Skip to main content

A guide for two-factor authentication: Which websites offer it, and how to set it up

Heartbleed has us all scared, given that one itty bitty piece of code has left everyone's log-in information potentially up for grabs.

So what is a person to do? Well, you should definitely change your passwords on the sites that have patched their OpenSSL problems, but you should change your passwords regularly anyway! By sheer brute force or simple phishing, passwords are, to be honest, a pretty laughable way of authenticating who you are.

What you really need is a second factor of authentication. And that's why many Internet services, a number of which have felt the pinch of being hacked, are embracing two-factor authentication for their users. It's sometimes called 2FA, or used interchangeably with the terms "two-step" and "verification" depending on the marketing. But what is it?

As my colleague and security expert Neil J. Rubenking puts it: "There are three generally recognised factors for authentication: Something you know (such as a password), something you have (such as a hardware token or cell phone), and something you are (such as your fingerprint). Two-factor means the system is using two of these options."

We are far from ubiquity in terms of having biometric scanners for fingerprints and retinas as that second factor. In most cases, two-factor authentication is simply a numeric code of a few digits that's sent by SMS text message to your phone, which can only be used once.

More and more services are also now supporting a specialised app on the phone called an "authenticator," which will do that same job. The app, which is pre-configured by you to work with the service, has a constantly rotating set of codes you can use whenever needed — and it doesn't even require a connection. The arguable leader in this area is Google Authenticator (free on Android, iOS, and Blackberry). But Authy (free on iOS and Android) does the same thing, and with far more colour and style; it makes Google's app look washed out and ancient. There's also a number of authenticator apps for Windows Phone. And services like Toopher work with websites to try and develop a system that means you won't even pull out your phone; it claims it's already made Google Authenticator obsolete. But that's not ubiquitous yet, either.

Here's a video that Google made a couple of years ago which explains the basics of 2-Step Verification:

You should also be aware that setting up 2FA can actually break the access within some other services. For example, if you have 2FA setup with Microsoft, that's great — until you try to log into Xbox Live. That interface has no facility to accept the second code. In such cases you must rely on app passwords — a password you generate on the main website to use with a specific app (such as Xbox Live). You'll see it come up with Facebook, Twitter, Microsoft, Yahoo, Evernote, and Tumblr — all of which are used as third-party logins, or have functions you can access from within other services.

Remember as you panic over all this: Being secure isn't easy. But that's exactly what the bad guys count on — that you'll be lax in protecting yourself. So while implementing 2FA on your accounts will mean it takes a little longer to log in each time, it's worth it in the long run to avoid some serious theft risks, in terms of your identity, your data, or even your money.

What we have here isn't an exhaustive list of services with 2FA supported — for that, check out this list of banks, web hosts, and more. In this article, we'll cover the major services everyone tends to use, and walk you through the setup with each. Set up 2FA on all of these and you'll be more secure than ever.

Google 2-Step Verification

With access to your credit card (for shopping on Google Play) and your important messages and documents — essentially your whole life — a Google account has to be well protected. Thankfully, the company has been working on 2FA systems since 2010.

Google calls its system 2-Step Verification, and it's all about identifying you via phone. When you enter a password to access your Google account for almost any service, if 2-Step Verification is on, you'll need to enter an extra code that is sent via SMS text, a voice call, or by using an app called Google Authenticator. Typically you only have to do it once per account, per device.

Google Authenticator — actually, any authenticator app — can generate a verification code for you even if you're offline. You must typically sign up for 2-Step Verification before you can use it. The app will scan a QR code to give you access, then provide a time-based or counter-based code generation to give you a code to type in even if your smartphone is offline. It replaces getting the code via text or voice calls or email. Authenticator apps also work with other services, like LastPass, WordPress, Facebook, Evernote, Microsoft, and Dropbox.

Once you've set up 2-Step Verification, you access it again by visiting your Google account security settings. On the 2-Step Verification page you can select the phone numbers that can receive codes, switch to using an authenticator app, and access your 10 unused codes that can be printed to take with you for emergencies (such as if your phone dies and you can't get to the authenticator app).

This is also where you generate app-specific passwords. Let's say you want to use your Google account with a service or software that doesn't use the standard Google login (for example, I ran into this with Trillian on iOS). You typically get shut out of such a service if you've got 2-Step Verification activated, and will need an app-specific password to get on them using your Google credentials.

Facebook Login Approvals

Facebook is the last place you want to lose control of an account, but its version of two-factor authentication may help prevent that. It's called Login Approvals, and on the desktop you access it by going to Settings, then Security. If you click "Edit" next to that feature, you'll get a box to check that says "Require a security code to access my account from unknown browsers."

Check it, and assuming you've set up a mobile phone on your Facebook account, you'll get a text with a six-digit code. You enter that on the desktop and if it works, you'll get an immediate confirmation.

It's simple to set up — but whenever you access your Facebook account in the future, on a mobile phone, tablet, PC, or even with a different service (like AIM), you should have your phone handy.

