How to Turn On 2-Step Verification
The latest major trend in online account security is two-factor authentication, also called two-step verification: a login scheme that requires users to supply a second proof of identity along with their normal password.
Most frequently, that second proof is a one-time numeric code that the online service sends by text message to the user's mobile phone.
Other forms of secondary verification include one-time codes generated by the Google Authenticator smartphone app, or similar codes generated by stand-alone keychain authentication tokens such as those made by RSA Security.
Two-factor authentication makes it much more difficult for hackers to break into your account, because the process requires you to provide not only something that you know (your password) but also something that you have (the phone or token that produces the one-time code). A stolen or guessed password alone is no longer enough.
Following a wave of Gmail account hijackings, Google added the option of two-step verification in early 2011.
A few months later, Facebook followed suit, and later added its own stand-alone code generator for users who couldn't receive, or didn't want to wait for, texted codes. Yahoo added a two-step option by the end of 2011.
Dropbox added the feature in 2012, but the first six months of this year saw the feature go mainstream: Microsoft, Apple, Twitter, Evernote, LinkedIn and WordPress all added optional two-factor verification. (Apple's covers only iTunes Store purchases, not iCloud accounts.)
Why you need it
If you’re reading this, chances are you have at least two online accounts that offer two-factor authentication as an enhanced security feature. But it will only protect you and your private data if you turn it on.
"It’s like seat belts in the car. They work really well if you buckle up," said British independent security expert Graham Cluley. "When it’s made available to you, you should use it."
As Cluley explained, with two-factor authentication in place, it’s much more difficult for hackers to crack accounts by simply guessing a password.
To capture the disposable code texted to the account holder's phone, criminals would need physical access to the phone, or would need to set up a convincing fake login page that tricks the account owner into typing the code so it can be relayed to the real site before it expires. While rare, such attacks do happen.
"The real site sends you the code and then the bogus site will ask you to enter the code," Cluley said. "You would have what's known as a man-in-the-middle attack, where they trick you into entering your username and password. The bogus website acts as a go-between."
Most people, thankfully, don’t have to worry about such hacks. In most cases, an attack is not designed to steal state secrets; instead, it's a product of opportunity, or perpetrated for personal reasons by someone that the victim knows.
Cluley said that although some people complain about the nuisance of the added step, they ultimately have to decide whether they want to be safe.
"How much of a nuisance is that compared to the nuisance of losing control over your Gmail account, and who knows what else?" he asked.
The inconvenience can be brief. Most online services will "remember" the devices a user has verified once through two-step verification, such as a frequently used laptop or smartphone, and will ask for the second factor only when a login comes from an unfamiliar device.
That way, if someone tries to log in from a different device, that person will be asked for the second factor, and many services also alert the real user by email or text message about the attempt.
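How a service can "remember" a device without weakening the second factor, as an added example that is not code from any of the services named in this article. The design is assumed for illustration: after a successful two-step login the server sets a cookie containing the user, a random device identifier, an expiry and an HMAC over those fields; at the next login the server checks the cookie and asks for a code only if the check fails. The key, user and device names are constructed for the example.

```python
"""Remembered ("trusted") device token for skipping the second factor.

Added example; the token layout is an assumption, not any named service's
design.  Cookie value = base64( user_id|device_id|expiry  +  HMAC-SHA256 ).
The HMAC is computed with a key that never leaves the server, so a cookie
copied to another browser still only works for the same user and device id,
and any edit to the user, device or expiry fields invalidates it.
"""
import base64
import hashlib
import hmac
import secrets
import time

TRUST_DAYS = 30          # how long a verified device stays remembered
MAC_LEN = 32             # SHA-256 output size in bytes


def new_device_id():
    """Random identifier issued to a browser the first time it is seen."""
    return secrets.token_urlsafe(16)


def _mac(key, payload):
    return hmac.new(key, payload, hashlib.sha256).digest()


def issue_trust_token(key, user_id, device_id, now=None):
    """Called once the user has passed both factors on this device."""
    now = int(time.time()) if now is None else int(now)
    expiry = now + TRUST_DAYS * 86400
    payload = "{}|{}|{}".format(user_id, device_id, expiry).encode()
    return base64.urlsafe_b64encode(payload + _mac(key, payload)).decode()


def device_is_trusted(key, token, user_id, device_id, now=None):
    """True only if the token is intact, unexpired and bound to this user and device."""
    now = int(time.time()) if now is None else int(now)
    try:
        raw = base64.urlsafe_b64decode(token.encode())
        payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
        tok_user, tok_device, tok_expiry = payload.decode().split("|")
        expiry = int(tok_expiry)
    except (ValueError, UnicodeDecodeError):
        return False                      # malformed or truncated cookie
    if len(mac) != MAC_LEN or not hmac.compare_digest(mac, _mac(key, payload)):
        return False                      # forged or tampered with
    return tok_user == user_id and tok_device == device_id and expiry > now


def login_needs_second_factor(key, cookie, user_id, device_id, now=None):
    """Decision the login handler makes after the password has been checked."""
    if not cookie:
        return True                       # never seen this browser: ask for a code
    return not device_is_trusted(key, cookie, user_id, device_id, now)


if __name__ == "__main__":
    KEY = b"server-side-secret-key-for-the-example"   # constructed
    dev = new_device_id()
    cookie = issue_trust_token(KEY, "alice", dev)
    print("same device needs code:", login_needs_second_factor(KEY, cookie, "alice", dev))
    print("other device needs code:", login_needs_second_factor(KEY, cookie, "alice", new_device_id()))
```

The server keeps no per-device state here; everything it needs is in the cookie, protected by the MAC. If a service wants to let the user revoke remembered devices, it would add a per-user token generation number to the payload and bump it on "sign out everywhere".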
We can't stress it enough: If two-step verification is available, turn it on. Combined with a strong, unique password, it will go a long way toward keeping intruders out of your important files and accounts.
Turn it on: Below is a guide to managing two-factor authentication across the most popular networks on the Web.
Twitter
Twitter's login verification can be turned on at the Account Settings page. Check the "Require a verification code when I sign in" box, click "add phone" and follow the rest of the prompts.
Next, you'll receive a text. Enter the code Twitter sends to your phone to verify your phone number. From now on, Twitter will text you a fresh code, which you must enter along with your password, every time you sign in on the website.
(This doesn't apply to third-party Twitter clients such as TweetDeck, which access your account through Twitter's API authorization rather than with your password.)
Facebook
Facebook calls its two-factor verification system "Login Approvals." To access it, click on the little gear icon on the top right of your Facebook page, and scroll down to "Account Settings."
On the following page, click Security in the left-hand navigation bar. Click on "Login Approvals" on the resulting menu, and check the box next to "Require a security code to access my account from unknown browsers."
Facebook will text you a one-time code when you log in from each new device or browser.
Like Google, Facebook also offers a second option for smartphone users — a code generator that will create valid one-time codes for when you can't receive text messages (such as when flying).
To turn on Facebook's Code Generator, click "Enable Code Generator in the Facebook app on Android or iOS" from the Security tab in the Account Settings page mentioned above, then open the Facebook app on your smartphone or tablet and tap Code Generator near the bottom of the menu to activate.
Alternately, you can access Code Generator directly from the mobile app and simply activate it there.
Enter the code displayed on your mobile device into the browser to complete the setup. The codes are computed on the phone itself from the current time and a secret shared during setup, so the app needs no signal; each code changes every 30 seconds.
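What the phone and the server are each doing behind a code generator, as an added example that is not code from Facebook, Google or any other service named here. It implements the time-based one-time password algorithm (TOTP, RFC 6238) that authenticator apps use, with the defaults those apps assume (HMAC-SHA1, 30-second steps, six digits), plus the server-side check with a small clock-drift window and replay protection. The secret is the RFC's own test secret, so the codes match the published test vectors; it also shows why the relayed-code attack described above works: the server cannot tell who typed a valid code, only that it has not been used before.

```python
"""Time-based one-time codes (TOTP, RFC 6238) and a server-side verifier.

Added example, not code from any service in the article.  Assumptions:
HMAC-SHA1, a 30-second step and 6 digits (the authenticator-app defaults),
and the RFC 4226/6238 test secret (ASCII "12345678901234567890") so the
outputs match the RFC test vectors.
"""
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30
DIGITS = 6

# RFC test secret.  A real service generates a random secret per user and
# shows it to the phone once, as a QR code or base32 string, at enrollment.
RFC_SECRET = b"12345678901234567890"
RFC_SECRET_BASE32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def secret_from_base32(text):
    """Decode the base32 secret typed into (or scanned by) the authenticator app."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)          # restore stripped padding
    return base64.b32decode(cleaned)


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time=None):
    """RFC 6238: HOTP with the counter set to the current 30-second step.
    The phone derives this from its clock alone, so no network is needed."""
    if unix_time is None:
        unix_time = time.time()
    return hotp(secret, int(unix_time) // STEP_SECONDS)


class TotpVerifier:
    """Server side of the exchange.

    Accepts the current step and one step either side to tolerate clock
    drift, and never accepts a step at or before the last one it accepted,
    so a code that has already been used cannot be replayed (RFC 6238 5.2).
    """

    def __init__(self, secret, window=1):
        self.secret = secret
        self.window = window
        self.last_accepted_step = -1

    def verify(self, submitted, unix_time=None):
        if not (submitted.isascii() and submitted.isdigit() and len(submitted) == DIGITS):
            return False
        if unix_time is None:
            unix_time = time.time()
        now_step = int(unix_time) // STEP_SECONDS
        for step in range(now_step - self.window, now_step + self.window + 1):
            if step < 0 or step <= self.last_accepted_step:
                continue                           # already used: reject replay
            if hmac.compare_digest(hotp(self.secret, step), submitted):
                self.last_accepted_step = step
                return True
        return False


if __name__ == "__main__":
    assert secret_from_base32(RFC_SECRET_BASE32) == RFC_SECRET
    print("code at t=59:", totp(RFC_SECRET, 59))          # 287082 per RFC 6238
    server = TotpVerifier(RFC_SECRET)
    print("first use accepted:", server.verify("287082", 59))
    print("replay accepted:", server.verify("287082", 59))
```

Run the file to see the RFC vector and the replay rejection. In the phishing scenario Cluley describes, the bogus site submits the victim's code to the real site within the same 30-second window, so `verify` returns True for the attacker; the replay rule then refuses that code when the victim's own login arrives, which is why a surprise "code already used" failure is worth treating as a warning sign rather than a glitch.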
For branded, i.e. corporate, accounts, Facebook has each administrator log in from his or her personal account, so every admin can use Login Approvals with a personal phone and nobody has to share a single device to receive codes. (Twitter has yet to address this problem for shared accounts.)
Google
From your Google Accounts page, click Security and then click Edit under "2-step verification."
From the "Signing in with 2-step verification" page, click Start Setup. Google will prompt you for your phone number and then send a numeric code to your mobile device via SMS.
Once you receive the code, enter it. Google will ask if you want to "trust this computer." Leave the box checked if it is a personal device that only you use; uncheck the box if it is a public or shared computer.
From this point forward, you'll be asked for a verification code whenever you log in to Gmail, YouTube, Google+ or any other Google service from a computer you haven't marked as trusted.
For some applications that work outside of the browser, users may need to create application-specific passwords. These include some Android apps including Gmail, the Google Voice app on iOS, mail clients like Microsoft Outlook and chat services like AIM and Google Talk.
To create passwords, return to the Security page of Google Accounts. Under "2-step verification," click on "Manage your application-specific passwords."
You'll be prompted to re-enter your Google password. After that, you'll be taken to a page that lists the applications and services that have access to your Google account. The page also has a tool to generate new passwords for more applications and services.
To use the tool, name the device, app or service for which the password is being created, and let the tool generate the password.
Here's the tricky part. When you next log into Google from that device, app or service, don't use your regular Google password — use the application-specific password instead.
You'll need to do this only once for each new service. Bear in mind that an application-specific password lets that app into your account without a second factor, so if the device it lives on is lost or the app falls out of use, revoke the password from the same page.
Yahoo
From the Yahoo profile page, click on the link that says, "Setup your second sign-in verification." On the following page, check the box that prompts you to turn on the added security feature.
Enter your mobile number and then input the security code Yahoo sends to your mobile phone. When signing on from unfamiliar devices, you will now be prompted to verify the login with a texted code.
Apple
Apple ID users can turn on two-step verification by going to the Apple ID website at http://appleid.apple.com/ and selecting the Password and Security section from the left-hand menu bar.
On the following page (you may have to answer some security questions first), click "Get started" under the "Two-Step Verification" header.
On the next page, read the instructions and then click "Continue." Enter a mobile phone number, then enter the code texted to that phone number.
From that point on, you will be asked to enter a texted code when logging in from a new device, resetting your password or making other account changes.
It's important to note that Apple's two-step verification does not protect users' iCloud accounts, which, in our opinion, leaves a big hole in Apple's security.
If a user's iCloud account were compromised, such as through a cracked or guessed password, the attacker could use the Find My iPhone feature or iCloud Mail to take over the corresponding iTunes account.
Dropbox
Dropbox users can enable two-step verification by first signing into the Dropbox website, and then clicking on their name on the upper right.
On the resulting drop-down menu, click Settings, and then the Security tab.
Under "Account sign in," there will be a line reading "Two-step verification." Click "enable," and re-enter your password.
From there, enter your mobile phone number. As with the other services, you'll have to input the code texted to that number for the device you're currently using, and for every new device thereafter.
LinkedIn
To enable LinkedIn's two-step verification, users of the business-networking service should click on their headshot in the upper right corner of their profile page. Scroll down to "Privacy and Settings" and click "Review."
On the following page, scroll down to the bottom and click the "Account" tab. Click "Manage security settings."
From there, you'll be taken to a page entitled "Security Settings," with a section called "Two-step verification for sign-in." Click "Turn on."
On the next page, you'll be asked to provide a mobile phone number. Do so, then click "Send code."
You'll receive a six-digit code in a text message. Enter the code into the required field in your Web browser.
As with the other services, you'll have to do this for every new device from which you access LinkedIn.