The 2014 Heartbleed bug exposed millions of internet logins to scammers thanks to one itty-bitty piece of code, and our security nightmares have only gotten worse in the years since.
What’s the average internet user to do? Well, you should definitely change your passwords regularly. They’re a pretty laughable method of authentication and can be scooped up pretty easily by a variety of methods.
What you really need is a second way to verify yourself. That’s why many internet services, a number of which have felt the pinch of being hacked or breached, offer two-factor authentication. It’s sometimes called 2FA, or used interchangeably with the terms “two-step” and “verification” depending on the marketing.
As PCMag’s lead security analyst Neil J. Rubenking puts it, “there are three generally recognized factors for authentication: something you know (such as a password), something you have (such as a hardware token or cell phone), and something you are (such as your fingerprint). Two-factor means the system is using two of these options.”
Biometric scanners for fingerprints and retinas or faces are on the upswing thanks to innovations such as Apple’s Face ID and Windows Hello. But in most cases, the extra authentication is simply a numeric code; a few digits sent to your phone, which can only be used once.
You can get that code via text message or a specialized smartphone app called an “authenticator.” Once linked to your accounts, the app displays a constantly rotating set of codes to use whenever needed—it doesn’t even require an internet connection. The leader in this area is Google Authenticator (Android, iOS). Others such as Twilio Authy, Duo Mobile, and LastPass Authenticator all do the same thing on mobile and some desktop platforms. In fact, most popular password managers also offer 2FA.
Some authenticator apps sync the accounts you’ve added across your devices, so you can scan a QR code with your phone and then read the six-digit access code from a browser extension or desktop app, if the app supports it.
Be aware that setting up 2FA can actually break access within some older services. In such cases you must rely on app passwords—a password you generate on the main website to use with a specific app (such as Xbox Live). You’ll see app passwords as an option with Facebook, Twitter, Microsoft, Yahoo, Evernote, and others—all of which either are used as third-party logins or have functions you can access from within other services. The need for app passwords is, thankfully, dwindling with the passage of time.
Remember this as you panic over how hard this all sounds: being secure isn’t easy. The bad guys count on you being lax in protecting yourself. Implementing 2FA will mean it takes a little longer to log in each time on a new device, but it’s worth it in the long run to avoid serious theft, be it of your identity, data, or money.
The following is not an exhaustive list of services with 2FA ability, but we cover the major services everyone tends to use, and walk you through the setup. Activate 2FA on all of these and you’ll be more secure than ever.
Amazon added 2FA support late in 2015 and it’s pretty important to turn on, as Amazon has its fingers in many pies, like Comixology, Audible.com, and sites that use Amazon for payments—all tied to your credit card.
Open up Amazon.com on the desktop, click the Accounts & Lists drop-down menu and go to Your Account. Click on Login & Security. On the next page, click Edit next to Two-Step Verification (2SV) Settings. The preferred method is an authentication app (scan the QR code); phone number(s) are the backup method.
A nice option with Amazon is the ability to tell the service to skip the codes on select devices (or on multiple browsers on the same device)—say a PC to which you and you alone have access. If that option doesn’t work later, come back to the Advanced Security page and click Require codes on all devices.
Your Apple ID is a big part of your life if you’re an iOS or Mac user. It’s important for not just access, but also storage via iCloud; purchases like movies, books, and apps; and memberships like Apple Music and Apple TV+.
To activate Two-Factor Authentication, go to the Manage Your Apple ID page and sign in. Look for Security > Two-Factor Authentication and click “Get Started…”
You are then furnished with steps on how to set up 2FA for Apple using either iOS or macOS. You can’t do it via a browser on another operating system anymore. On iOS, go to Settings > [your name at the top] > Password & Security > Turn on Two-Factor Authentication. On macOS, go to the Apple menu > System Preferences > iCloud, sign in, then click Account Details > Security > Turn on Two-Factor Authentication.
You’ll have to answer two of your three pre-set security questions and re-confirm your credit card on the account to get into the setup. Then you have to enter a valid phone number to get a text or phone call (even if it’s the number already on the phone you’re using for setup). If it is the same phone, the six-digit code will be entered automatically when it arrives, or just type it in.
After that, signing into anything with the Apple ID should generate a code on the device used for setup. Apple also supports app-specific passwords.
Note that once Apple 2FA is activated for two weeks, you can’t turn it off. “Certain features in the latest versions of iOS and macOS require this extra level of security, which is designed to protect your information,” Apple says.
A password manager favorite, Dashlane also supports 2FA. You have to turn it on via the desktop using the software for Windows or macOS, and you’ll need a separate authenticator app on your smartphone to scan the QR code.
In the desktop program, click Tools > Preferences > Security tab. Then open the Two-Factor Authentication tab. Click Two-Factor Authentication to toggle it on. You get a prompt to download Google Authenticator, Duo Mobile, or Authy. You then get the standard QR code to scan. If you have an external U2F security key, Dashlane also supports that.
You can also get 2FA support for other password managers like RoboForm Everywhere and Keeper Password Manager & Vault.
Dropbox on the desktop website has a tab called Security. It’s where you go to check how many current sessions are logged in and devices are using the account, to change the password, and, of course, turn on two-step verification. Toggle it to on, enter a password, and you’ll be asked if you want to get security codes via SMS text message or via a mobile authenticator app.
If you choose text, enter a phone number and receive a code immediately. You also get to enter a backup number, plus receive a 16-digit number you should save somewhere safe; it will allow you to deactivate two-step verification if needed. If you choose the authenticator app, you’ll see a QR code on-screen to scan. Other options include the use of a USB or NFC security key, if you’ve got one. Dropbox provides excellent instructions.
Facebook is the last place you want to lose control of an account; its version of two-factor authentication will help prevent that. On the desktop you access it by going to Settings > Security and Login.
Under Two-Factor Authentication, click Edit on the right. On the next screen, select how you’d like to receive your second form of authentication: a text message, authenticator app, or physical security key.
If you select an authenticator app (which might be the best option when it comes to Facebook), Facebook will produce a QR code on the desktop screen. Open your authenticator app on your smartphone, select add, and hold your smartphone up to the computer screen to capture the code. The next time you sign into Facebook and it requests your six-digit code, open the authenticator app to retrieve it.
For apps that don’t work with two-factor authentication when you log in with your Facebook credentials, Facebook offers App Passwords, a one-time password to access your Facebook account via any third-party app or service. If you log out of that app or service and need to go back in, you’ll have to generate a new, unique app password. This is necessary for older devices. Get them via Settings > Security and Login > App passwords.
The above options require you to have access to your phone, of course. But when you activate 2FA, you can get a list of 10 recovery codes to download and use at any time, even if you don’t have your phone. Get them in the 2FA settings area and save them somewhere safe.
Facebook also supports the Universal 2nd Factor (U2F) of a hardware security key, something you plug into or put near your computer to get access.
With access to your credit card (for shopping on Google Play), important messages and documents, your smart home devices, and even your videos on YouTube—essentially your whole life—a Google account has to be well-protected. Thankfully, the company has been working on 2FA systems since 2010.
Google calls its system 2-Step Verification. It’s all about identifying you via phone. When you enter a password to access your Google account for almost any service, if 2-Step Verification is on, there are multiple options to get that second step. First among them now: the Google Prompt. You simply add your smartphone to your account, make sure the Google search app is on the phone, and at login, you can go to the phone and simply acknowledge with a tap that you are the one signing in. Easy.
If that doesn’t work, you’ll need to enter an extra code. That code is sent to your phone via SMS text, a voice call, or by using an authenticator app. On your personal account, opt to register your computer so you don’t have to enter a code during every sign-in. If you have a G Suite account for business, opt to only receive a code every 30 days.
Google Authenticator—or any authenticator app—can generate the verification code for you, even if your smartphone is not connected to the internet. You must sign up for 2-Step Verification before you can use it. The app will scan a QR code on the desktop screen to give you access, then generate a time-based or counter-based code for you to type in. It replaces getting the code via text, voice calls, or email.
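The reason an authenticator app works offline is that the QR code you scan hands it a shared secret, and both the app and the service then compute the same code from that secret plus either a counter (HOTP, RFC 4226) or the current 30-second time step (TOTP, RFC 6238). The following is an added example, not code from the article or from any of the apps it names; it parses a constructed otpauth enrollment URI (the format most services encode in their QR codes, with a made-up issuer and account label), generates both kinds of code, and shows the server-side check a service performs, including tolerance for a slightly wrong phone clock. The shared secret is the published RFC 4226 test vector, base32-encoded, so the results can be checked against the standard.

```python
"""TOTP/HOTP one-time codes as generated by authenticator apps (RFC 4226 / RFC 6238).

Added example; the otpauth URI, issuer and account label below are constructed.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed enrollment URI of the kind a service encodes in its 2FA QR code.
# The secret is the RFC 4226 test key b"12345678901234567890" in base32.
SAMPLE_URI = (
    "otpauth://totp/PCMagDemo:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=PCMagDemo&digits=6&period=30"
)


def parse_otpauth_uri(uri: str) -> dict:
    """Extract the parameters an authenticator app reads from an enrollment QR code."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc not in ("totp", "hotp"):
        raise ValueError("not an otpauth TOTP/HOTP URI")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    return {
        "type": parsed.netloc,
        "label": unquote(parsed.path.lstrip("/")),
        "secret": params["secret"],
        "issuer": params.get("issuer"),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
        "algorithm": params.get("algorithm", "SHA1").lower(),
    }


def decode_secret(b32_secret: str) -> bytes:
    """The shared secret travels base32-encoded (RFC 4648); restore padding and decode."""
    s = b32_secret.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, period: int = 30,
         digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 6238: HOTP whose counter is the number of elapsed time steps since the epoch."""
    return hotp(secret, unix_time // period, digits, algorithm)


def verify_totp(secret: bytes, candidate: str, unix_time: int, period: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check: accept the current step plus `window` steps on either side
    so a phone clock a few seconds off still works; compare in constant time."""
    for step in range(-window, window + 1):
        expected = hotp(secret, unix_time // period + step, digits)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    enrollment = parse_otpauth_uri(SAMPLE_URI)
    key = decode_secret(enrollment["secret"])
    print("enrolled:", enrollment["issuer"], enrollment["label"])
    for c in range(3):                           # counter-based codes, one per event
        print(f"HOTP counter {c}: {hotp(key, c)}")
    now = int(time.time())
    print(f"TOTP now: {totp(key, now, enrollment['period'])}")
    print("accepted:", verify_totp(key, totp(key, now), now))
```

The ±1 step window is the usual trade-off: it keeps a phone whose clock is 30 seconds off working, while a code older than that is rejected. Services that hand out the same secret to several apps, as in the syncing described above, work because every copy computes the identical code from the identical secret and time.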
Once you’ve set up Google 2-Step Verification, access it again by visiting your Google account security settings. There you can select the phone numbers that can receive codes, switch to using an authenticator app, and access 10 unused codes that can be printed to take with you for emergencies (such as if your phone dies and you can’t get to the authenticator app). This is also where you generate app-specific passwords.
People with particularly high-risk jobs should consider using Google’s Advanced Protection Program.
Business social network LinkedIn makes it easy to set up verification, either by SMS texts or authentication app. Go to the Me menu > Settings & Privacy > Account > Two-step verification to activate or deactivate it.
You’ll immediately get a six-digit code you have to enter to verify you’re you. You only get one phone number (no backup). You can also go here to get recovery codes that let you access the account even if you don’t have access to your phone.
Microsoft has tied together most of its services under one umbrella. Outlook.com, OneDrive, Xbox Live, Skype, an Office 365 Home subscription, and much more can all use the same account. Naturally, it should get some extra protection.
Sign into your Microsoft account at account.microsoft.com/profile. In the top navigation, click Security; on the next page, click More security options. Two-step Verification is the second option. Microsoft will suggest you get app passwords as needed for older services or devices (like Xbox 360); go in later to generate one as needed.
Enter the Set up an identity verification app section. Microsoft makes its own authentication app (iOS, Android), which it will push you to install. It also works with other standard authenticator apps, like Google Authenticator and Authy—but to use them, you must pick “other” during the setup. Scan the QR code displayed.
You can skip the authenticator. If you do, Microsoft will still try to get you to use an app, but it does provide a link to a 7-digit verification code via text or email. If you choose text, it has to go to a phone you’ve pre-registered, and even then, Microsoft will make you re-enter the last four digits of the phone number as confirmation.
As you continue the setup, Microsoft provides a recovery code for you to write down and keep safe, a 25-digit whopper (like the kind it uses on everything from software registrations to Xbox giveaways). Microsoft also supports Trusted Devices, which is hardware that doesn’t require you to enter any codes—you’ll see a checkbox to mark a device (like a Windows 10 PC) as trusted when you log into it. Go back to security settings to revoke trusted devices all at once if you lose one. Microsoft automatically removes any trusted device you haven’t logged into in two months; just trust it again on the next login.
As a service dedicated to making payments, it’s best that PayPal be as secure as possible. Log in, click your name in the upper-right to access your Profile Settings > Login and security. Click “Set up” next to 2-step verification. Select whether you want to receive a text message or code via an authenticator app or using a security key. With that set up, PayPal will give you the option to add a backup to your account, such as a different number or authenticator app, for when you can’t reach your phone.
To activate Login Verification on Twitter.com on the desktop, click the More menu on the left and select Settings & Privacy > Account > Security > Two-Factor Authentication. You can then choose to get codes via phone (SMS text), authentication app, or with a physical security key (which won’t do you much good on a mobile app, so be sure to set up the authentication app). In the mobile Twitter app, the steps are much the same but you start by clicking on your profile pic.
Twitter will generate backup codes for when you lose a device, and temporary passwords for one-time use when you log in from a service, place, or time where you also can’t get a regular 2FA code.
You can also use the Twitter app itself as an authentication app. Click Login code generator to get a six-digit number that updates every 30 seconds, which can help when signing into third-party sites with your Twitter credentials.
A good rule of thumb: occasionally view the full list of applications that have access to your Twitter or that use your Twitter credentials and nix any you no longer use or recognize.
Well, I hope this helps! I want to thank the folks at PCMag for the info!