If you want to keep your online accounts safe, adding two-factor authentication (2FA) is the single most important step you can take. While no security measure is 100 percent hackproof, 2FA is going to go a long way to locking down access to your important accounts.
As the name suggests, 2FA adds another level of authentication to the login process. It means you need something besides your username and password to get into your account—and with swaths of login credentials regularly published online, it’s in your best interests to put that additional step in place.
We’ve discussed 2FA before, but there have been some useful updates since then. Here we’ll outline exactly what two-factor authentication is, how it works, and how you can set it up. It doesn’t take long to put 2FA in place, and the next time someone else tries to access your account with a stolen set of login details, you’ll be glad you did.
How Two-Factor Authentication Works
Logging into your accounts with an email address and password is fine, up to a point, but these details can get lost, stolen, guessed, or teased out of you with some clever social engineering. Two-factor authentication adds another access barrier for unauthorized visitors who have gotten hold of your primary login credentials.
Two-factor authentication—and the similar two-step authentication, which is sometimes treated as a different mechanism and sometimes not—means you need another bit of information besides your password and email address. Most commonly in most consumer apps, it’s either an SMS code sent to your phone, or a code generated by a dedicated authenticator app.
When you’re setting up 2FA, you’re asked to prove that you’re the owner of your phone and the associated cell number, and that gives you the authorization to generate and receive codes. Unless hackers get access to your phone as well your email address and password, they won’t be able to log in. 2FA codes are sometimes sent via email as well, and in some cases can be replaced by a physical object like a USB key, which you’ll need to get into your account (Google offers this as an option).
For most services and accounts, this extra code isn’t required every single time you open the app or site—that would get tedious very quickly. Instead, 2FA jumps into action when you try to log in on a new device that you haven’t used before or haven’t accessed in a long time, like a new phone or a laptop that hasn’t been associated with your account in the past.
An authenticator app is one of the best 2FA options, as there’s no way for shady characters to intercept the codes without physical access to your phone. (This is a risk with SMS and email.) You have a choice of apps, and the best support the most popular services: Authy is just about the best in the business, while Google and Microsoft offer very competent apps too. Some popular password management apps include an authenticator app, including Dashlane and LastPass.
We’re seeing a growing use of biometric information like a fingerprint or a face as that second authentication step, which should make two-factor authentication even more secure and convenient in the future, provided the technology continues to evolve. Adding 2FA is a quick and simple process most of the time, and there’s really no excuse not to set it up if you have the option—just remember that it should be used as part of overall good security hygiene, not in isolation.
How to Add Two-Factor Authentication to Your Accounts
Many apps and services offer 2FA now, especially those that store important and sensitive data: emails, financial information, files, social media, contact details, and so on. Most of the accounts that don’t have a 2FA option, such as Netflix, for example, aren’t at such high risk from attack—hackers usually aren’t so interested in binge-watching Netflix Originals and messing with your recommendations.
Every service uses 2FA slightly differently, but the option shouldn’t be too hard to find. For Google accounts (which cover Gmail, Google Drive, YouTube, and more), head to your Google account page on the web and then click on Security to find the two-factor option—as the second step of authentication, you can use an authenticator app, have prompts appear on your registered phone, or have SMS codes sent to your cell number.
In the case of Apple accounts, your best option is to use an iPhone or a Mac to switch 2FA on. On iOS, from Settings, tap on your name, then select Password & Security and Turn On Two-Factor Authentication. On macOS, you need to start from System Preferences and then choose Apple ID, Password & Security, and Turn On Two-Factor Authentication. Verification codes can be sent via SMS, and they will appear on other devices using the same Apple ID that you have previously registered with 2FA.
Microsoft has two-factor authentication protection on its accounts as well. If you head to the Security page inside your Microsoft account portal on the web, you can pick More security options and then Set up two-step verification to begin the process of turning it on. To get your secondary code when you sign in on a new device, you can use a phone number, an email address, or an authenticator app.
Most social media apps also have 2FA available to protect your account: You can find the instructions online for Facebook, Instagram, Twitter, Tumblr, Snapchat, and even LinkedIn, for example. The steps involved and the methods of authentication vary a little between these services, but the result is the same—even if someone else gets your username and password, they won’t be able to log in.
You’ll find two-factor authentication in plenty of other places too: File management apps such as Dropbox and Box, organizational apps such as Evernote and Trello, chat apps such as Signal and WhatsApp, and many more. You can also use 2FA to protect your accounts on Xbox, PlayStation, Steam, and Nintendo Switch. If your favorite apps don’t support two-factor authentication, ask the developers why not.
How to Keep Your Accounts Protected Beyond 2FA
There’s no absolutely foolproof way to make sure your online accounts are never going to be accessed without authorization, but 2FA is one of the best ways to reduce that risk to the lowest it can be. Just remember that nothing’s perfect, so don’t let your guard down.
Most online services will have backup access methods available should you lose your phone and not be able to validate 2FA requests. These methods vary but aren’t widely publicized, for obvious reasons: If it’s common knowledge how the big tech companies perform account resets, then it’s easier for unauthorized parties to try to circumvent them.
Google, for example, provides backup codes that you should write down and keep in a safe place. Apple will ask you for various pieces of information to prove you are who you say you are before it will let you back into your account—these could be, but aren’t necessarily, which model of iPhone you most recently had and which Apple services you’re currently subscribed to (anything that an imposter might not know).
We like the account recovery methods Facebook puts in place: You can nominate trusted friends to verify your identity if you ever get locked out of your account. It would be very easy for you, but very difficult for a hacker, to get three of your closest friends to independently confirm that you are who you say you are and that you need to be let back into your account.
The point is that you should make yourself familiar with these various alternative modes of access and account recovery, set them up where needed, and then keep them as well protected as you do your usernames and passwords. In other words, don’t keep your Google account backup codes on a sticky note next to your laptop.
Even with 2FA in place, your accounts are only as strong as their weakest point: If you’ve set up two-factor authentication on your Microsoft account, for example, but not on the alternative email address that you use to recover access to your Microsoft account, then that’s a potential route in for someone else.