Skip to main content

How to Turn On 2-Step Verification

An extra security layer

The latest major trend in online account security is two-factor verification, also known as two-step authentication, a simple protocol that requires users to enter a second piece of verification along with their normal password.

Most frequently, the second piece of verification is a one-time-use numerical code, sent by the online service via text message to the user's mobile phone.

Other forms of secondary verification include one-time codes generated by Google's Authenticator smartphone app, or similar codes generated by stand-alone keychain authentication tokens such as those made by RSA Security.

Two-factor authentication makes it much more difficult for hackers to break into your account, because the process requires you to provide not only something that you know (your password) but also something that you have (a one-time code).

Two-factor trend-setting

Following a wave of Gmail account hijackings, Google added the option of two-step verification in early 2011.

A few months later, Facebook followed suit, and later added its own stand-alone code generator for users who couldn't receive, or didn't want to wait for, texted codes. Yahoo added a two-step option by the end of 2011.

Dropbox added the feature in 2012, but the first six months of this year saw the feature go mainstream: Microsoft, Apple, Twitter, Evernote, LinkedIn and WordPress all added optional two-factor verification. (Apple's covers only iTunes Store purchases, not iCloud accounts.)

Why you need it

If you’re reading this, chances are you have at least two online accounts that offer two-factor authentication as an enhanced security feature. But it will only protect you and your private data if you turn it on.

"It’s like seat belts in the car. They work really well if you buckle up," said British independent security expert Graham Cluley. "When it’s made available to you, you should use it."

As Cluley explained, with two-factor authentication in place, it’s much more difficult for hackers to crack accounts by simply guessing a password.

To successfully capture the disposable code texted to the account holder’s phone, criminals would have to have physical access to the owner’s phone, or would have to elaborately "spoof" a fake login page to trick the account owner into giving up the details voluntarily. While it's rare, such an occurrence can happen.

"The real site sends you the code and then the bogus site will ask you to enter the code," Cluley said. "You would have what's known as a man-in-the-middle attack, where they trick you into entering your username and password. The bogus website acts as a go-between."

Most people, thankfully, don’t have to worry about such hacks. In most cases, an attack is not designed to steal state secrets; instead, it's a product of opportunity, or perpetrated for personal reasons by someone that the victim knows.

Cluley said although some people complain about the nuisance of the added step, they ultimately have to make a decision to be safe.

"How much of a nuisance is that compared to the nuisance of losing control over your Gmail account, and who knows what else?" he asked.

The inconvenience can be brief. Most online services will "remember" the devices that users have verified once through two-step verification, such as frequently used laptops and smartphones, and will only ask for the second factor when the user attempts to log on from an unfamiliar device. 

That way, if someone tries to log in from a different device, that person will be asked for the second verification factor — and the real user will be alerted via email or text message.

We can’t stress it enough: If two-step verification is available, turn it on. A verified login protocol, combined with a strong password, will go a long way toward keeping unwanted intruders from gaining access to your important files and accounts.

Read on to learn how to manage two-factor authentication across the most popular networks on the Web.