Two-factor authentication may not be as sexy as the latest Android phone, but the technology is capturing news headlines, and deservedly so. Last week, Microsoft began rolling out this security tool for its roughly 700 million Microsoft Account users. On Tuesday, Wired reported that Twitter is working on two-factor authentication as well.
It's a security feature that could have stopped hackers at the gate before they seized control of the Associated Press Twitter account, and it's something you should be using to protect your own online accounts, wherever it's available.
So how does two-factor authentication work? In a nutshell, it requires not one but two pieces of privileged information before granting access to an online account.
Let's say you've already set up two-factor authentication for your Google account, and now a hacker halfway around the world is trying to break into your Gmail. He has your email address and even your password, but he doesn't have the second element of the authentication process. In the case of Google accounts, the second element is a unique security code that's sent directly to your cell phone via text messaging.
In essence, two-factor authentication requires something you've committed to memory (your password) and something you have in your pocket (your phone).
If two-factor authentication sounds like kind of a pain, well, it is. Turning on this feature is a really easy way to make life harder for yourself, as you’ll need to spend extra time to prove your identity every time you log into a protected account from a new piece of hardware. Nonetheless, this level of authentication makes it much harder for hackers to seize control of your accounts.
Getting started also requires a little legwork on your part. Most major sites and services offer two-factor authentication as an optional security feature, so you need to log into your various accounts and dig around in the security settings to find it.
Google and Facebook have offered two-factor authentication as an optional security measure since 2011. Dropbox started offering it last year, and Apple iCloud got two-factor authentication in March. Microsoft is late to the party but now has it, and Twitter's version of the technology can't come soon enough.
For the sake of brevity I'm going to run down the two-factor set-up process for the Big Three social networks as well as my favorite remote storage services. But you should duplicate this process across every site and service you use that offers two-factor authentication. And if it seems like a lot of different systems to manage, don't worry—there's an app for that.
Start with Google
Google makes two-factor authentication simple enough, but it can be very frustrating to configure if you log into Google across multiple devices. To get started, log into your Google account and navigate to the Security section of your Account Settings page.
Pop down to the 2-step verification section and flip it on by clicking the big Settings button and following Google’s step-by-step guide to link your account with the number of a cell phone or land line. Google will either text or robocall you at that number to provide a six-digit code every time you try to log into your Google Account from an "untrusted" device, so make sure you use the number of a phone you keep close at hand.
You can also generate single-use backup codes that you can write down and save for times when you want to log into Google in the absence of cell service. Generate five or ten of these codes, and keep them in your wallet for emergencies. Also consider downloading the Google Authenticator app for iOS and Android if you don’t want Google sending you text messages every time you check your mail from a new computer.
It's simple to use, and can generate codes for any authentication service that employs the TOTP (Time-based One-Time Password) algorithm, including Facebook and Dropbox. I recommend setting it up to do so if you're going to be enabling two-factor authentication on other services, but be aware that this will make it very difficult for you to log into those services without your phone. If your phone is lost or stolen—or if you just accidentally delete the authenticator app—it's possible to download a fresh version and re-authenticate across every service you use, but it's a real pain.
Facebook is easy by comparison
Facebook was a little late to the two-factor party, but at least it took the extra time to smooth out the setup process. Enabling two-factor authentication for your Facebook account is a snap. Just log into Facebook and click on the blue gear icon in the top-right corner, then click on your Account Settings menu.
Next, select the Security section from the navigation bar on the left-hand side of the screen, and switch on the Login Approvals feature (Facebook's term for two-factor authentication) by clicking the appropriate checkbox. Facebook will walk you through the process from here, explaining how to receive and type in a unique alphanumeric code every time you want to access your account.
To get that code you’ll need to either download a mobile authenticator app that generates codes every time you log in, or give Facebook your cellphone number so it can send you authentication codes via SMS. I recommend going the authenticator app route. It’s simple to use, and you don’t have to wait for Facebook’s servers to text you your code. Plus, you can also add a cellphone number as an additional backup if the app fails to work.
In its mobile app, Facebook built in a neat Code Generator feature that generates TOTP codes for your account, but you can use any old TOTP authenticator app if you’re willing to subvert Facebook’s setup process. If you’re using Google’s mobile authenticator app to manage two-factor authentication across multiple services, for example—which is a great idea—you can set it up to provide authenticator codes for your Facebook account too.
Simply start the Code Generator setup process—click the Set up Code Generator link under Login Approvals in your Facebook security settings—and when the time comes to open the Facebook mobile app, click the Having trouble? link. Facebook will ask you to click a big blue Get Key button and enter the provided 16-character key into your Facebook mobile app, but you can enter it into almost any authenticator app—including Google’s—and it will still work.
Microsoft is finally catching up
Your Microsoft account covers your Outlook inbox, your Xbox Live profile, your Windows Phone, and more. Improve security across the board by switching on two-factor authentication in the security section of your Microsoft Account summary page. You can set it up so Microsoft will send security codes to either an alternate email address or your smartphone via SMS, unless you prefer to download an authenticator app that will generate security codes for you. Windows Phone users can download Microsoft’s own authenticator app from the Windows Store, but everyone else can just use any authenticator app that supports the TOTP algorithm.
For simplicity’s sake, I recommend using the aforementioned Google Authenticator app on iOS and Android. Use the app to scan the barcode that Microsoft provides you during the two-factor authentication process and it will generate codes for your Microsoft account as well.
And you don't need to stop there—I expect Twitter will have its two-factor authentication system in place before summer rolls around, and there are plenty of other sites and services that already offer similar security systems. Dropbox, LastPass, Box, and even Amazon Web Services support two-factor, as do many banking services. Locking these accounts up with two-factor authentication adds another layer of security to your digital life, one that can be unlocked only with the smartphone in your pocket.