Two-Factor Authentication: Who Has It and How to Set It Up
In 2014, the Heartbleed exploit left everyone's login information potentially up for grabs thanks to one itty-bitty piece of code, and in the past few years our security nightmares have only gotten worse.
What's the average internet user to do? Well, you should definitely change your passwords—regularly! Passwords are a pretty laughable method of authentication and can be scooped up by scammers pretty easily, by anything from sheer brute force to simple phishing.
What you really need is a second way to verify yourself. That's why many internet services, a number of which have felt the pinch of being hacked, offer two-factor authentication. It's sometimes called 2FA, or used interchangeably with the terms "two-step" and "verification" depending on the marketing. Even the White House once had a campaign asking you to #TurnOn2FA. But what is it exactly?
Biometric scanners for fingerprints, retinas, or faces are on the upswing thanks to innovations such as Apple's Face ID and Windows Hello. But in most cases, the extra authentication is simply a numeric code: a few digits sent to your phone, which can only be used once.
You can get that code via text message or a specialized smartphone app called an "authenticator." Once linked to your accounts, the app displays a constantly rotating set of codes you can use whenever needed—and it doesn't even require an internet connection. The arguable leader in this area is Google Authenticator (free on Android and iOS). Twilio Authy, Duo Mobile, SAASPASS, and LastPass Authenticator, among others, all do the same thing on mobile and some desktop platforms, and the majority of popular password managers have 2FA by default.
The codes provided by authenticator apps sync across your accounts, so you can scan a QR code on a phone and get your six-digit access code on your browser, if supported.
Here's a video Google made about two-step verification basics, which provides a good idea of what's involved.
Be aware that setting up 2FA can actually break access to some other services. For example, if you have 2FA set up with Microsoft, that's great—until you try to log into Xbox Live. That interface has no facility to accept the second code. In such cases you must rely on app passwords—a password you generate on the main website to use with a specific app (such as Xbox Live). You'll see it come up with Facebook, Twitter, Microsoft, Yahoo, Evernote, and Tumblr—all of which either are used as third-party logins or have functions you can access from within other services. The need for app passwords is, thankfully, dwindling with the passage of time.
Remember this as you panic over how hard this all sounds: being secure isn't easy. The bad guys count on you being lax in protecting yourself. Implementing 2FA will mean it takes a little longer to log in each time on a new device, but it's worth it in the long run to avoid some serious theft, be it of your identity, data, or money.
The following is not an exhaustive list of services with 2FA ability, but we cover the major services everyone tends to use, and walk you through the setup. Activate 2FA on all of these and you'll be more secure than ever.