If you don't have access to your phone, go back to the Security Settings and click the little pencil icon next to Login Approvals, which will provide several other options. One is to "get codes" that you can save or print.

There's also a Code Generator that's part of the Facebook app for iOS and Android. You access it from the "More" menu and it shows a six-digit number you can use for login; but it changes every 30 seconds. It works with the third-party code-generating mobile apps (such as Google Authenticator) as well, which you can set up from Facebook settings by scanning a QR code on your screen with the app.

App Passwords is another feature you'll find on the Facebook security page. They can be used to skip the Login Approval process altogether, by generating a one-time password to access your Facebook account via any other app or service. If you log out of that app or service and need to go back in, you'll have to generate a new, unique app password. This is necessary on things like Xbox, Skype, and Spotify, which can't use Login Approvals, but still benefit from Facebook access.

Twitter Login Verification

When you visit the settings for your Twitter account, click "Security and Privacy" on the left. At the very top you'll see Login Verification, with options to skip it, get verification requests at your chosen mobile phone number, or to send the verifications to the Twitter app itself on your iOS or Android smartphone — Twitter is its own authenticator.

To get that to happen on the mobile app, go to the Me menu in your Twitter app, tap the button with a gear symbol, and then enter Settings on the app. Click your name/account name at the top, and scroll down to Security. The only option here is to turn on (or off) Login Verification. You'll get a backup code when you do this, which you can write down or take a screenshot of — you'll need it later, should you lose your phone or want to turn off the authentication.

Twitter also offers temporary app passwords for signing into other accounts that use a Twitter login, even some of Twitter's own apps. You do this on the Password tab in the Twitter settings (via the desktop, you can't do it on the apps). The temporary password is usually a 12-character combo of letters and numbers, and it's good for about an hour. (This is NOT the same as the back-up code mentioned above.) You can view the full list of applications that have access to your Twitter account, or that you use your Twitter credentials.

If you've gone the SMS route for getting the verification code, note that you only get to use one phone for one account. And you're never completely safe.

Apple Two-Step Verification

Your Apple ID is probably a big part of your life if you're an iOS or Mac user. It's important not just for access, but also storage via iCloud and purchases at iTunes, iBooks, and the App Store. Apple offers a more secure way to use the ID, one that's especially handy if you're an iPhone user.

To activate Two-Step Verification, firstly go to the My Apple ID page on a desktop browser and click Manage Your Apple ID, then sign in. Click the Password and Security link on the left to get the "Get Started" link to enable Two-step Verification. Apple expects you to have a list of trusted devices for sending codes to — your trusted device can be any phone that gets SMS messages (it does not work with Google Voice), or any Apple device that has the Find My iPhone service activated, which will probably already be listed if that service is active. My iPhone does both, so I've verified it twice, both as an iOS device and for receiving texts. The codes are only 4-digit numbers with Apple.

Apple also provides a "Recovery Key" code that you use to make changes when (probably not if) you lose your password or "trusted device" (aka iPhone). This one is a longer 14-character mass of letters. Write it down and keep it safe. You can always generate a new one, which deactivates the old one.

You can always turn off the Two-Step Verification on the security page, but then you have to go back to setting up security questions ("Who was the best man at your wedding?") to verify your ID, and no one wants that.

Microsoft Two-Step Verification

In the last few years, Microsoft has done a much better job of tying together all its services under one umbrella account. I use mine for, Xbox Live, Skype, an Office 365 subscription, and more. Naturally it should get some extra protection, and Microsoft provides this.

You sign into your Microsoft account at (Remember when they still called everything "Live"? These things linger). In the left-hand navigation pane, click Security info — the top choice is then Two-step Verification.

Microsoft recommends the use of an authenticator app — but maybe that's because Microsoft makes its own for Windows Phone. It also works with other authenticator apps, like Google's. You can set everything up with the QR code displayed during the setup process — or you can skip it. If you do, Microsoft logins will still try to get you to use an app, but will provide a link to other methods for getting a 7-digit verification code: Text or email. Even if you choose text, it has to go to a phone you've pre-registered, and even then, Microsoft will make you re-enter the last four digits of the phone number as an extra bit of confirmation. That's pretty thorough.

As you continue the setup, Microsoft provides a recovery code for you to write down and keep safe, a 25-digit whopper (the kind they use on everything from software registrations to Xbox giveaways). Then it gets into the App Password section, by trying to make it easier for those who sync to non-Windows smartphones (like Android, iPhone, and BlackBerry) by providing a specific app password for each platform. Finally, it spells out all the other devices that will need a special app password: Xbox 360; Outlook desktop app for your PC or Mac; Office 2010, Office for Mac 2011, or earlier; Windows Essentials (Photo Gallery, Movie Maker, Mail, Writer); and the Zune desktop app.

