In 2014, the Heartbleed exploit left everyone’s login information potentially up for grabs thanks to one itty-bitty piece of code, and in the past few years our security nightmares have only gotten worse. In fact, more data was leaked in the first half of 2017 than in all of 2016 combined.
Things aren’t getting any easier in 2018, so what is the average internet user, worried about their security, to do? Well, you should definitely change your passwords—regularly! Whether cracked by sheer brute force or surrendered to simple phishing, passwords are, to be honest, a pretty laughable method of authentication.
What you really need is a second factor of authentication. That’s why many internet services, a number of which have felt the pinch of being hacked, have embraced two-factor authentication for their users. It’s sometimes called 2FA, or used interchangeably with the terms “two-step” and “verification” depending on the marketing. Even the White House once had a campaign asking you to #TurnOn2FA. But what is it exactly?
As PCMag’s lead security analyst Neil J. Rubenking put it, “there are three generally recognized factors for authentication: something you know (such as a password), something you have (such as a hardware token or cell phone), and something you are (such as your fingerprint). Two-factor means the system is using two of these options.”
Biometric scanners for fingerprints and retinas or faces are on the upswing thanks to innovations such as the iPhone X’s Face ID and Windows Hello, but we are still far from ubiquity. In most cases, including 2FA for your Google account and other popular services, the extra authentication is simply a numeric code: a few digits sent to your phone, which can be used only once.
Many services support a specialized app on the phone called an “authenticator,” which will do that same job. The app, pre-set by you to work with the service, has a constantly rotating set of codes you can use whenever needed—and it doesn’t even require a connection. The arguable leader in this area is Google Authenticator (free on Android and iOS). Twilio Authy, Duo Mobile, and LastPass Authenticator, among others, all do the same thing on mobile and some desktop platforms, and the majority of popular password managers have 2FA built in.
The codes provided by authenticator apps sync across your accounts, so you can scan a QR code on a phone and get your six-digit access code in your browser, on services that support it.
Here’s a video Google made about two-step verification basics, which provides a good idea of what’s involved.
Be aware that setting up 2FA can actually break the access within some other services. For example, if you have 2FA set up with Microsoft, that’s great—until you try to log into Xbox Live. That interface has no facility to accept the second code. In such cases you must rely on app passwords—a password you generate on the main website to use with a specific app (such as Xbox Live). You’ll see it come up with Facebook, Twitter, Microsoft, Yahoo, Evernote, and Tumblr—all of which either are used as third-party logins or have functions you can access from within other services. The need for app passwords is, thankfully, dwindling with the passage of time.
Remember this as you panic over how hard this all sounds: being secure isn’t easy. The bad guys count on you being lax in protecting yourself. Implementing 2FA on accounts will mean it takes a little longer to log in each time on a new device, but it’s worth it in the long run to avoid some serious theft, be it of your identity, data, or money.
The following is not an exhaustive list of services with 2FA ability, but we cover the major services everyone tends to use, and walk you through the setup. Activate 2FA on all of these and you’ll be more secure than ever.