Why and Where You Can Enable 2-Factor Authentication
Remember the guy in the movie who would walk away from an explosion, with a stylish and confident gait, putting on his aviators just when everything behind him starts burning to ashes? He knows the fire won’t reach him. Something’s got his back and he knows it. If he were to be in the utterly boring world of password security, that something would have been 2-factor authentication.
Gmail can be hacked, and hackers can social engineer the security questions, but unless they physically kidnap you or get hold of your phone, they can’t get into your account if you have 2-factor authentication enabled.
Google’s ex-spam guru Matt Cutts said it best: “Two-factor authentication means ‘something you know’ (like a password) and ‘something you have,’ which can be an object like your phone.”
2-factor authentication works something like this: When you log in to a website, just entering your password isn’t enough. Once you’ve entered a password, you’ll get an authentication code on a physical device close to you. It can be an SMS on your phone or if you’re using one of the compatible services, the Google Authenticator app.
What You Need to Know about 2-Factor Authentication in General
- You don’t always have to use SMS to verify. You can use the Google Authenticator app for supported services, on your smartphone or tablet.
- If for some reason you can’t receive SMS, you can print out a set of one time backup codes and carry it with you.
- You don’t have to enter the authentication code every single time you log in. In services like Gmail, there’s an option to enter the authentication code once every 30 days when you’re using the same computer.
- When you’re logging in using a new computer or device, the 2-factor authentication is a must.
A Practical Guide to 2-Factor Authentication
A lot of major websites support 2-factor authentication now. Gmail, Dropbox, PayPal, etc. are all in. But the reality is that 2-factor authentication is cumbersome. It’s important but cumbersome.
So pick your most important services, where your files, mails, data and communication are stored, and use 2-factor just there.
Services Where You Can Enable 2-Factor Authentication
Google: Google can either send you a confirmation code via SMS or the Google Authenticator app which is available for iOS, Android and even BlackBerry. Devices can be saved for 30 days. Click here to enable it.
LastPass: We’ve covered LastPass’s 2-factor (hardware and software) authentication in detail in the password management apps section of this guide. LastPass partners with services like Google Authenticator, Toopher and Duo Security. You can also use YubiKey, which serves as a physical USB authenticator. Go to Settings on LastPass’s website and navigate to Multifactor options. To know how to enable Google Authenticator, see this.
Facebook: Facebook calls its 2-factor system “Login Approvals” and it sends you a 6 digit code via SMS. It also works with the Google Authenticator app. Enable it from here.
Twitter: Twitter’s 2-factor authentication is fairly straightforward. It will send you a 6 digit authentication code when you log in using a new device. That’s it. Click here to enable it.
LinkedIn: LinkedIn’s process is the same as Twitter where you’re sent a 6 digit code via SMS. Enable it from here.
Dropbox: For a lot of us, Dropbox is where we save all our files. You’ll want to make sure it’s well protected. Dropbox does the usual 6 digit code via the SMS bit but it also has support for apps like Google Authenticator, Duo Mobile and Authenticator app for Windows Phone. Check out Dropbox’s documentation page for a step by step guide on how to enable it.
Steam: If you’re a gamer, your credit card is already saved to a Steam account. Secure the account using 2-factor authentication by going to Steam -> Settings -> Manage Steam Guard Account Security in the Steam app.
Microsoft: Microsoft will send you a seven digit code via email or SMS when you use a new machine. Enable it from here.
Yahoo! Mail: Do you still have to use Yahoo! Mail? You can have a 6 digit authentication code sent in when you start using it on a new machine. Click here to enable it.
PayPal: If you use PayPal for business transactions, you’ll want to make it as secure as possible. PayPal will send a 6 digit code via SMS when you use it on a new machine. Click here to learn how to enable it.
Amazon Web Services: Amazon’s S3 and Glacier storage services support 2-factor authentication using Google Authenticator. Enable it from here.
Evernote: If you want to sleep peacefully knowing your personal thoughts are safe from the reach of hackers, turn on 2-factor authentication using Google Authenticator. Check out Evernote’s blog post to know how to do it.
WordPress: WordPress doesn’t have direct support for 2-factor authentication using SMS, but you can enable it using the Google Authenticator plugin.
More Websites with 2-Factor Authentication
The list of websites that offer 2-factor authentication is too long to cover in detail here. Thankfully Josh Davis, a computer science student, has compiled all the popular websites that have this feature at his site called Two Factor Auth. You’ll also find handy links to the corresponding documentation pages there.
His website also lists sites that don’t yet have this feature.
How to Use Authenticator Apps Instead of SMS
Google Authenticator is one of the most widely used 2-factor authenticator apps. You’ll see that most of the websites listed above support it.
But how exactly does it work?
When setting up Google Authenticator with a service, you either need to scan a QR code using the app or input details manually. Most of the time a QR code will do.
When you scan the QR code using the Google Authenticator app, it links the service with your physical device. Now every time you open the app, it will connect with the service and generate a new verification code that only lasts 30 seconds. The next time you log in using a new device, just open the Authenticator app and a new code will be there waiting for you.
You may add new accounts by going to the Set up an account section of the app.
Google Authenticator vs Authy
Just like Google Authenticator, Authy is a free third party service for managing 2-factor authentication codes. Authy has a Chrome app that can be used on Windows, Mac and Linux alongside the iOS, Android and BlackBerry app.
While Authy has security features like device based authentication, master and backup passwords (things that even Google Authenticator does not have), it’s still a third party app from a company you’ve never heard of.
It also allows you to manually input the authentication code while setting up a 2-factor authentication account. This is helpful if you don’t carry a modern smartphone with application support.
While the tight security is appreciated, it does make the app considerably harder to use. If you’re just starting out with 2-factor authentication, this extra barrier might be off-putting.
My advice: Start with Google Authenticator. It’s easy to use and despite its lack of features, it just works.