle you can enable two-step verification at the top of the page. Apple provides you with a “recovery key” which can be used in the event of your smartphone going walkies.

Do not see the two-factor authentication link on your account page? Note that as a basic security measure, Apple does not allow two-step verification setup to proceed if any significant changes have recently been made to your account information. Go to the Apple Support page and read what they have to say under — Why was I asked to wait before setting up two-step verification?

Microsoft

The fourth of the “big four” – Windows 8 was Microsoft’s first real push for a Microsoft account that wasn’t oddly branded as “Windows Live” or “.NET Passport” and provided some tangible benefits to actual PC users. But don’t forget many of us have Skype and Xbox accounts too, and these are now one and the same. Stolen Xbox passwords in particular are highly sought-after, containing whole back-catalogues of online purchases, egos and reputations.

Head to your Microsoft Account dashboard and click Security Info to find an option for setting up two-step verification. Windows Phone users can use Microsoft Authenticator; other devices can just use Google Authenticator.

Social Services

Aside from Zuk’s aforementioned social behemoth, there are a good number of other social services on which to enable two-factor authentication, particularly those that you authorise to post on your behalf. Twitter is one, and you can head to Twitter’s security settings, add and verify your phone number then choose to verify login requests using the number provided on the Security and Privacy tab. You can also opt to verify using the Twitter mobile app.

Buffer had a security incident not long ago, and social managers everywhere collectively squeezed and braced for impact. This could happen on any day of the week, so secure your Buffer account by choosing Enable 2-Step Login from Buffer’s security settings. Popular social manager HootSuite also offers protection, using Google’s Authenticator tool.

Professionally, your reputation may suffer should a troublemaker get hold of your LinkedIn credentials, and the service itself has fallen victim to attacks in the past. Since then the network has introduced better security including two-factor; head to LinkedIn’s settings to enable it via the Account then Manage Security option. Last but not least, Yahoo also offers some protection via account settings.

Gaming Services

Gamers are often targets for hackers, their personal accounts full to the brim of the latest entertainment and their payment info stored neatly ready for the next purchase. Fortunately content distributors have gotten wise to the threats faced by customers and now offer better security. Steam now famously offers two-factor authentication by default; you can read all about it here.

Battle.net accounts are also highly sought-after and you can keep crooks out of your World of Warcraft by using either the Battle.net Authenticator or mobile authenticator. Even EA added the protection to Origin’s Security settings, accessed via the Login Verification option. And if you don’t want to find yourself making the biggest pledge next time round, even the Humble Bundle supports two-step protection. If you’re an Xbox gamer, don’t forget to secure your Microsoft Account (instructions for which can be found above).

Online Storage & More

Files in your online cloud storage probably shouldn’t contain too much personal information, but protecting them against all new login attempts is a great idea anyway. Dropbox was one of the earliest services to support two-factor authentication; enable it from Account sign in under Dropbox settings. Box also offers similar levels of protection; head to Box account settings to enable it.

The thought of someone getting into my Evernote account fills me with dread, and it should be the same for you too. Enable two-step protection by logging in and changing your Evernote security settings. Two-step verification via a mobile device (SMS) requires premium, but you can still use Google Authenticator on iOS, Android or Blackberry for free.

If your favourite services aren’t yet supporting two-factor authentication, you might want to let the developers know that there is a demand for it. Personal information breaches can be as costly as leaked credit card credentials, so it pays to take no chances in the world of online security. If the option is there – use it.

Evan Hahn is one blogger who has taken it upon himself to maintain a list of services that support two-factor authentication, and you should check out his list if you’re looking for particularly security-conscious services. You can recommend other services in the comments, below.

  1. alex keaton
    September 18, 2015 at 1:17 pm

    Don't delete the app, otherwise they will have to recover it and it could take up to 3-5 business days

  2. Bruce E
    May 17, 2015 at 4:17 am

    There is a list at https://twofactorauth.org/ where you can see 2FA implementation status of various sites as well as what forms of 2FA they allow. Some are listed as in progress and others have a button to mention them in a tweet showing your support for the site to implement 2FA.

    You might be surprised by some of the sites that still don't have a 2-factor implementation.

  3. ShorePatrol
    March 27, 2014 at 7:44 pm

    I have never felt safer with my tin cans and string they work even better during a lightning storm. Hack that B***H. Oh the irony!

  4. Douglas M
    March 11, 2014 at 7:12 am

    I have never felt so secured since this service has been implemented.
    Thank you for sharing this with more topic! I really enjoyed reading.

  5. Nick
    March 10, 2014 at 5:53 pm

    Two-factor authentication is good in theory, however if you happen to reside in, or are doing business in a developing country, then in many cases it is unavailable. Google's 2-factor authentication, for example, requires a phone that it can send an SMS to your mobile phone. If your country isn't on the list of countries Google will send text messages to, then you're out of luck.

