Many websites offer enhanced account security in the form of two-factor authentication. We explain what it is, why you should use it and how to get started.
Lately, it seems that each new week brings a fresh revelation about a website security breach and an urgent call to change your password on said site, as well as any other site where you used the same password (admit it, you do this). Most recently, a serious flaw was discovered in the ubiquitous OpenSSL cryptography software—aka Heartbleed. And even though there was no evidence that the flaw had been exploited, Heartbleed sent the Internet into a (justifiable) conniption, with millions of people scrambling to change account passwords for countless vulnerable Web services.
The cavalcade of site hacks (real or potential) isn’t likely to abate anytime soon, but there is something you can do to protect yourself and your small business. Setting up two-factor authentication (or 2FA for short)—on websites that support it—gives your online accounts an added layer of security. Note: you might find that some websites use different terms such as "two-step verification." Don’t fret, it's the same thing.
Ready to learn more? We'll explain 2FA, how it can protect you, and where to find it on some of the most popular websites.
Understanding Two-Factor Authentication
Since the dawn of the commercial Internet you’ve been urged to learn how to create strong passwords. Doing so minimizes the chance of hackers discovering your password through guesswork. But when bad guys compromise a website’s security defenses, they don’t have to guess your password—they can see it. And at that point it doesn’t matter whether the password was Joe2014 or 255 characters long with a mix of numbers, punctuation, and cuneiform.
Simply put, 2FA throws up an extra roadblock to account access should someone get their hands on your password, regardless of whether they’ve guessed it or stolen it from the site itself. As the name indicates, 2FA introduces a second method of proving that you are who you say you are.
The first is your password (something you know). A second can be something you have, such as a piece of hardware. This is how most websites and services implement 2FA, leveraging the fact that just about everyone nowadays walks around with a mobile phone. Yet another authentication factor can be something you are, such as your fingerprint, voice, or face but, practically speaking, we’re still some distance from using personal characteristics to log into Web services.
Depending on how a particular site has implemented it, 2FA is typically handled one of two ways. Either the site sends a numeric code (usually four to six digits) to your phone via SMS text message, or the code is generated by an authenticator app running on your phone (such as Google Authenticator, which is free for Android, iOS and—that most-ancient of mobile devices—the BlackBerry). A site that supports 2FA will prompt for the numeric code after you supply your password; enter the code and you’re in—otherwise, no access.
The benefit of the SMS method is that it can be used on any mobile phone, not just smartphones, and the authenticator app method works even if your phone isn’t connected to the Internet. In either case, the code you get has a shelf life; it expires after a few hours, and you can use it only once.
So what’s the catch? Well, more security always means less convenience, and logging onto sites with 2FA does take a tiny bit more time and effort, but only the first time you log in from a particular computer or device because you can register those you own to eliminate subsequent code challenges.
The other wrinkle comes up when you’re accessing a particular service via a third-party service or piece of software. For example, if you enable 2FA on your Google account and access your Gmail using, say, Microsoft Outlook or the iOS mail app, they won’t work anymore (since Outlook and the iOS mail app have no way to challenge you for the numeric code). For these kinds of situations, services can provide you with new passwords specific to each app, which allow them to work within the 2FA framework.
How-to Activate Two-factor Authentication
Here’s how to find and enable 2FA settings on eight major websites you might use in connection with your small business. Remember: many sites use slightly different terminology, such as "two-step verification." Also, each of the following headings links to a page with detailed information about how 2FA works for that site or service.
Head over to the My Apple ID page, click Password and Security in the left margin, then click Get Started under Two-Step Verification. You’ll proceed through some caveats (such as the fact that your security questions will no longer apply and Apple won’t be able to reset your password), and then you can define trusted devices that can receive codes. Your options include either iOS devices with Find My Phone enabled or any SMS-capable phone. Apple may make you wait three days to enable two-step verification if you recently made changes to your account information.
From the Security tab under your account settings, look for Two-step verification and click Enable. Dropbox supports both SMS and authenticator apps, including the aforementioned Google Authenticator and several others. If you go the app route, Dropbox gives you the option of scanning an on-screen QR code to configure your authenticator app to work with the service.
Go to your account security settings and look for the "2-Step Verification" option to activate the feature. Choose to receive codes via SMS or the Google Authenticator app, and create app-specific passwords, if necessary.
Log into your Microsoft account, click Security & Password in the left margin, then look for Two-step verification and click Set up two-step verification. If you’ve previously registered your phone number with Microsoft, you may be required to verify your identity via your phone or an email address before you can change your security settings (which itself is 2FA).
As it happens, some of Microsoft’s products don’t support secondary security codes—including the desktop version of Microsoft Outlook and Windows Phone 8, so you’ll need special passwords for them. (See here for details on how to set up passwords for various Microsoft products and services.)
LastPass doesn’t do 2FA via SMS text messaging, but it does support a number of authenticator apps, including Google Authenticator. To use that app, start here, otherwise see the link above for instructions on how to set it up using other apps. If you have a LastPass Premium subscription, you have the option of using methods that support authentication via USB thumbdrive, smart cards, or a fingerprint.
Log into the service, click your icon at the upper-right of the page, then click Review next to Privacy & Settings. Then click Accoun, and, finally, Manage security settings. Under Two-step verification for sign-in, click Turn On and enter your phone number. As of this writing, LinkedIn doesn’t support authenticator apps, and it doesn’t support app passwords, which is why the service warns you that some LinkedIn applications will not be available when 2FA is turned on.
PayPal calls its version of 2FA Secuirty Key, and you can click that link to turn set it up. You can either use your mobile phone to receive codes, or if you feel like springing for $30, get a credit-card size hardware token that generates codes at the push of a button.
Visit your account security settings, and then look for Login verification at the top of the page. You can get your codes by SMS text or use Twitter’s own mobile app (iOS or Android only) as your authenticator. You can also set up 2FA directly from the mobile app—find the Settings menu, tap your name, then Security.
Joseph Moran is a veteran technology writer and co-author of Getting StartED with Windows 7, from Friends of ED.
|Do you have a comment or question about this article or other small business topics in general? Speak out in the SmallBusinessComputing.com Forums. Join the discussion today!