Two-Factor Authentication, also called multi-factor authentication or two-step verification (“2FA” for short), is an easy way to add an additional layer of security to your accounts. Most of your online accounts, from email to social media and beyond, offer this relatively simple layer of protection to help you keep your data secure. In short, 2FA requires you to present two (or more) distinct pieces of evidence that you are who you say you are before you can gain access to an account. Single-Factor Authentication, on the other hand, requires only one piece of evidence. For most online accounts, the 2FA process starts with your password. Once you’ve entered that correctly, you’ll be asked for another piece of information, like the first car you owned or a unique number generated by an authentication system and sent to your phone. It’s like what you do with your debit card, the so-called “chip and PIN” method: first you insert your card’s chip, then you verify your identity by entering a PIN.
With all the leaks, hacks, malware, and phishing schemes out there, it’s critical to deploy as many security measures as possible on as many accounts and as much data as you can, and multi-factor authentication has become a key part of that. Perhaps you have already started using unique, complex passwords and a password manager like Dashlane, LastPass, 1Password, or KeePass to help you generate and store your strong passwords. That’s necessary, but it isn’t sufficient. Two-Factor Authentication is another piece of the security puzzle, making it much harder for would-be attackers to get the evidence they need to access your accounts and the sensitive data in them.
Common Two-Factor Authentication Tools
With just a couple of clicks in the settings menu, you can enable 2FA on many of your most important accounts. The technology and user experience vary, but they all have the same goal: requiring you to prove your identity using something you know, like your password, plus something you have, like a code generated by your phone, an app, or a special security key, or something you are, like your fingerprint, face identification, eye scan, or other biometric screen. Sometimes you can choose which 2FA method you use. Sometimes you only have one option. Sometimes you don’t have any.
Text Messaging (or SMS)
This one is fairly ubiquitous. Once you’ve enabled SMS 2FA, you’ll provide a phone number. When you next log in, you’ll enter your username and password. Then you’ll be asked to enter a short code that gets texted to your phone. It isn’t foolproof, but it is an excellent start. Some software will also give you the option for a phone call to your mobile device to deliver the code.
Authenticator Apps
Many companies and apps use a tool like Google Authenticator, a software token app that generates a unique 6-digit number every 60 seconds (or so). These time-based one-time password generators (“TOTP”) are part of the Open Authentication (“OATH”) architecture that you sometimes see with the “Log in with Google” or “Log in with Facebook” buttons. There are many different authenticator apps out there, like Authy, Microsoft Authenticator, FreeOTP, Sophos Authenticator, Duo Mobile, Kamzan, LastPass Authenticator, and more. Google’s Authenticator app is the most popular and prevalent.
After you enter your password, you’ll be asked to verify your identity with 2FA. You open your authenticator app, find the one-time password, and enter it into the application to gain access. If you don’t have your phone with the authenticator app, you won’t be able to access the account.
Using Google Authenticator (or another TOTP app) with your apps and accounts is quick and easy. The account you’re securing will walk you through the process. And if you’re worried about losing access to Authenticator, you’ll often be able to move your Authenticator account to a different phone or device as needed. You can also sign in from a trusted computer (something you would have set up previously) to use other 2FA options to access your account without the TOTP. If you’re locked out of both your authenticator and your account, most companies have account recovery forms you can submit to get your account back. Just make sure that the backup contact information you submit is correct and up to date.
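To show what an authenticator app is actually computing, here is an added example (not code from the original post or from any authenticator vendor) of TOTP as specified in RFC 6238: an HMAC-SHA1 over a counter derived from the current Unix time, dynamically truncated to a 6-digit code. The step length is a parameter; the RFC default is 30 seconds, which is why the code changes more often than once a minute on most apps. The secret below is constructed for the example (it is the RFC’s published reference key, base32-encoded), and the server-side `verify_totp` accepts one step of drift either side and compares in constant time so the check itself does not leak the correct code.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed example secret: the RFC 6238 reference key "12345678901234567890",
# base32-encoded the way authenticator apps expect it. Not a real account secret.
EXAMPLE_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    then 'dynamic truncation' to a short decimal code."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # low nibble of last byte picks the window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros


def totp(secret_b32: str, at_time: Optional[int] = None,
         step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP where the counter is Unix time // step."""
    key = base64.b32decode(secret_b32.upper())
    if at_time is None:
        at_time = int(time.time())
    return hotp(key, at_time // step, digits)


def verify_totp(secret_b32: str, submitted: str, at_time: Optional[int] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check. Tolerates `window` steps of clock drift either side of
    the current step and uses a constant-time comparison for each candidate."""
    if not (submitted.isdigit() and len(submitted) == digits):
        return False
    if at_time is None:
        at_time = int(time.time())
    key = base64.b32decode(secret_b32.upper())
    counter = at_time // step
    matched = False
    for c in range(counter - window, counter + window + 1):
        # No early return: every candidate is compared so timing is uniform.
        if hmac.compare_digest(hotp(key, c, digits), submitted):
            matched = True
    return matched


if __name__ == "__main__":
    # The same secret on the phone and on the server yields the same code
    # for the same 30-second step; that shared secret is the whole trick.
    print("Current 6-digit code:", totp(EXAMPLE_SECRET_B32))
```

A real server would also remember the last counter it accepted for a user and refuse to accept that counter again, so that a code observed once (for example over someone’s shoulder) cannot be replayed inside the drift window.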
Push Notifications and Trusted Devices
Apple users may have noticed a clever new push-based 2FA method recently: Trusted Devices. This is already familiar to those of you who regularly sign in to your Google Account from different or new devices. If you’re trying to log in on one device, you’ll get a prompt on another device indicating that someone is trying to log in to your account. It is faster and easier than some other options, and you can often see location data that tells you when someone is trying to log in from a place that doesn’t make any sense. If you see someone trying to access your account from Crimea and you’re in Cleveland, maybe you don’t authorize the access…
Security Keys
A newer 2FA method has emerged recently that requires a physical “key” to access your accounts. You’ll set this up through the account you’re trying to protect and, on your next login, you’ll be asked to connect the security key to your device and tap it to allow the login. On the upside, these keys don’t require you to type in a code and they are very secure. But they can be expensive and aren’t yet universally supported, and they don’t usually work well with a mobile device (since most use USB ports).
Backup Codes
Finally, some apps will give you a set of “backup codes.” Evernote, for example, gives you a set of codes that you can print and store in a safe place. If you ever lose access to your other 2FA method, you grab your piece of good old-fashioned paper, type in one of the backup codes, and you’re back up and running in no time.
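Backup codes are worth understanding from the service’s side, because what makes them safe is that each one works exactly once and the service never stores them in the clear. The following is an added illustration (not Evernote’s or any vendor’s code) of the pattern: codes are generated with the `secrets` module, only salted PBKDF2 hashes are kept, and redeeming a code removes it so it cannot be reused. The alphabet, code length and iteration count are choices made for this example.

```python
import hashlib
import hmac
import secrets
from typing import List, Set

# Alphabet chosen for the example: no 0/O, 1/I/l look-alikes, so codes survive
# being printed on paper and typed back in by hand.
CODE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
CODE_LENGTH = 10
PBKDF2_ROUNDS = 50_000  # example value; tune to your server's budget


def generate_backup_codes(count: int = 10) -> List[str]:
    """Return `count` random codes formatted as xxxxx-xxxxx for printing."""
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
        codes.append(f"{raw[:5]}-{raw[5:]}")
    return codes


def _normalize(code: str) -> str:
    """Accept what a human typed: strip whitespace/hyphens, ignore case."""
    return code.strip().lower().replace("-", "").replace(" ", "")


def _hash_code(code: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", _normalize(code).encode(), salt, PBKDF2_ROUNDS)


class BackupCodeStore:
    """What the service keeps: a per-user salt and the hashes of unused codes.
    The plaintext codes exist only on the user's printed sheet."""

    def __init__(self, codes: List[str]) -> None:
        self.salt = secrets.token_bytes(16)
        self.unused: Set[bytes] = {_hash_code(c, self.salt) for c in codes}

    def redeem(self, submitted: str) -> bool:
        """Consume one code. Returns True once per code, then False forever."""
        candidate = _hash_code(submitted, self.salt)
        for stored in list(self.unused):
            if hmac.compare_digest(stored, candidate):
                self.unused.discard(stored)   # one-time use: burn it on success
                return True
        return False

    def remaining(self) -> int:
        return len(self.unused)


if __name__ == "__main__":
    sheet = generate_backup_codes()
    store = BackupCodeStore(sheet)
    print("Print and keep these:", *sheet, sep="\n  ")
    print("First code accepted:", store.redeem(sheet[0]))
    print("Same code again:", store.redeem(sheet[0]))
    print("Codes left:", store.remaining())
```

When a user has burned most of the sheet, the service should prompt them to generate a fresh set, which replaces all of the old hashes at once rather than topping up the existing ones.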
How Do I Enable Two-Factor Authentication On My Accounts?
Google and Gmail
To set up 2FA for your Gmail account, first go to your Google Account at myaccount.google.com. On the left-side menu, you’ll see “Security.”
Click it. You’ll head into a menu where you can enable 2FA if you haven’t already. Follow the instructions to enable extra security on your account.
Apple
On your iPhone or iPad, go to Settings/[Your Name]/Password & Security. You can enable 2FA from there. You’ll be prompted to enter and verify a trusted phone number where you’ll receive verification codes.
On your Mac, click on the Apple menu to navigate to System Preferences/iCloud/Account Details to access the security options and get a verification code.
Microsoft and Outlook
To enable 2FA for your Microsoft account, navigate to account.microsoft.com/security. From there, you’ll see options to turn 2FA on or off. Just follow the instructions and you’re set!
Microsoft uses its own Microsoft Authenticator app (obviously), so you’ll need to download Microsoft Authenticator if you want something more than code verification for 2FA on Outlook.
Yahoo, Facebook, Amazon, HubSpot, Twitter, Etc.
By now, you’ve figured out how and where to enable 2FA on your accounts. For most of your accounts, you’ll be able to change your security settings to enable 2FA. Importantly, many of the cloud-based practice management software tools give you 2FA options. You should use them. Your data is valuable to you and tempting to hackers. You can also check whether an app, service, or online account offers 2FA by visiting twofactorauth.org.
Have you had any issues with 2FA before? Do you have any other thoughts about it? Do you have any suggestions for other things we should cover in this blog? Let us know in the comments!