Two-Factor Authentication: Who Has It and How to Set It Up
In 2014, the Heartbleed exploit left everyone’s login information potentially up for grabs thanks to one itty-bitty piece of code, and in the past few years our security nightmares have only gotten worse.
What’s the average internet user to do? Well, you should definitely change your passwords—regularly! Passwords are a pretty laughable method of authentication and can be scooped up by scammers pretty easily, from sheer brute force to simple phishing
What you really need is a second way to verify yourself. That’s why many internet services, a number of which have felt the pinch of being hacked, offer two-factor authentication. It’s sometimes called 2FA, or used interchangeably with the terms “two-step” and “verification” depending on the marketing. Even the White House once had a campaign asking you to #TurnOn2FA. But what is it exactly?
As PCMag’s lead security analyst Neil J. Rubenking puts it, “there are three generally recognized factors for authentication: something you know (such as a password), something you have (such as a hardware token or cell phone), and something you are (such as your fingerprint). Two-factor means the system is using two of these options.”
Biometric scanners for fingerprints and retinas or faces are on the upswing thanks to innovations such as Apple’s Face ID and Windows Hello. But in most cases, the extra authentication is simply a numeric code; a few digits sent to your phone, which can only be used once.
You can get that code via text message or a specialized smartphone app called an “authenticator.” Once linked to your accounts, the app displays a constantly rotating set of codes you can use whenever needed—and it doesn’t even require a internet connection. The arguable leader in this area is Google Authenticator (free on Android and iOS). Twilio Authy, Duo Mobile, SAASPASS, and LastPass Authenticatoramong others all do the same thing on mobile and some desktop platforms, and the majority of popular password managers all have 2FA by default.
The codes provided by authenticator apps sync across your accounts, so you can scan a QR code on a phone and get your six-digit access code on your browser, if supported.
Here’s a video Google made about two-step verification basics, which provides a good idea of what’s involved.
Be aware that setting up 2FA can actually break the access within some other services. For example, if you have 2FA set up with Microsoft, that’s great—until you try to log into Xbox Live. That interface has no facility to accept the second code. In such cases you must rely on app passwords—a password you generate on the main website to use with a specific app (such as Xbox Live). You’ll see it come up with Facebook, Twitter, Microsoft, Yahoo, Evernote, and Tumblr—all of which either are used as third-party logins or have functions you can access from within other services. The need for app passwords is, thankfully, dwindling with the passage of time.
Remember this as you panic over how hard this all sounds: being secure isn’t easy. The bad guys count on you being lax in protecting yourself. Implementing 2FA will mean it takes a little longer to log in each time on a new device, but it’s worth it in the long run to avoid some serious theft, be it of your identity, data, or money.
The following is not an exhaustive list of services with 2FA ability, but we cover the major services everyone tends to use, and walk you through the setup. Activate 2FA on all of these and you’ll be more secure than ever.
Google 2-Step Verification
With access to your credit card (for shopping on Google Play), important messages and documents, and even your videos on YouTube—essentially your whole life—a Google account has to be well-protected. Thankfully, the company has been working on 2FA systems since 2010.
Google calls its system 2-Step Verification. It’s all about identifying you via phone. When you enter a password to access your Google account for almost any service, if 2-Step Verification is on, there are multiple options to get that second step. First among them now: the Google Prompt. You simply add your smartphone to your account, make sure the Google search app is on the phone, and at login, you can go to the phone and simply acknowledge with a tap that you are the one signing in. Easy.
If that doesn’t work, you’ll need to enter an extra code. That code is sent to your phone via SMS text, a voice call, or by using an authenticator app. On your personal account, opt to register your computer so you don’t have to enter a code during every sign-in. If you have a G Suite account for business, you can opt to only receive a code every 30 days.
Google Authenticator—actually, any authenticator app—can generate the verification code for you, even if your smartphone is not connected to the internet. You must sign up for 2-Step Verification before you can use it. The app will scan a QR code on the desktop screen to give you access, then generate a time-based or counter-based code for you to type in. It replaces getting the code via text, voice calls, or email.
Once you’ve set up Google 2-Step Verification, access it again by visiting your Google account security settings. There you can select the phone numbers that can receive codes, switch to using an authenticator app, and access 10 unused codes that can be printed to take with you for emergencies (such as if your phone dies and you can’t get to the authenticator app.)
This is also where you generate app-specific passwords. Let’s say you want to use your Google account with a service or software that doesn’t use the standard Google login (I ran into this with Trillian on iOS). You typically get shut out of such a service if you’ve got 2-Step Verification activated, and will need an app-specific password to get on them using your Google credentials.
People with particularly high-risk jobs should consider using Google’s Advanced Protection Program.
Facebook Two-Factor Authentication
Facebook is the last place you want to lose control of an account; its version of two-factor authentication will help prevent that. On the desktop you access it by going to Settings > Security and Login.
Under Two-Factor Authentication, click Edit on the right. On the next screen, select how you’d like to receive your second form of authentication: a text message, authenticator app, or physical security key.