You'll need to revisit the Microsoft account security page each time you need to generate a new app password for any of the above. You'll also get an email from Microsoft with a link to the help page on App passwords and two-step verification.

Yahoo Second Sign-In Verification

To set up verification at Yahoo, you have to access your profile settings (look for your name in the upper right of any Yahoo page, then in the profile look for the wrench icon). Once you're in, click Account Settings. The next page has the meat of what you need.

The second section on this page is Sign-in and Security. It's where you set up passwords, create a "sign-in seal" (a picture you identify at sign in, assuring you that you're on a Yahoo page, not a phishing-scam page), and you can even manage connections to other sites. And at the bottom of the list is a link for "Set up your second sign-in verification." It will immediately confirm the phone number on your account, or ask for a new one. It also warns you that certain apps won't work with second sign-in verification, including Outlook and the mail apps on iOS and Android — those will require App Passwords.

Yahoo is unique in offering a choice — you can have a code texted to your phone, or you can just continue to use security questions. Everyone hates those questions, but they're better than no second-step. However, it's much more secure to have a device receive the code you enter. Yahoo doesn't have an option to use a third-party authenticator app.

After you set up second sign-in verification, the Sign-in and Security list gets another option: "Manage your app passwords." When you're ready to access Yahoo services like mail on devices such as iPhones, Android handsets and so forth, you'll go here to create the new unique password that will hook you up.

Evernote Two-Step Verification

Following a hack last year that forced the reset of over 50 million user passwords, Evernote quickly rolled out two-factor authentication.

To set it up, you should sign in with a desktop browser and enter your Evernote Account Settings. The left navigation pane will show the Security Summary link. The choices here are simple: Put in an email, change your password, and enable Two-Step Verification. When you click enable, it will pop up this warning about using the most recent versions of Evernote to take advantage of the extra security:

Evernote supports text messages and authenticator apps. You'll need to verify both the email and the phone numbers (you can have two) on the account. It also provides four back-up codes for you to write down and save — in fact, you need to enter one just to finish the setup.

Finally, Evernote will point out all the third-party apps you use with its service that may now require a verification code, which includes Evernote for iPhone, Android, Windows Touch, Evernote Clearly, and even Ifttt if you use it — but thankfully they won't need an app password.

Dropbox Two-Step Verification

Dropbox settings on the desktop website have a tab called security. It's where you go to check how many current sessions are logged in and devices are using the account, to change the password, and, of course, to turn on the two-step verification. Click the enable link, enter a password, and you'll be asked if you want to get security codes via SMS text message, or if you want to use a mobile authenticator app.

If you choose text, you enter a phone number and receive a code immediately; you also get to enter a back-up number, plus a 16-digit number you should record somewhere that will allow you to deactivate two-step verification, if needed. If you choose the app, you'll get a QR code on screen that you can scan with an authentication app. The company recommends Google Authenticator, Duo Mobile (Android/iPhone), Amazon AWS MFA (Android), or Authenticator (Windows Phone 7), and Dropbox provides excellent instructions.

LinkedIn Two-Step Verification

The social network LinkedIn, like most, uses text messages to receive authentication codes. You can access the "Turn On" link to activate it on the account Security Settings page.

Enter your mobile number and you'll immediately get a six-digit code you have to enter to verify that you are indeed yourself. Like Twitter, you only get one number (there's no backup). Unlike many other services, LinkedIn doesn't provide extra codes for getting around Two-Step Verification — in fact, turning it off is as simple as clicking the "Turn Off" link on the same page. Not very secure.

Tumblr Two-Factor Authentication

You might not expect Tumblr (which is owned by Yahoo but requires a separate sign-in) to need much security, but hey, you don't want someone else posting animated GIFs on your account! Plus, it also had a breach in 2013, so better safe than sorry.

Simply sign on and visit your Account page. You should turn on SSL security, of course. Below that is a toggle for two-factor authentication. Activate it and you're immediately asked to verify your phone number, which you should have already set up to make audio posts. If not, do it. Then send for the verification code, and hurry, as it expires two minutes after sending. You can also use an authenticator app instead, but can't activate that until after you set up the phone number for texting.

Once that's all set, you have the option to generate 16-character mobile app passwords — you'll need them to access Tumblr for iOS and Android.

PayPal/eBay Security Key

As a service dedicated to making payments, it's obviously best for PayPal to be as secure as possible, and Security Key is its answer. It provides the standard text message-based security key option, but will also sell you a separate piece of hardware, a credit card-sized device that will display the authentication code you need at any time for £20 ($30 in the US).

You can access the PayPal Security Key Setup page by logging in to your account, then head to My Account, Profile. Then click "Get Started" next to where it says "Security Key," and click on "Get Security Key."

You can activate the actual physical security key if you buy one, or you can just register your mobile phone. You'll get a six-digit code in return to complete the registration.

At the end of the setup, you'll also get a link to take you into eBay and turn on a Security Key there as well — but that only works if you've bought the hardware from PayPal. Meh.