Everyone is concerned about online safety these days. Keep your services secure with two-factor authentication.
Several years ago, the Heartbleed exploit had us all scared, given that one itty bitty piece of code left everyone’s log-in information potentially up for grabs. (Here’s an explanation of what it does, courtesy of XKCD. If you’re afraid a site you visit might still have the exploit, run its URL through LastPass’s Heartbleed Checker.)
What is a person who fears for their security to do? Well, you should definitely change your passwords on sites—regularly! Vulnerable to sheer brute force or simple phishing, passwords are, to be honest, a pretty laughable way of authenticating who you are (or are not, as the case may be).
What you really need is a second factor of authentication.
That’s why many Internet services, a number of which have felt the pinch of being hacked, have embraced two-factor authentication for their users.
It’s sometimes called 2FA, or used interchangeably with the terms “two-step” and “verification” depending on the marketing.
Even the White House has a campaign asking you #TurnOn2FA.
But exactly what is it?
As PCMag’s lead security analyst Neil J. Rubenking puts it, “there are three generally recognized factors for authentication: something you know (such as a password), something you have (such as a hardware token or cell phone), and something you are (such as your fingerprint).
Two-factor means the system is using two of these options.” You can read more about how 2FA can work for you in Jill Duffy’s Get Organized column.
The problem is, biometric scanners for fingerprints and retinas are far from ubiquitous as that second factor.
In most cases, the extra authentication is simply a numeric code: a few digits sent to your phone that can only be used once.
More and more services support a specialized app on the phone called an “authenticator,” which will do that same job.
The app, pre-set by you to work with the service, has a constantly rotating set of codes you can use whenever needed—and it doesn’t even require a connection.
The arguable leader in this area is Google Authenticator (free on Android, iOS, and BlackBerry). Twilio Authy (free on iOS including Apple Watch, Android, BlackBerry, MacOS, Windows, and Chrome browser) and Duo Mobile (on iOS, Android, BlackBerry, and Windows Phone) do the same thing, and with far more color and style; both make Google’s app look washed out and ancient. Password manager LastPass launched a 2FA authenticator for iOS and Android recently as well.
The codes in authenticator apps sync across your accounts, so you can scan a QR code on a phone, and get your six-digit access code on your browser, if supported.
Here’s a video Google made about 2-Step Verification basics a couple years ago.
It will give you a good idea of what’s involved.
Be aware that setting up 2FA can actually break access from within some other services.
For example, if you have 2FA set up with Microsoft, that’s great—until you try to log into Xbox Live on the Xbox 360.
That interface has no facility to accept the second code.
In such cases you must rely on app passwords—a password you generate on the main website to use with a specific app (such as Xbox Live). You’ll see it come up with Facebook, Twitter, Microsoft, Yahoo, Evernote, and Tumblr—all of which either are used as third-party logins or have functions you can access from within other services.
This is, thankfully, getting better with the passage of time.
Remember as you panic over how hard this all sounds: being secure isn’t easy.
That’s exactly what the bad guys count on: that you’ll be lax in protecting yourself.
Implementing 2FA on your accounts will mean it takes a little longer to log in each time, but it’s worth it in the long run to avoid some serious theft, be it of your identity, data, or money.
What we have here isn’t an exhaustive list of services with 2FA ability—for that, check out Two Factor Auth, a list of just about every site or service offering two-factor sign-ins, and those that need it.
In this article, we cover the major services everyone tends to use, and walk you through the setup.
Activate 2FA on all of these and you’ll be more secure than ever.
And read about some of the new tech coming soon to the world of 2FA, including standards like U2F (Universal Two-Factor) which could even take your smartphone out of the equation—eventually.
To keep up with all the latest security news check out PCMag’s SecurityWatch.