Your password habits stink. You need to turn on multi-factor authentication. This will add a much-needed layer of security to your online accounts, and it’s a lot easier than you think.
How do you get two-factor authentication?
First, download & install a trusted two-factor authentication smartphone app. Then, visit each of your online accounts (especially the important ones) and turn on the option offered by the website or app. After confirming setup, safely store your backup codes.
Don’t worry. This is all free of charge and only takes a few minutes. Let’s jump right into more detailed steps. Later, I’ll go over more important information about two-step or two-factor authentication (2FA).
How To Get Two-Factor Authentication
1. Choose an App
Two-factor authentication consists of something you know and something you have. While your password is the something-you-know part, we’ll use your smartphone as the thing you have.
Several apps provide 2FA functionality. Here is an ordered list of my suggestions:
- FreeOTP+: open-source, export/backup capability
- Aegis Authenticator: open-source, better-looking
- Authy: most-trusted commercial app
Try to avoid using a 2FA app from the big tech companies.
Install one of the above options on your smartphone, then play with it. Get familiar with the list, menu options, settings, etc.
2. Visit Your Accounts & Find the Setting
Let’s start with one of your less-important accounts to get familiar with the process.
As an example, I’ll use my account on the forum site Reddit. I only occasionally log in to the service, and it’s not as important as, say, my email account or banking site.
Hang in there with me. Sometimes websites bury this setting a bit.
First, we find User Settings listed in the main menu.
Under Privacy & Security, we click the Two-factor authentication option.
There’s a “click to enable” at the bottom of the page. (Yup, pretty buried; Twitter’s worse)
3. Scan the QR code
A QR code appears on the screen. We use our two-factor authentication app to scan it.
Reddit is added to the list of accounts in our app. A time-based, 6-digit number is displayed, which changes every 30 seconds (sometimes faster).
4. Test your generated code
We enter these digits into the text box and click the Enable Two-Factor button.
This is a verification step that confirms that our smartphone app is set up correctly as the authenticator for the account.
Reddit displays a message on screen confirming the process is complete.
5. Save your backup codes
Before we head off to the next account, we need a backup in case our smartphone dies, the 2FA app is erased, or something else prevents us from being able to generate new 6-digit codes.
In the Reddit example, as on most websites, we’re given an option to “generate” and record backup codes.
Write your backup codes in a notebook and store them securely.
Rinse and repeat
Now that we’re familiar with how this works, repeat steps 2 through 5 for your email account.
For example, Gmail users will enable 2FA on their Google Account page.
iCloud email users can find great instructions on Apple’s support page which will guide you through the process.
The methods for enabling 2FA will vary from service to service. It’s impractical to list every service here. Generally, you’ll find your two-factor authentication option in the website/app’s Settings or Profile area under a Security section.
Note: Using an authenticator app is more secure than using an SMS/text message for this feature. If your site, service, or app offers only the SMS method, then use that option. It’s better than using only a password.
You’re all set up and so much more secure than with just a password.
What Two-Factor Authentication Does For You
You’re probably wondering what two-factor authentication actually does for you.
In our Reddit example, the site will ask us for a temporary code from our authenticator app each time we log in.
As I accused you at the beginning of the article, most of us are using passwords that are insecure, have been reused, or are potentially already cracked. Two-factor authentication gives us a second layer of protection on our accounts.
A hacker now needs to have your phone even if they’ve stolen your username and password for a site.
Remember that adding two-step authentication does not make your account bullet-proof. It makes it significantly more difficult for an attacker.
Can 2 Step Verification Be Hacked?
Yes, your two-step verification/authentication process can be hacked. Here are some potential attacks:
- Your smartphone could be stolen, and without a long PIN, your authenticator app could be used.
- You might have installed a sketchy smartphone app that could steal your 2FA data and transmit it off your device.
- An attacker might also try to get you or your website company to disable two-factor authentication on your account.
- Your notebook of backup codes could be stolen.
Security is a constant struggle between offense and defense.
We could add a biometric, third-factor “something you are” to your logins like a fingerprint, eye scan, etc. But now we’re sacrificing convenience and accessibility.
The two best things we can do are:
- Be a harder target. Make accessing your data harder than the next user.
- Keep your “factors” separate. Your passwords should be in a password manager. Your smartphone should be with you most of the time. Your backup code notebook can be kept at your family or friend’s house.
Sharing and Multi-Device Two-Factor Authentication
Sometimes you might want your partner to access shared accounts. Maybe it’s more convenient to use your primary smartphone and a tablet to generate a temporary 2FA code. Sharing and multi-device use of an authenticator app increases your risk of two-factor authentication failing.
Remember that your second factor is “something you have”. Well, now you and other people can “have” your second factor. You can see that this makes two-factor authentication weaker.
I do not recommend using shared or multiple devices, but you should think about the risks and do what works best for your situation.
Online Backups of Your Authenticator Data
Some of the authenticator apps offer the ability to back up your list of accounts. This too weakens your two-factor process.
I’m torn over this point if I’m being completely honest.
- On one hand, I have my backup codes notebook which permits access & reset of my two-factor settings.
- On the other hand, I have a list of 48 accounts listed in my authenticator app and this is growing as more sites add 2FA.
At the moment, I recommend only using your backup codes notebook. I’ll update this recommendation as I refine my research and process. 🙂
Data breaches and cyber-attacks are more frequent as we shift our data and time spent online. Two-factor authentication is easy to set up and worth the additional protection. As more websites and services offer this function, take a few minutes to locate the setting and switch it on. This added layer of security can help save you time, money and hassle.
Related Questions & Tips
How do I turn off two-factor authentication?
To turn off two-factor authentication, go to the website, app, or phone settings typically labeled “Security.” Look for an option that permits toggling on & off this feature. Generally, two-factor authentication should not be turned off once established. This weakens the protected account.
Is two-factor authentication safe?
Two-factor authentication is safe and a recommended addition to account security. It offers an additional layer of protection against attacks and data breaches. The primary risk is loss or theft of the two-factor device which can be mitigated using backups or an alternate factor, like biometrics.
What are the requirements for two-factor authentication?
There are two typical requirements for two-factor authentication. First is something you know like a password or PIN. The second is something you have or possess like a smartphone authenticator app, USB hardware key, or paper with codes. To begin, simply enable 2FA on your accounts.