If you select an authenticator app (which might be the best option when it comes to Facebook), Facebook will produce a QR code on the desktop screen. Open your authenticator app on your smartphone, select add, and hold your smartphone up to the computer screen to capture the code. The next time you sign into Facebook and it requests your six-digit code, open the authenticator app and retrieve it there.
For apps that don’t work with two-factor authentication when you log in with your Facebook credentials (Xbox, Spotify, Skype), Facebook offers App Passwords, a one-time password to access your Facebook account via any third-party app or service. If you log out of that app or service and need to go back in, you’ll have to generate a new, unique app password. This is necessary for older devices. Get them via Settings > Security and Logins > App passwords > Generate app passwords.
The above options require you to have access to your phone, of course. But when you activate 2FA, you can get a list of 10 recovery codes you can download and use at any time, even if you don’t have your phone. Get them in the 2FA settings area and save them somewhere safe.
Instagram Two-Factor Authentication
Facebook-owned Instagram has offered two-factor authentication since 2016. To turn it on, go to your profile and tap the hamburger menu () on the top-right. Tap Settings > Privacy and Security > Two-Factor Authentication, where you can choose how you’d like to get your authentication code.
Option one: turn on Text Message and add your phone number (include the country code, because Instagram is everywhere) You’ll get a confirmation code via SMS text message. Enter it. Option two: turn on Authentication App. The app will walk you through the steps to set it up (since you can’t exactly scan a QR code from your mobile phone while using the app on your mobile phone.)
The app also offers a list of five recovery codes for use in the future to turn off 2FA or get access via other devices. It even offers to take a screenshot of them to add to your camera roll; you can always re-access them in the app as well.
WhatsApp Two-Step Verification
WhatsApp introduced end-to-end encryption as well as two-step authentication to keep out snoops, be they at home or sitting right there at the NSA, CIA, and FBI (Hi, Agent Mulder!).
Setup is easy: Go into Settings > Account > Two-step Verification. Tap Enable, and WhatsApp asks you to create a six-digit PIN to register your phone number with WhatsApp. You’ll also provide an email in case you ever need to do a reset—aka, turn off the verification. If you later sign out or log in with a different device, WhatsApp will text you a code, and you’ll have to re-enter the PIN as well.
Twitter Login Verification
To activate Login Verification on Twitter.com on the desktop, click your profile photo on the top-right and and select Settings and privacy from the drop-down menu. In the Security section, click Set up login verification, and you’ll be asked to enter your Twitter password. If you don’t have a phone number associated with your account, you’ll be asked to add one.
If you’ve upgraded to the “new twitter.com,” click your profile photo on the top-right and select Settings and privacy. Under Login and Security, click Security > Login verification and follow the directions.
In the mobile app, go to the Me menu (your profile pic at the upper-left), Settings and Privacy > Account > Security > Login verification. Toggle it on (or off).
You can get your secondary verification via text, authenticator app, or security key. If you go the Text Message route, you can only associate your phone number with one account.
Twitter can generate backup codes for when you lose a device, and temporary passwords to use one time when logging in at times you also can’t get a regular 2FA code. Get them via Settings > Account > Security > Login verification under Additional methods; keep them somewhere safe.
Here, you can also use the Twitter app itself as an authentication app. Click Login code generator to get a six-digit number that updates every 30 seconds, which can help when signing into third-party sites with your Twitter account credentials.
A good rule of thumb: occasionally view the full list of applications that have access to your Twitter or that use your Twitter credentials and nix any you no longer use or recognize.
Apple Two-Factor Authentication
Your Apple ID is a big part of your life if you’re an iOS or Mac user. It’s important for not just access, but also storage via iCloud, purchases at iTunes, Apple Books, and the App Store, and membership at Apple Music$9.99 at Apple.
To activate two-factor Authentication, go to the My Apple ID page and sign in. Look for Security > Two-Factor Authentication and click “Get Started…”
You are then furnished with steps on how to set up 2FA for Apple using either an iOS device or via macOS. You can’t do it via a browser on another operating system anymore. On iOS you go to Settings > [your name at the top] > Password & Security > Turn on Two-Factor Authentication. On macOS go to > System Preferences > iCloud, sign in, click Account Details > Security > Turn on Two-Factor Authentication.
You’ll have to answer two of your three pre-set security questions and re-confirm your credit card on the account to get into the setup. Then you have to enter a valid phone number to get a text or phone call (even if it’s the number already on the phone you’re using for setup). If it is the same phone, the six-digit code will be entered automatically when it arrives, or just type it in.
To get a code when needed, on an iOS device go back to iCloud settings, tap your username at top (you’ll likely need to enter your full Apple ID password again) > Password & Security > Get Verification Code. This sometimes enters you into a circular-logic world where you need to get a code on the very device where the code has to be entered.
Apple also supports app-specific passwords.
Turn off Apple 2FA in iCloud settings if you desire, but then you have to go back to security questions (“Who was the best man at your wedding?” etc.) to verify your ID, and no one wants that.
For more, read How to Turn on Apple Two-Factor Authentication.
Microsoft Two-Step Verification
Microsoft has done a much better job in the last few years of tying together all its services under one umbrella account. I use mine for Outlook.com, OneDrive, Xbox Live, Skype, an Office 365 subscription, and more. Naturally, it should get some extra protection.
