Online security: your two-factor authorization checklist
By Ian Paul
PCWorldApr 24, 2013 10:45 am PDT
Twitter reportedly is getting ready to roll out two-factor authentication in the coming weeks—a development that comes not a moment too soon as the company’s current security efforts fall short.
Take Tuesday, when the state of Twitter’s account security was on full display as hackers took over the Associated Press Twitter account and falsely reported two explosions at the White House. The AP attack came just a few days after Twitter accounts controlled by CBS News—including ones for 60 Minutes, 48 Hours, and a network affiliate station in Denver—were taken over.
The malicious attacks would have been harder, if not impossible, to pull off had these Twitter accounts been protected with two-factor authentication. Wired reports that feature will roll out to Twitter accounts gradually in the coming weeks.
Two-factor authentication requires you to enter two login tokens before you can access an online account. The first token is your standard password (something you know), while the second is a login code randomly generated by a smartphone app or sent via SMS or email (something you have).
Two-factor authentication is becoming a common security feature for many online services you already use including Dropbox, Facebook, Google, and Microsoft. It may be a little inconvenient to deal with two-factor authentication, but anyone who’s lost control of their Facebook or email account can tell you the extra security gain is worth the minor hassle.
Here’s a quick look at how two-factor authentication currently works for the major online services you use every day.
The best account to start with if you’re new to two-factor authentication is Google, because you can use the Google Authenticator smartphone app to generate random access codes for many other services.
To set it up, visit Google’s two-step verification landing page and click the Get Started button on the top right-hand side of the window. Google will then guide you through the process for enabling two-factor authentication, which includes downloading and installing Google Authenticator for smartphone users.
The Google Authenticator app is available for Android, iOS, and BlackBerry 4.5-6.0 devices. If you don’t have a smartphone you can still use Google’s two-factor authentication by receiving access codes via SMS.
After Google’s two-factor authentication is enabled, you will have to reauthorize any other accounts and devices that access your Google account. Using Google Authenticator is pretty straightforward: You sign in to your Google account with your regular password and then you enter a randomly generated verification code created by Google Authenticator.
At sign-in, regular Google accounts can click a check box so that trusted PCs, such as your laptop at home, won’t require two-factor authentication every time you login. Google Apps users can authorize trusted devices for only 30 days at a time.
The problem with Google’s two-factor authentication is that some programs—smartphone email clients that access Gmail, for example—don’t work with it.
For these apps, you will have to use a randomly generated application-specific password instead of your regular password. These passwords bypass the need for two-factor authentication and can be revoked by you at any time. Application-specific passwords only have to be entered once per service and can be created by signing in to your Google account and clicking here.
Select Security Info from the left-hand navigation panel and click on Turn on Two-Step Verification toward the top of the page. Microsoft will then send an SMS to the phone number connected to your account with an approval code to begin using two-factor authentication.
As with Google, you can get your Microsoft login codes via SMS or you can authorize a two-step login smartphone application, including Google Authenticator.
Since we set-up Google Authenticator with our Google account, let’s use it again for Microsoft.
Start on the Security Info page you were on before and under the Authenticator App heading click Set Up. You will then be shown a QR code that you scan and register with Google Authenticator. Next, you’ll have to enter a logiin token generated by the app to make sure everything is working properly.
Two-factor authentication works with most Microsoft services including Outlook.com, SkyDrive, and Windows 8 PCs. Similar to other services, you can set devices as favorites so you don’t have to use two-factor authentication every time you want to login to your PC. Some devices don’t support the secure login method including the Xbox 360. To get around this Microsoft says will help you login to your machine with a unique app password instead.
Sign-in to your Dropbox account on the Web here and click on the Security tab. One of the first three options on this tab will be Two-Step Verification Disabled. Click on Change to enable Dropbox two-step authentication.
During the authorization process, you can choose to receive verification codes via SMS or you can authorize Google Authenticator to generate random login codes for you. Dropbox also supports other authenticator apps including AWS Virtual MFA, and Authenticator for Windows Phone.
For the most part, Dropbox’s two-factor authentication is only used when you login to the service’s website from an unknown machine. You will only have to authorize Dropbox desktop apps at installation or after setting up two-factor authentication.
The company’s mobile apps require two-factor authentication every time you sign out of the app, which might happen if your tablet or smartphone powers down or reboots.
Facebook doesn’t use Google Authenticator for its two-factor authorization, which it calls Login Approvals. Instead, you receive login codes via SMS or you generate them with the Facebook mobile app.
To get started login to Facebook and go to the Security tab. Find the heading that says Login Approvals and click Edit on the far right side of the screen. Facebook will then send a security code to your smartphone via SMS to get started with the feature.
If you are ever in an area without cell reception, you can still use Facebook’s login approvals via the Facebook mobile app for Android and iOS by opening the left-hand navigation bar and selecting Code Generator under Settings.
Facebook’s login approvals work with almost anything that connects to your Facebook account including third-party mobile apps with Facebook logins and the company’s own apps.
What other services need this?
Now you’re all set-up with two-factor authentication for several of the major online services. But there are a ton of services out there also supporting two-factor authentication including major Web hosts such as Dreamhost, Blizzard Entertainment’s Battle.net, and LastPass.
If you’re concerned about security, enabling two-factor authentication on these accounts will go a long way to making your online life more secure.