Two-factor authentication is the smart way to protect your online accounts using something you know (like a password) and something you have (like a smartphone). Also known as two-step verification, it involves entering a code when logging in on new devices, and provides an excellent level of protection.
With two-factor authentication, even if your password isn’t particularly strong, your account is still relatively safe, as you’ll need to authorise any login attempts. Today we’ll be taking a look at a few of the services you can lock down with better security.
How Does It Work?
We’ve already taken a look at the intricacies of two-factor authentication, and if a service you’re reliant on offers it, you should enable it. With two-factor authentication, every new login attempt will require you to input a code sent to you – normally via text message to a standard mobile number – before letting you in.
Technically, the only way this method can be defeated is if someone else gets hold of your device, or manages to read the code over your shoulder. These codes only last a few minutes (Google’s last three at best) before you’ll need to make a new one. If you’re used to checking the “remember me on this website” buttons so that you log in automatically, your browsing habits shouldn’t be affected – you’ll only need to log in again once a month or so.
Because of the nature of two-factor authentication, occasionally one-time-use passwords need to be created for software such as email clients, making it easy to revoke access to devices at a later date should you need to do so. Two-factor authentication offers protection even when someone knows your password, though you should still choose strong passwords and always be mindful of social engineering attacks.
Your Google account is your email. It’s quite possibly connected to your Android device or iPhone, syncing your Calendars and Contacts, keeping track of your location history, your Google Now data and your personal information in the form of spreadsheets and other Google docs. You simply can’t afford to lose access to this one.
While logged in, head to your Google account settings and enter your password, and you’ll see the page for enabling what Google refers to as “2-step verification” as well as a dashboard for handling application-specific passwords. Google offers codes via SMS or the Google Authenticator app, and lets you add backup phone numbers and even download offline codes.
These will allow you to recover your account should you lose access to your smartphone.
Facebook is a double-whammy in that accounts are often poorly protected with weak passwords, are often highly in-demand among “hackers” and can be notoriously difficult to recover once someone’s broken in. Facebook uses a mess of email, friend verification, and photo identification to help re-connect users with their accounts, but really you could just try not losing access in the first place.
Head to Facebook’s settings and make sure you’ve added and verified a phone number under Mobile Settings. Then click the Security tab on the left and follow the instructions under Login Notifications. You can generate individual app passwords using App Passwords or head to Code Generator to cover offline use.
If you use iOS or OS X, your Apple ID and password are the only thing keeping your device safe from serious harm. Your Apple ID password is the key to your expensive devices, and using it a thief can remotely wipe your iPhone, read your iCloud mail and even take control of (and erase) your Mac if you have Back to My Mac enabled. If you use iTunes, every app, film or album you have ever purchased is tied to this account, not to mention the payment method used.
You can make changes to your Apple ID at appleid.apple.com where you must first log in then head to the Password and Security tab, which requires answers to security questions you set years ago. Once you’ve surmounted that obstacle you can enable two-step verification at the top of the page. Apple provides you with a “recovery key” which can be used in the event of your smartphone going walkies.
Do not see the two-factor authentication link on your account page? Note that as a basic security measure, Apple does not allow two-step verification setup to proceed if any significant changes have recently been made to your account information. Go to the Apple Support page and read what they have to say under “Why was I asked to wait before setting up two-step verification?”
The fourth of the “big four” – Windows 8 was Microsoft’s first real push for a Microsoft account that wasn’t oddly branded as “Windows Live” or “.NET Passport” and provided some tangible benefits to actual PC users. But don’t forget many of us have Skype and Xbox accounts too, and these are now one and the same. Stolen Xbox passwords in particular are highly sought-after, containing whole back-catalogues of online purchases, egos and reputations.
Head to your Microsoft Account dashboard and click Security Info to find an option for setting up two-step verification. Windows Phone users can use Microsoft Authenticator; other devices can just use Google Authenticator.
Aside from Zuk’s aforementioned social behemoth, there are a good number of other social services on which to enable two-factor authentication, particularly those that you authorise to post on your behalf. Twitter is one, and you can head to Twitter’s security settings, add and verify your phone number then choose to verify login requests using the number provided on the Security and Privacy tab. You can also opt to verify using the Twitter mobile app.
Buffer had a security incident not long ago, and social managers everywhere collectively squeezed and braced for impact. This could happen on any day of the week, so secure your Buffer account by choosing Enable 2-Step Login from Buffer’s security settings. Popular social manager HootSuite also offers protection, using Google’s Authenticator tool.
Professionally, your reputation may suffer should a troublemaker get hold of your LinkedIn credentials, and the service has itself fallen victim to attacks in the past. Since then the network has introduced better security, including two-factor; head to LinkedIn’s settings to enable it via the Account then Manage Security option. Last but not least, Yahoo also offers some protection via account settings.
Gamers are often targets for hackers, their personal accounts full to the brim with the latest entertainment and their payment info stored neatly ready for the next purchase. Fortunately content distributors have gotten wise to the threats faced by customers and now offer better security. Steam now famously offers two-factor authentication by default; you can read all about it here.
Battle.net accounts are also highly sought-after and you can keep crooks out of your World of Warcraft by using either the Battle.net Authenticator or mobile authenticator. Even EA added the protection to Origin’s Security settings, accessed via the Login Verification option. And if you don’t want to find yourself making the biggest pledge next time round, even the Humble Bundle supports two-step protection. If you’re an Xbox gamer, don’t forget to secure your Microsoft Account (instructions for which can be found above).
Online Storage & More
Files in your online cloud storage probably shouldn’t contain too much personal information, but protecting them against all new login attempts is a great idea anyway. Dropbox was one of the earliest services to support two-factor authentication; enable it from Account sign in under Dropbox settings. Box also offers similar levels of protection; head to Box account settings to enable it.
The thought of someone getting into my Evernote account fills me with dread, and it should be the same for you too. Enable two-step protection by logging in and changing your Evernote security settings. Two-step verification via a mobile device (SMS) requires premium, but you can still use Google Authenticator on iOS, Android or Blackberry for free.
If your favourite services aren’t yet supporting two-factor authentication, you might want to let the developers know that there is a demand for it. A breach of your personal information can be as costly as having your credit card credentials leaked, so it pays to take no chances in the world of online security. If the option is there – use it.
Evan Hahn is one blogger who has taken it upon himself to maintain a list of services that support two-factor authentication, and you should check out his list if you’re looking for particularly security-conscious services. You can recommend other services in the comments below.