    And if you set up 2-factor authentication in one of the countries Google does send texts to, and then travel to another country where this service is not available, you may not be able to get in to your account.

    • Niraj Y
      March 10, 2014 at 9:29 pm

      Wrong. Their two factor authentication does not *rely* on mobile - that is merely one way you can *implement* it. You can also use the code generator app for Android devices, and other implementations of a code generator, such as the TOTP plugin for KeePass on your computer as well.

      In addition, though they do not like you doing it, you can always use a Google Voice number, and SMS is free via Google Voice.

      So, that knocks out Google. I have 2 Google accounts and 4 Google Apps (for your Domain) accounts, each of which has between 3-6 users in the accounts, with all using TFA, and not a single one is using SMS.

    • Nick
      March 11, 2014 at 3:35 am

      Sorry Niraj,
      Google Voice is only available in the USA, and requires a US mobile number. From the Voice sign-up page:
      "Please note that Google Voice is only available in the U.S.
      You will be required to verify an existing U.S. phone number to get a Google Voice number."

      I don't have an Android phone, and I don't use Keepass... so my point stands.

    • Tim B
      March 12, 2014 at 10:44 pm

      Hi Nick,

      It's unfortunate that Google doesn't support more countries, and it's unfortunate that Google Voice isn't available outside of the US. However, I have used the SMS method (and continue to do so) when travelling in the past, and found that the codes still managed to arrive in a timely fashion. Most recently I was in South Africa, and managed to login using a 2FA code sent to my Australian phone number. I could then add my temporary South African number (I'd always recommend this step while travelling) as a backup phone.

      I'm not sure why SMS wouldn't work in most countries, particularly as my Google codes often seem to originate from US numbers.

      Lastly there's always Google Authenticator for iPhone, Android and Blackberry and a bunch of third party ones too. WindowsPhone also has a few auth apps. These don't require SMS or phone numbers be set up, but not every service supports them. For really important accounts (like email) you should always travel with a print-out of any backup codes you might need.

      Tim

  6. Bud
    March 10, 2014 at 4:42 pm

    Get a mobile ? If I needed a mobile, I'd have been born with one attached to me ear!!!

    That's the problem with those damned devices, chat with someone and the rudeness begins as those with mobiles THINK their mobile/cell phone call is more important than you!

    For emergencies? Yeh ! All else? NO, as we've seriously lost the art of personal interactions, and we did just fine before the advent of these pieces of interferences.

    Now it's the plethora of "selfies!"

    • Tim B
      March 12, 2014 at 10:36 pm

      Ok Bud, but you're the one complaining about how bad mobile phones are for society on an article that champions them as being the most secure way of locking down your most vulnerable online accounts.

      Just a thought.

  7. prasad
    March 10, 2014 at 4:26 pm

    I lost my mobile and now I am not able to unlock my wordpress account

    • Tim B
      March 12, 2014 at 10:15 pm

      You should have backup codes for a situation such as this, or at the least a means of verifying your other details. Is it a premium WordPress.com account? They should really be falling over themselves to help you if so...

  8. righteous indignation
    March 10, 2014 at 4:10 pm

    Funny how everybody misses the point here. This type of security opens up another hole in your security, as in you are even less anonymous online than you were before. Now they have your phone number to go with all of the other data on you they have collected. Wise up people! Quit being sheeple!!

    • Niraj Y
      March 10, 2014 at 9:13 pm

      Not all TFA systems rely on any sort of a phone number.

      Secondly, those that do, such as the ones all listed here, I used with a Google Voice number - so yeah, they have my Google Voice number, not my actual numbers.

      Instead of calling other people sheeple, maybe you should do a bit more research instead.

    • Niraj Y
      March 10, 2014 at 9:15 pm

      Facebook also allows you to use third party apps instead of relying only on SMS or their inbuilt code generator. I'm using 2 FB accounts, and with both I am using the Google Code Generator app for Android *AND* also using the TOTP plugin for KeePass on my computer.

    • Tim B
      March 12, 2014 at 10:33 pm

      As Niraj has pointed out, you don't need to use your own personal number – but why wouldn't I? It's my personal Gmail account, with my name splashed all over it, connected to my Google+ and also linked to Google Authorship which means my actual ugly face shows up next to articles in search results.

      And they... have my phone number?

      I guess the point I'm making here is if you need to really remain anonymous online but want the benefits of two-factor auth then maybe a Google account isn't for you. And if it is, Niraj's advice is spot-on.

    • Tim B
      March 12, 2014 at 10:34 pm

      Oh and lastly, not all of the above require a phone number. At least Twitter allows you to verify using their mobile app, and Google does support landline/voice calling for non-SMS-friendly devices.

