Two-Factor Authentication: Who Has It and How to Set It Up

Everyone is concerned about online safety. Whether you use Google and Twitter or TeamViewer and Dreamhost, keep your services secure with two-factor authentication.

Written by Eric Griffith / Courtesy of PCMag

In 2014, the Heartbleed exploit left everyone’s log-in information potentially up for grabs thanks to one itty-bitty piece of code. But what is a person afraid for their security to do? Well, you should definitely change your passwords—regularly! Whether cracked by sheer brute force or harvested by simple phishing, passwords are, to be honest, a pretty laughable means of authentication on their own.

What you really need is a second factor of authentication. That’s why many internet services, a number of which have felt the pinch of being hacked, have embraced two-factor authentication for their users. It’s sometimes called 2FA, or used interchangeably with the terms “two-step” and “verification” depending on the marketing. Even the White House has a campaign asking you #TurnOn2FA.

But exactly what is it?

As PCMag’s lead security analyst Neil J. Rubenking puts it, “there are three generally recognized factors for authentication: something you know (such as a password), something you have (such as a hardware token or cell phone), and something you are (such as your fingerprint). Two-factor means the system is using two of these options.”

The problem is that biometric scanners for fingerprints and retinas are still far from ubiquitous as that second factor. In most cases, the extra authentication is simply a numeric code: a few digits sent to your phone, which can be used only once.

More and more services support a specialized app on the phone called an “authenticator,” which will do that same job. The app, pre-set by you to work with the service, has a constantly rotating set of codes you can use whenever needed—and it doesn’t even require a connection. The arguable leader in this area is Google Authenticator (free on Android, iOS, and BlackBerry). Twilio Authy (free on iOS including Apple Watch, Android, BlackBerry, macOS, Windows, and the Chrome browser) and Duo Mobile (on iOS, Android, BlackBerry, and Windows Phone) do the same thing, and with far more color and style; both make Google’s app look washed out and ancient. Password manager LastPass launched a 2FA authenticator for iOS and Android as well. The codes in authenticator apps sync across your accounts, so you can scan a QR code on a phone and get your six-digit access code on your browser, if supported.

Here’s a video Google made about two-step verification basics; it provides a good idea of what’s involved.

Be aware that setting up 2FA can actually break the access within some other services. For example, if you have 2FA set up with Microsoft, that’s great—until you try to log into Xbox Live on the Xbox 360. That interface has no facility to accept the second code. In such cases you must rely on app passwords—a password you generate on the main website to use with a specific app (such as Xbox Live). You’ll see it come up with Facebook, Twitter, Microsoft, Yahoo, Evernote, and Tumblr—all of which either are used as third-party logins or have functions you can access from within other services. The need for app passwords is, thankfully, dwindling with the passage of time.

Remember as you panic over how hard this all sounds: being secure isn’t easy. The bad guys count on you being lax in protecting yourself. Implementing 2FA on accounts will mean it takes a little longer to log in each time on a new device, but it’s worth it in the long run to avoid some serious theft, be it of your identity, data, or money.

The following is not an exhaustive list of services with 2FA ability, but we cover the major services everyone tends to use, and walk you through the setup. Activate 2FA on all of these and you’ll be more secure than ever.

Google 2-Step Verification

With access to your credit card (for shopping on Google Play), important messages and documents, and even your videos on YouTube—essentially your whole life—a Google account has to be well-protected. Thankfully, the company has been working on 2FA systems since 2010.

Google calls its system 2-Step Verification. It’s all about identifying you via phone. When you enter a password to access your Google account for almost any service, if 2-Step Verification is on, there are multiple options to get that second step. First among them now: the Google Prompt. You simply add your smartphone to your account, make sure the Google search app is on the phone, and at login, you can go to the phone and simply acknowledge that you were the one signing in. Easy.

If that doesn’t work, you’ll need to enter an extra code. That code is sent to your phone via SMS text, a voice call, or by using an authenticator app. On your personal account, you can opt to register your computer so you don’t have to enter a code during every sign-in. If you have a G Suite account for business, you can opt to only receive a code every 30 days.

Google Authenticator—actually, any authenticator app—can generate the verification code for you, even if your smartphone is not connected to the internet. You must sign up for 2-Step Verification before you can use it. The app will scan a QR code on the desktop screen to give you access, then generate a time-based or counter-based code for you to type in. It replaces getting the code via text or voice calls or email. Authenticator apps also work with other services, like LastPass, WordPress, Facebook, Evernote, Microsoft, IFTTT, Dropbox, Amazon, and Slack.

Once you’ve set up Google 2-Step Verification, access it again by visiting your Google account security settings. There you can select the phone numbers that can receive codes, switch to using an authenticator app, and access your 10 unused backup codes, which can be printed to take with you for emergencies (such as if your phone dies and you can’t get to the authenticator app).

This is also where you generate app-specific passwords. Let’s say you want to use your Google account with a service or software that doesn’t use the standard Google login (I ran into this with Trillian on iOS). You typically get shut out of such a service if you’ve got 2-Step Verification activated, and will need an app-specific password to sign in to it with your Google credentials.

Continue reading the entire original article over at PCMag.