You sign into your Microsoft account at account.microsoft.com/profile. In the top navigation, click Security; on the next page, click the more security options link. Scroll down to Two-step Verification to turn it on.
Microsoft will suggest you get an app password to set up Outlook.com to sync with email on mobile devices, as well as other services that may need app passwords, which you can go in later to generate for any given app.
You can then enter the “Set up an identity verification app” section. Microsoft recommends the use of an authenticator app because it makes its own for Windows Phone, iOS, and Android, which it will push you to install. It also works with other standard authenticator apps, like Google Authenticator and Authy—but to use them, you must pick “other” during the setup. Scan the QR code displayed.
You can skip the authenticator. If you do, Microsoft logins will still try to get you to use an app, but provide a link to other methods for getting a 7-digit verification code: text or email. Even if you choose text, it has to go to a phone you’ve pre-registered, and even then, Microsoft will make you re-enter the last four digits of the phone number as an extra bit of confirmation.
As you continue the setup, Microsoft provides a recovery code for you to write down and keep safe, a 25-digit whopper (like the kind it uses on everything from software registrations to Xbox giveaways). Microsoft also supports Trusted Devices, which is hardware that doesn’t require you to enter any codes—you’ll see a checkbox to mark a device (like a Windows 10 PC) as trusted when you log into it. Go back to security settings to revoke trusted devices all at once if you lose one. Microsoft automatically removes any trusted device you haven’t logged into in two months; just trust it again on the next login.
Amazon Two-Step Verification
Amazon added 2FA support late in 2015 and it’s pretty important to turn on, as Amazon has its fingers in many pies like Comixology, Audible.com, and sites that use Amazon for payments —all tied to your credit card.
Open up Amazon.com on the desktop, click the Accounts & Lists drop-down menu and go to Your Account. Click on Login & Security. On the next page, click Edit next to Advanced Security Settings. Two-Step Verification is here, and offers two options. The preferred method is an authentication app (scan the QR code); phone number(s) entry is the backup method.
A nice option with Amazon is the ability to tell the service to skip the codes on select devices—say a PC to which you and you alone have access. If that option doesn’t work later, come back to the Advanced Security page and click “Require codes on all devices.”
Yahoo Account Key or 2-Step Verification
To set up verification at Yahoo, access your Personal info (look for your name, or the link to Sign In, in the upper-right of any Yahoo page, and select Account Info). Click Account Security and you’ll see the Two-step verification toggle, making it incredibly easy to turn on and off with the flip of a virtual switch. It will immediately confirm the phone number on your account, or ask for a new one and send a 5-digit verification code. It also warns you that certain apps won’t work with second sign-in verification, including Outlook and the mail apps on iOS and Android—those will require App Passwords.
There is no option to use a third-party authenticator app. However, the Yahoo Account Key is the next best thing. If you have the Yahoo app on your phone, Yahoo Account Key can send a notification to it. You get the notification, push a button to confirm it’s you, and that’s it—no codes to enter. It’s very similar to Google Prompt. You can try a sample prompt to see how it works. If you activate it, Yahoo deactivates two-step verifications.
After you set up two-step verification, the Sign-in and Security list gets another option: “Generate app password.” When you’re ready to access Yahoo services on devices like iPhone, Android phones, or via Outlook, you’ll go here to create the new unique password that will hook you up
Snapchat Two-Factor Authentication
Snapchat is a mobile-only service, so the only way to set up 2FA is via the mobile app. Open it up and tap your avatar at the top-left. Tap the gear icon () on the upper-right to access Settings and tap Two-Factor Authentication.
Snapchat warns you that if you lose access to your way to generate a login code (aka, your phone), you could get locked out of your Snapchat account. If you’re okay with that, proceed with setup, and select whether you want to receive a code via text or an authenticator app (you can have both the authentication app and SMS text verification active simultaneously).
If you choose authenticator, you get three options—the first is to Set Up Automatically, which worked like a charm to set up in Authy (my preferred app). It instantly gave me a six-digit code to go back to the Snapchat app and enter. If you Set Up Manually,you get a QR code—but you can’t exactly scan it on the same screen. Instead, it provides a 32-digit code for you to copy—by hand. Ugh. That’s the kind of thing that prevents people from setting up better security. But thankfully the automatic setup worked just fine. You can have both the authentication app and SMS text verification active simultaneously.
Once you’re set up, Snapchat will generate a Recovery Code you can use if you can’t get a text or code from the authenticator app. Take a screenshot and store it somewhere safe.
Reddit Two-Factor Authentication
Reddit said in 2018 that 2FA was its users’ most requested feature, and now it’s here. On a desktop, log in and go to Preferences. Find the tab that says “password/email,” and under two-factor authentication select “enable.” Follow the steps to set up a third-party authentication app like Authy—such apps are the only way to get a Reddit 6-digit verification code. (It will also supply some backup codes to store away for the few times your smartphone isn’t available). Make sure you register an email with Reddit; it’s the only way to reset your account if necessary.
Tech Savvy and Enthusiast, Android Lover … Can help on Tech-related issue because is a passion to me