As the always-online world has continued to become an ever more dangerous place, the need for user authentication methods other than the old, not-so-reliable username/password combo has become evident.
Logins via the long-accepted username and password method have grown increasingly insecure. Unfortunately, many users make use of the same username and password or rotate through a small number of login combinations. This makes it easier for hackers who might have gained access to user data in the data breaches we seem to hear about almost daily.
Once a bad guy has your login to one website or online service, they consider it a good possibility that you may have used that same login information on other sites and services. Hackers can then try to use the login information to gain access to a user’s account on multiple websites, including banking, credit card, and shopping sites.
Due to this problem, many websites, social networks, and computer and mobile device makers have begun requiring users to use two-factor authentication to log in to their services, networks, and devices.
In this article, I’ll explain what two-factor authentication is, how it works, how it increases the level of security for logins, what the drawbacks are, and why you should use it if it’s available.
I’ll also discuss some of the companies and popular online services that use two-factor authentication to protect their customers’ logins and associated personal information.
What is Two-Factor Authentication?
Two-Factor Authentication (2FA), also known as Multi-Factor Authentication (MFA), is a method of verifying a login using two separate pieces of evidence. The two pieces are usually defined as something the user has and something the user knows.
Perhaps the best way to explain two-factor authentication is to use a situation most of my readers will be familiar with: withdrawing money from an Automatic Teller Machine (ATM).
Two things are required for an ATM withdrawal to be approved by your bank: your valid credit or debit card (what you have), and your 4-digit Personal Identification Number (PIN) (what you know).
Two-Factor Authentication can be built from various factors, and the choice of factors varies widely among organizations. Each method has its own advantages and disadvantages.
Mobile Device Two-Factor Authentication
To use 2FA with your mobile device, the website or service in question will send a code of four or more digits to your smartphone or tablet via a text message when you attempt to log in. In some cases, you might instead be required to open a passcode-generation app on your device to complete the login process.
This method uses two factors: the user’s access to their personal device, and the one-time temporary code that is furnished to them via a text message, notification or the passcode-generating app installed on the device.
This method carries with it a large number of both advantages and disadvantages.
Advantages:
- No need to carry a token generator, as the process uses the user’s mobile device.
- The passcodes are generated on the fly, making them more secure than static passwords.
- A maximum number of passcode entries can be set, limiting the risk of passcode guessing.
- The process is user-friendly.
Disadvantages:
- The mobile device could be stolen, lost, or damaged.
- If the user is out of range of their carrier’s cellular network, the passcode message might not be received.
- It requires sharing a user’s mobile phone number. This reduces the user’s personal privacy.
- SIM cloning could give hackers access to the user’s mobile connection, allowing them to spoof their device.
Token Generator Two-Factor Authentication
Other companies supply a key fob-like or credit card-like token generator the user can keep in their pocket, briefcase or purse.
The device flashes a new token number every 60 seconds, providing a one-time passcode as needed. This eliminates the need for a mobile device to receive a passcode. However, it does introduce its own unique issues.
Advantages:
- It doesn’t rely on the use of a mobile or other internet-connected device.
- It’s portable and can be kept in the user’s pocket, purse, or briefcase.
- It’s easy to use.
- The token refreshes after a set amount of time – no permanent passcode to steal.
Disadvantages:
- It’s easily lost or stolen from the user’s pocket, purse, or briefcase.
- It could be vulnerable to man-in-the-middle attacks.
While two-factor authentication certainly adds a much-needed layer of security to the login process, 2FA is not immune to hackers. In 2011, security company RSA revealed that its SecurID system, which makes use of authentication tokens, had been hacked.
Services That Use Two-Factor Authentication
In this section, we will be looking at some of the online services and other companies that use two-factor authentication (2FA) to verify the identities of their users when they log in.
We’ll be taking a look at how Facebook, Twitter, Google, Apple, and Microsoft make use of 2FA. They each use the process a little differently. For each company, we will look at how you can set up 2FA for use with the service, and how it works for logins.
Facebook
When you set up two-factor authentication for your Facebook account, you’ll be asked to enter a special security code or confirm your attempt to log in each time you (or someone else) tries to access your Facebook account on a computer or mobile device that Facebook doesn’t recognize.
To turn on two-factor authentication, do the following:
- Go to the Security and Login Settings page by clicking the little down arrow in the upper-right hand corner of your Facebook page. Then click “Settings” -> “Security and Login.”
- Scroll down the page until you see “Use two-factor authentication” and click “Edit.”
- Select the authentication method you prefer to use and then follow the on-screen prompts.
- Click “Enable” to turn on your selected method of authentication.
Available authentication methods include:
- Text messages sent to your smartphone
- Security codes created via Code Generator
- Tapping your security key on a compatible device
- Security codes created by a third-party app
- Approving a login attempt from an unrecognized device
- Using a printed recovery code
Facebook says users can use as many authentication methods as they’d like, but either text message codes must be enabled, or both a security key and Code Generator must be enabled.
Twitter
When you enable “login verification” for your Twitter account, you’ll be required to enter both a password and a code which will be sent to your smartphone when you attempt to log in to Twitter. By default, the 6-digit code will be sent via SMS text message. You can also use a third-party app for verification.
To turn on login verification for Twitter, do the following on Twitter.com:
- In the top menu, click on your Twitter profile icon and then click “Settings and privacy.”
- Click on your Account settings and then click “Set up login verification.”
- Read the instructions there, if you wish, and then click “Start.”
- Enter your password and then click “Verify.”
- Click the “Send Code” button to add your mobile phone number. (If you already have a phone number connected to your account, Twitter will send a text to that number to confirm it.)
- Once the code is sent to your phone, enter the code and click “Submit.”
- Last, but certainly not least, click “Get Backup Code” to view a code you can use to access your account if you lose your smartphone or change your phone number. (Twitter recommends you take a screenshot for future reference.)
To use a third-party app for Twitter login verification, do the following on Twitter.com:
- In the top menu, click on your Twitter profile icon and then click “Settings and privacy.”
- Click on the “Account” tab.
- Look under “Security,” next to Login verification, and click on the “Review your login verification methods” button.
- Enter your password and click the “Confirm” button.
- Click “Set up,” which is next to “Mobile security app.”
- Read the instructions there, if that’s your thing, and then click “Start.”
- You may be asked to enter your password. If so, enter it and click “Verify.”
- A pop-up window will appear with a QR Code in it. Follow the instructions you’ll see there.
- You will be required to scan the QR code to set up the third-party authentication app. You will then be provided with a 6-digit numeric code.
- Enter the code in the “Security code” text field in the pop-up window.
- Click “Done.”
Once you enable login verification for your account on the web, you’ll be required to use a temporary password when you attempt to log in to Twitter on other devices, or in applications that require your Twitter password.
When Twitter detects that you need one, a temporary password will be sent via SMS text message. You can also generate your own temporary password.
Google
When you enable 2-Step Verification for your Google account, you’ll log in using your usual password, but will also be required to enter a security code that will be sent to your smartphone.
To turn on 2-Step Verification for your Google account, do the following on Google.com:
- Visit the “Google 2-Step Verification” page.
- Click the “Get Started” button near the top-right area of the page.
- The next page offers a short explanation of how 2-Step Verification works. Read this if you wish. Click the “GET STARTED” button.
- Log in.
- Google will then ask you what phone number you’d like verification codes sent to. Verify the phone number if one is already filled in and edit it as needed. Select whether to receive the codes via text message or a voice call, then click “Send code.”
- When you receive the 6-digit code, enter it and click the “Verify” button.
- You will then be asked if you are using a “trusted computer.” If you’re on your home computer or on a work machine that only you use, check the box next to “Trust this computer” and click “Next.”
- Turn on 2-Step Verification for your Google account by clicking “Confirm.”
Apple
With Apple’s “Two-Factor Authentication” enabled for your Apple ID, your account can only be accessed on trusted devices. These can include your iPhone, iPad, or Mac. When you sign in to a new device for the first time, you’ll need to provide your password and a 6-digit verification code that will be displayed on your already-trusted devices.
To enable Two-Factor Authentication for your Apple ID, do the following:
If you’re using iOS 10.3 or later:
- Go to “Settings” -> “[your name]” -> “Password & Security.”
- Tap “Turn on Two-Factor Authentication.”
- Tap “Continue.”
If you’re using iOS 10.2 or earlier:
- Go to “Settings” -> “iCloud.”
- Tap your Apple ID -> “Password & Security.”
- Tap “Turn on Two-Factor Authentication.”
- Tap “Continue.”
On your Mac computer, with Mac OS X El Capitan or later, do the following:
- Click on the Apple logo in the upper-left-hand corner of your Mac’s Desktop.
- In the pull-down menu that appears, click “System Preferences.”
- In the System Preferences, click the “iCloud” icon.
- On the iCloud screen, click “Account Details.”
- Click “Security.”
- Click “Turn On Two-Factor Authentication.”
Microsoft
If you enable the Two-Step Verification process on your Microsoft account, you’ll be required to enter your password and a security code that you’ll receive via an email address, a phone number or an authenticator app.
To enable Two-Step Verification for your Microsoft account, do the following:
- Go to the Microsoft Security Basics website and sign in using your Microsoft account information.
- Click the “more security options” link.
- Under “Two-step verification,” click “Set up two-step verification.”
- Continue with the setup process until you reach the finish line, then click “Done.” You may be asked to provide a verification code, which you will receive either via SMS or an alternate email address. Once the signup is complete, you’ll receive an email confirmation from Microsoft, which will be sent to your alternate email address.
What Else Do I Need to Know About Two-Factor Authentication?
Always Use Two-Factor Authentication on Your Email Accounts
So, which of your email accounts is the “most important account” that you should enable two-factor authentication on?
Answer: it’s any and all of them. Whether you use your email account for business or pleasure, it doesn’t matter. Hackers can cause you all kinds of grief if they can take control of your email account.
Think about it: how many websites or services have you signed up for over the years that ask you for your email address? Now, how many of those websites use your email account as your username? The mind boggles.
Even websites that don’t use your email for login purposes still use it as a contact method to reset your password if you forget it.
BAM! With your email under their control, hackers can start resetting the passwords that protect your important accounts. Accounts like the ones you have on your bank’s website, your credit card issuers, your favorite online merchants…
UGH! And believe me, it isn’t any fun to try and get a mess like that sorted out if it happens!
Protect Your Financial Accounts
Check with your bank or credit card issuer to find out if they offer two-factor authentication for when you’re logging into your account.
While not all banks or credit card companies currently offer 2FA, many do. Chase, Bank of America, Barclays US, Ally Bank, and Capital One come to mind as financial institutions that offer 2FA to their customers.
If you’d like to quickly check on whether your financial institution provides two-factor authentication to protect your account, visit the Two Factor Auth website.
There, you can check their list to see whether or not your firm protects you with 2FA, and if they do, what types of authentication they offer. The website offers lists covering backup providers, banks, cloud computing providers, communication firms, and cryptocurrency websites.
One Password to Rule Them All
Perhaps the most important password you’ll ever use is the one that unlocks the encrypted vault that holds all of the passwords you’ve saved in your password manager app. Make sure your password manager app supports two-factor authentication.
Never Mark Your Device or Computer as “Trusted”
Many of the websites that you’ll log into via two-factor authentication allow you to mark your computer or mobile device as “trusted.” This disables two-factor authentication on the device, allowing you to log in using only your password.
Do not do this! Marking a computer or device as “trusted” defeats the purpose of two-factor authentication, which is to protect you and your personal and financial information.
While going the trusted way might make future logins a bit easier, it also makes it easier for the bad guys to access your login-protected info if they’re ever able to get their hands on your device.
Of course, you don’t have to worry about that, right? No one ever loses their laptop or mobile device, or ever has one of them stolen, right? Right? (Now ends the “sarcasm” portion of our program.)
What Happens if I Lock Myself Out?
If you use your smartphone for the second factor in your two-factor authentication logins, it’s logical that you might worry about losing your mobile device and getting locked out of your accounts. Luckily, most modern 2FA systems allow you to add a second phone number or even a second email address for just this reason.
Even if you lose your smartphone or other mobile device you use for authentication, you can usually get a security code via a voice call to your landline or second phone, or to an alternate email address.
An alternative method of protection against getting locked out that some companies provide is a special code that can be printed out and kept in a safe place. While this sounds old-fashioned, a piece of paper could save you a lot of hassle someday. (Don’t just copy the code and save it to your device. Think about it for a moment, and you’ll understand why you shouldn’t.)
How Do I Find Out if a Website Supports Two-Factor Authentication?
While we’ve covered the fact that many financial, social and cloud storage websites and services offer 2FA, there are also many websites connected to other industries that also offer protection to their users.
Authy’s guide lists websites and services that work with its 2FA app, and the list also indicates which sites and services work with other 2FA authentication methods.
Two-Factor Authentication is a great way to help ensure that your online accounts remain secure, keeping your personal and business information away from the bad guys. With just a few steps, any user can make it tougher for hackers to steal their accounts.
Turn on Two-Factor Authentication When Possible
If any website, service, email provider or anything else you access online offers Two-Factor Authentication (2FA), enable it. Two-Factor Authentication ensures that even if another party learns your login information, they will not have enough information to access your accounts.
By requiring a second action on the user’s part to log in (a login code sent via email, text message or a code from a token generator), 2FA makes it much more difficult for unauthorized parties to access your accounts.
Your Favorite Social Network, Cloud Provider, or Financial Site Likely Offers 2FA
Facebook, Twitter, Apple, Google, Microsoft, and many other social networks and online service providers now offer some form of two-factor authentication. In addition, many banking, credit card and shopping sites also offer the protection to their customers.
In most cases, it only takes a few moments to set up 2FA, and the benefits will easily outweigh the value of the time it takes you to get this protection in place.
Use a Password Manager That Supports Two-Factor Authentication
If you’re not using a password manager to protect and keep track of your online logins, get one now!
Many password managers are compatible with 2FA, making them a great way to easily log in to your favorite websites and other services while also protecting that valuable login and its associated personal and business information.
Never Click the “Mark This Device as Trusted” Box on a Website
While going the “trusted browser” route might make future logins easier for you, it also makes them easier for anyone who might find or steal your laptop or mobile device. This basically defeats the purpose of 2FA, which is to protect your logins and your information.
Lock Yourself Out of a Website? You Can Fix That!
It’s understandable that you might worry about getting locked out of a website if you use two-factor authentication. What happens if you lose your mobile device and can’t receive the 2FA code?
Most 2FA systems allow users to add a second phone number or a supplemental email address for just this type of situation. Even if the second phone number is a landline that’s not text message-compatible, many two-factor authentication systems can supply an authentication code via a voice message.
Many services can also provide a special code that can be printed out and saved in a safe place. Sure, it’s old school, but you’ll appreciate it if you need it. As I’ve mentioned before, don’t just copy and paste the code to your device’s notes app. If you lose the device, then you’ve lost the code.
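The printed backup code mentioned in the lockout section above and again here is only as safe as the way the service stores it: if the codes sit in the database in clear text, a database breach hands out a second factor for every user. As an added example (written for this article, not code from the original page or from any of the services named), here is how a service can issue a batch of single-use recovery codes and keep only salted hashes of them. The alphabet, the ten-codes-of-ten-characters format, and the PBKDF2 iteration count are assumptions.

```python
import hashlib
import hmac
import secrets

# Assumed alphabet: letters and digits that are easy to read back from paper
# (no 0/o, 1/l/i) so a user typing a printed code makes fewer mistakes.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def generate_recovery_codes(count: int = 10, length: int = 10) -> list:
    """Return `count` random codes, each `length` characters long and written
    as two groups (e.g. 'k7m2p-q9xw4') for easier transcription."""
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        codes.append(raw[: length // 2] + "-" + raw[length // 2:])
    return codes


def _normalize(code: str) -> str:
    # Users will type with or without the dash, spaces, or capitals.
    return code.replace("-", "").replace(" ", "").strip().lower()


def hash_code(code: str, salt: bytes) -> bytes:
    # Recovery codes are short and guessable offline, so a slow hash is used
    # rather than a bare SHA-256. 100,000 iterations is an assumed setting.
    return hashlib.pbkdf2_hmac("sha256", _normalize(code).encode(), salt, 100_000)


class RecoveryCodeStore:
    """What the service keeps for one user: a salt, the hashes, and a used
    flag per code. The plain codes are shown to the user once and then
    discarded; each code redeems exactly once."""

    def __init__(self, codes: list):
        self.salt = secrets.token_bytes(16)
        self.hashes = [hash_code(c, self.salt) for c in codes]
        self.used = [False] * len(codes)

    def redeem(self, candidate: str) -> bool:
        digest = hash_code(candidate, self.salt)
        for i, stored in enumerate(self.hashes):
            if not self.used[i] and hmac.compare_digest(stored, digest):
                self.used[i] = True  # burn it so a copied code is worthless
                return True
        return False

    def remaining(self) -> int:
        return self.used.count(False)


if __name__ == "__main__":
    issued = generate_recovery_codes()
    print("Print these and keep them somewhere safe:", issued)
    store = RecoveryCodeStore(issued)
    print("first use:", store.redeem(issued[0]))   # True
    print("second use:", store.redeem(issued[0]))  # False
    print("codes left:", store.remaining())        # 9
```

One salt per user (rather than per code) means a redemption hashes the typed value once and compares it against every unused entry, which keeps login latency flat as the list grows; the used flag is what makes a code useless to anyone who photographs the printout after it has been spent.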
Check to See if Your Favorite Website or Service Supports 2FA
While not all websites and other online services provide a two-factor authentication option to their users, more of them are adding the option all of the time. If you’re curious whether or not your favorite website offers 2FA, you can visit Turn It On.
Turn It On allows you to search for information on whether or not a particular website or other online service offers the extra layer of security. In addition, the website provides step-by-step instructions for enabling 2FA on websites that offer it.
Double Up on Your Protection
Two-Factor Authentication provides the additional layer of protection for your online accounts that makes a real difference when keeping your valuable personal and business information safe from prying eyes.
By taking just a few moments on each website, you can easily add another wall between your information and the bad actors that would love to get their hands on it.
Two-Factor Authentication FAQs
How Does Two-Factor Authentication Increase Security?
Two-factor authentication requires users to not only enter a username and password to log in to their account, but also a passcode that is sent to a confirmed email address or phone number, or that is generated by a trusted authentication app.