  9. rflulling
    March 8, 2014 at 2:17 pm

    great for signing up with mobile devices, but this is nothing and a hacker would ignore this mess altogether by passing the user accounts and going directly to the root, or gaining access to an admin account. This stuff helps us to feel safer, but even encrypted data is no longer secure.

    • pceasies
      March 8, 2014 at 6:05 pm

      Unless you get keylogged. Two factor authentication helps confirm identity since typically only the real person is in control of the device generating the codes. If a hacker steals your password through a keylogger, a few seconds later the 2 factor code also stolen will be worthless and they still won't be able to get in. For a reasonably secure service (Google, Facebook, Twitter), having 2-factor enabled will keep your account secure. Read the recent articles about how the @N Twitter username was stolen. Two-factor could have helped in that case.

    • Tim B
      March 8, 2014 at 10:33 pm

      Sorry but what you just wrote doesn't make any sense. Two factor auth is virtually bullet proof, it's physically impossible for someone to access your account unless they are in possession of the mobile device the codes are sent to.

      No manner of "hackers" or admin access will circumvent this. It's infallible without both pieces of information – the password and the temporary code.

    • rflulling
      March 10, 2014 at 9:32 am

      Tim, if an admin has no access to the accounts they oversee, then no one can help you no matter how much you beg, or offer to pay when you have troubles, though they can likely erase the whole thing with the stroke of one key.

      I use a two factor service with a game, it has its own stand alone generator. I know it makes it very hard to access directly from the outside. But if you somehow find your way past the clam shell it's all soft meat on the inside. Just ask the Starfish.

      By the way, two factor has been broken long before it was fashionable to be used as a social media accessory for your cell phone.

      The only way to Truly securely access a service is to NOT use the INTERNET to do it. The only way to ensure a device is never hacked is to ensure that it is 100% standalone. Your phone, is a revolving door. Feed it some malware and we can make it stand up and do tricks for the puppet master.

  10. Jorge Bascur
    March 8, 2014 at 10:21 am

    Steam also offers 2-Factor authentication, called Steam Guard. It sends a code to the registered email of your account, and then you enter it on the Steam apps (desktop or mobile) or the Website. Just so you know.

    • Tim B
      March 8, 2014 at 10:34 pm

      I came across it while writing the article but didn't really mention it because it's actually not optional – it's enabled by default on all Steam accounts.

      But thanks for the mention!

  11. Colin
    March 8, 2014 at 2:34 am

    What about the people who don't have mobile devices, only landlines?

    • Tim B
      March 8, 2014 at 10:38 pm

      Certain services – Apple and Twitter, notably – allow for verification using a device itself or an app (in this case the Twitter app) which would only require an Internet connection, rather than a cellular one.

      It's probably worth noting that I don't actually know anyone without a mobile phone. This is a security system designed to use two parts – a part you know, and a part you possess. I'd say to those without a mobile: get a mobile. It's a very small price to pay for such a dependable security measure.

    • Pam R
      March 10, 2014 at 2:28 pm

      And what about couples who only have one mobile phone? I can't use 2 factor ID because I don't always have access to the phone. And the snarky comment that Tim B doesn't know anyone without a mobile phone, he needs to get out more.

    • RonW
      March 10, 2014 at 5:25 pm

      Google's service has the option to give you the access code via a phone call or you can use a code from the offline list

    • Godel
      March 11, 2014 at 12:35 am

      @RonW: That could be an extremely useful feature for people who travel internationally and need to access their web mail from internet kiosks and such. Even if your password is key logged, they still can't access your account. In addition, change your password before you leave on your trip and change it back when you get home.

    • Tim B
      March 12, 2014 at 10:29 pm

      @Pam R: Nothing sarky intended, genuinely even my not-very-techie parents both use smartphones, and they're pretty slow on the tech uptake.

      It's worth noting that a mobile phone is a personal communication device – personal to one person. It's registered to one person, and in many countries (including my own) requires personal identification in the form of a passport to register. By sharing a mobile you're forgoing the benefit of a portable device that's always accessible.

      Though this really isn't a great option, you can opt to use a landline and have Google call you (it's automated) with a code. This basically means you need to be at home whenever signing into your account from a new location (lol) or service, which is the least practical thing ever and I'd probably say just choose a really solid password instead.

      Also this security feature basically only exists because mobile telephony became so ubiquitous in our day to day lives, so to complain that you can't use it because you don't have your own mobile phone is a bit short sighted.

  12. Johann
    March 7, 2014 at 10:09 pm

    Android users: Check out the app 'Authy'.

    It implements proprietary 2FA codes (as used by Cloudflare, for example) as well as the common 'Google Authenticator' ones you generate on most sites. It will also sync them between multiple devices and can restore the codes to a new device if you lose an old one. Nice interface too.

    It's better than any other 2FA app I've found.
