Don’t let scammers get their hands on your sensitive information. Here’s how to secure your online accounts—from Amazon and Google to Twitter and WhatsApp—with two-factor authentication (2FA).
The 2014 Heartbleed bug exposed millions of internet logins to scammers thanks to one itty-bitty piece of code, and our security nightmares have only gotten worse in the years since.
What’s the average internet user to do? Well, you should definitely change your passwords regularly. They’re a pretty laughable method of authentication and can be scooped up pretty easily by a variety of methods.
What you really need is a second way to verify yourself. That’s why many internet services, a number of which have felt the pinch of being hacked or breached, offer two-factor authentication. It’s sometimes called 2FA, or used interchangeably with the terms “two-step” and “verification” depending on the marketing.
As Techlivenews lead security analyst Zorro puts it, “there are three generally recognized factors for authentication: something you know (such as a password), something you have (such as a hardware token or cell phone), and something you are (such as your fingerprint). Two-factor means the system is using two of these options.”
Biometric scanners for fingerprints and retinas or faces are on the upswing thanks to innovations such as Apple’s Face ID and Windows Hello. But in most cases, the extra authentication is simply a numeric code; a few digits sent to your phone, which can only be used once.
You can get that code via text message or a specialized smartphone app called an “authenticator.” Once linked to your accounts, the app displays a constantly rotating set of codes to utilize whenever needed—it doesn’t even require an internet connection. The leader in this area is Google Authenticator (Android, iOS). Others such as Twilio Authy, Duo Mobile, and LastPass Authenticator all do the same thing on mobile and some desktop platforms. In fact, the majority of popular password managers offer 2FA by default.
The codes provided by authenticator apps sync across your accounts, so you can scan a QR code on a phone and get your six-digit access code on your browser, if supported.
Be aware that setting up 2FA can actually break access within some older services. In such cases you must rely on app passwords—a password you generate on the main website to use with a specific app (such as Xbox Live). You’ll see app passwords as an option with Facebook, Twitter, Microsoft, Yahoo, Evernote, and others—all of which either are used as third-party logins or have functions you can access from within other services. The need for app passwords is, thankfully, dwindling with the passage of time.
Remember this as you panic over how hard this all sounds: being secure isn’t easy. The bad guys count on you being lax in protecting yourself. Implementing 2FA will mean it takes a little longer to log in each time on a new device, but it’s worth it in the long run to avoid serious theft, be it of your identity, data, or money.
The following is not an exhaustive list of services with 2FA ability, but we cover the major services everyone tends to use, and walk you through the setup. Activate 2FA on all of these and you’ll be more secure than ever.
Amazon Two-Step Verification
Amazon added 2FA support late in 2015 and it’s pretty important to turn on, as Amazon has its fingers in many pies, like Comixology, Audible.com, and sites that use Amazon for payments—all tied to your credit card.
Open up Amazon.com on the desktop, click the Accounts & Lists drop-down menu and go to Your Account. Click on Login & Security. On the next page, click Edit next to Two-Step Verification (2SV) Settings. The preferred method is an authentication app (scan the QR code); phone number(s) are the backup method.
A nice option with Amazon is the ability to tell the service to skip the codes on select devices (or on multiple browsers on the same device)—say a PC to which you and you alone have access. If that option doesn’t work later, come back to the Advanced Security page and click Require codes on all devices.
Apple Two-Factor Authentication
Your Apple ID is a big part of your life if you’re an iOS or Mac user. It’s important for not just access, but also storage via iCloud; purchases like movies, books, and apps; and memberships like Apple Music and Apple TV+.
To activate Two-Factor Authentication, go to the Manage Your Apple ID page and sign in. Look for Security > Two-Factor Authentication and click “Get Started…”
You are then furnished with steps on how to set up 2FA for Apple using either iOS or macOS. You can’t do it via a browser on another operating system anymore. On iOS you go to Settings > [your name at the top] > Password & Security > Turn on Two-Factor Authentication. On macOS go to Apple menu > System Preferences > iCloud, sign in, click Account Details > Security > Turn on Two-Factor Authentication.
You’ll have to answer two of your three pre-set security questions and re-confirm your credit card on the account to get into the setup. Then you have to enter a valid phone number to get a text or phone call (even if it’s the number already on the phone you’re using for setup). If it is the same phone, the six-digit code will be entered automatically when it arrives, or just type it in.
After that, signing into anything with the Apple ID should generate a code on the device used for setup. Apple also supports app-specific passwords.
Note that once Apple 2FA is activated for two weeks, you can’t turn it off. “Certain features in the latest versions of iOS and macOS require this extra level of security, which is designed to protect your information,” Apple says.
Dashlane Two-Factor Authentication
A password manager favorite, Dashlane also supports 2FA. You have to turn it on via the desktop using the software for Windows or macOS, and you’ll need a separate authenticator app on your smartphone to scan the QR code.
In the desktop program, click Tools > Preferences > Security tab. Then open the Two-Factor Authentication tab. Click Two-Factor Authentication to toggle it on. You get a prompt to download Google Auth, Duo Mobile, or Authy. You then get the standard QR code to scan. If you have an external U2F security key, Dashlane also supports that.
You can also get 2FA support for other password managers like RoboForm Everywhere and Keeper Password Manager & Vault.
Facebook Two-Factor Authentication
Facebook is the last place you want to lose control of an account; its version of two-factor authentication will help prevent that. On the desktop you access it by going to Settings > Security and Login.
Under Two-Factor Authentication, click Edit on the right. On the next screen, select how you’d like to receive your second form of authentication: a text message, authenticator app, or physical security key.
If you select an authenticator app (which might be the best option when it comes to Facebook), Facebook will produce a QR code on the desktop screen. Open your authenticator app on your smartphone, select add, and hold your smartphone up to the computer screen to capture the code. The next time you sign into Facebook and it requests your six-digit code, open the authenticator app to retrieve it.
For apps that don’t work with two-factor authentication when you log in with your Facebook credentials, Facebook offers App Passwords, a one-time password to access your Facebook account via any third-party app or service. If you log out of that app or service and need to go back in, you’ll have to generate a new, unique app password. This is necessary for older devices. Get them via Settings > Security and Login > App passwords.
The above options require you to have access to your phone, of course. But when you activate 2FA, you can get a list of 10 recovery codes to download and use at any time, even if you don’t have your phone. Get them in the 2FA settings area and save them somewhere safe.
Facebook also supports the Universal 2nd Factor (U2F) of a hardware security key, something you plug into or put near your computer to get access.
Google 2-Step Verification
With access to your credit card (for shopping on Google Play), important messages and documents, your smart home devices, and even your videos on YouTube—essentially your whole life—a Google account has to be well-protected. Thankfully, the company has been working on 2FA systems since 2010.
Google calls its system 2-Step Verification. It’s all about identifying you via phone. When you enter a password to access your Google account for almost any service, if 2-Step Verification is on, there are multiple options to get that second step. First among them now: the Google Prompt. You simply add your smartphone to your account, make sure the Google search app is on the phone, and at login, you can go to the phone and simply acknowledge with a tap that you are the one signing in. Easy.
If that doesn’t work, you’ll need to enter an extra code. That code is sent to your phone via SMS text, a voice call, or by using an authenticator app. On your personal account, opt to register your computer so you don’t have to enter a code during every sign-in. If you have a G Suite account for business, opt to only receive a code every 30 days.
Google Authenticator—or any authenticator app—can generate the verification code for you, even if your smartphone is not connected to the internet. You must sign up for 2-Step Verification before you can use it. The app will scan a QR code on the desktop screen to give you access, then generate a time-based or counter-based code for you to type in. It replaces getting the code via text, voice calls, or email.
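How an authenticator app can produce those codes with no connection is easiest to see in code. The sketch below is an added example, not code from this article or from any of the services it covers: it assumes the service follows the public HOTP (RFC 4226) and TOTP (RFC 6238) standards with their common defaults (HMAC-SHA1, six digits, 30-second steps) and that the QR code carries an `otpauth://` URI. The account name and secret are constructed test values.

```python
import base64, hashlib, hmac, struct, time
from urllib.parse import urlparse, parse_qs

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Counter-based code (RFC 4226): HMAC-SHA1 over an 8-byte counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, now: float, period: int = 30, digits: int = 6) -> str:
    """Time-based code (RFC 6238): HOTP whose counter is elapsed periods."""
    return hotp(secret, int(now) // period, digits)

def parse_otpauth(uri: str) -> dict:
    """Read the shared secret and parameters from the QR code's URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc not in ("totp", "hotp"):
        raise ValueError("not an otpauth URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    b32 = q["secret"].replace(" ", "").upper()
    b32 += "=" * (-len(b32) % 8)                 # padding is often omitted
    return {"type": u.netloc, "secret": base64.b32decode(b32),
            "digits": int(q.get("digits", 6)),
            "period": int(q.get("period", 30))}

def verify_totp(secret, submitted, now, period=30, digits=6, drift=1):
    """Service-side check: accept the current step +/- `drift` steps."""
    ok = False
    for step in range(-drift, drift + 1):
        expected = totp(secret, now + step * period, period, digits)
        ok |= hmac.compare_digest(expected, submitted)  # constant-time
    return ok

# Constructed sample: the RFC 4226 test secret, not a real account.
SAMPLE_URI = ("otpauth://totp/Example:alice@example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")

if __name__ == "__main__":
    cfg = parse_otpauth(SAMPLE_URI)
    print("code now:", totp(cfg["secret"], time.time(),
                            cfg["period"], cfg["digits"]))
```

Both sides compute the same code from the shared secret and the clock, which is why anyone who obtains the QR code or the setup key can generate valid codes: treat them like a password.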
Once you’ve set up Google 2-Step Verification, access it again by visiting your Google account security settings. There you can select the phone numbers that can receive codes, switch to using an authenticator app, and access 10 unused codes that can be printed to take with you for emergencies (such as if your phone dies and you can’t get to the authenticator app). This is also where you generate app-specific passwords.
People with particularly high-risk jobs should consider using Google’s Advanced Protection Program.
Instagram Two-Factor Authentication
Facebook-owned Instagram has offered two-factor authentication since 2016. To turn it on, go to your profile and tap the hamburger menu on the top-right. Tap Settings > Security > Two-Factor Authentication. There you can choose how you’d like to get your authentication code.
Option one: turn on Text Message and add your phone number (include the country code, because Instagram is everywhere). You’ll get a confirmation code via SMS text message. Enter it. Option two: turn on Authentication App. The app will walk you through the steps to set it up (since you can’t exactly scan a QR code from your mobile phone while using the app on your mobile phone).
The app also offers a list of five recovery codes for use in the future to turn off 2FA or get access via other devices. It even offers to take a screenshot of them to add to your camera roll; you can always re-access them in the app as well.
LinkedIn Two-Step Verification
Business social network LinkedIn makes it easy to set up verification, either by SMS texts or authentication app. Go to the Me menu > Settings & Privacy > Account > Two-step verification to activate or deactivate it.
You’ll immediately get a six-digit code you have to enter to verify you’re you. You only get one phone number (no backup). You can also go here to get recovery codes that let you access the account even if you don’t have access to your phone.
Microsoft Two-Step Verification
Microsoft has tied together most of its services under one umbrella. Outlook.com, OneDrive, Xbox Live, Skype, an Office 365 Home subscription, and much more can all use the same account. Naturally, it should get some extra protection.
Sign into your Microsoft account at account.microsoft.com/profile. In the top navigation, click Security; on the next page, click More security options. Two-step Verification is the second option. Microsoft will suggest you get app passwords as needed for older services or devices (like Xbox 360); go in later to generate one as needed.
Enter the Set up an identity verification app section. Microsoft makes its own authentication app (iOS, Android), which it will push you to install. It also works with other standard authenticator apps, like Google Authenticator and Authy—but to use them, you must pick “other” during the setup. Scan the QR code displayed.
You can skip the authenticator. If you do, Microsoft will still try to get you to use an app, but it does provide a link to a 7-digit verification code via text or email. If you choose text, it has to go to a phone you’ve pre-registered, and even then, Microsoft will make you re-enter the last four digits of the phone number as confirmation.
As you continue the setup, Microsoft provides a recovery code for you to write down and keep safe, a 25-digit whopper (like the kind it uses on everything from software registrations to Xbox giveaways). Microsoft also supports Trusted Devices, which is hardware that doesn’t require you to enter any codes—you’ll see a checkbox to mark a device (like a Windows 10 PC) as trusted when you log into it. Go back to security settings to revoke trusted devices all at once if you lose one. Microsoft automatically removes any trusted device you haven’t logged into in two months; just trust it again on the next login.
PayPal 2-Step Verification
As a service dedicated to making payments, it’s best that PayPal be as secure as possible. Log in, click your name in the upper-right to access your Profile Settings > Login and security. Click “Set up” next to 2-step verification. Select whether you want to receive a text message or code via an authenticator app or using a security key. With that set up, PayPal will give you the option to add a backup to your account, such as a different number or authenticator app, for when you can’t reach your phone.
Reddit Two-Factor Authentication
On a desktop, log in and go to User Settings. Find the tab Safety & Privacy; select enable under Use two-factor authentication. Follow the steps to set up a third-party authentication app—such apps are the only way to get a Reddit 6-digit verification code.
Reddit will also supply some backup codes to save for the few times your smartphone isn’t available. Make sure you register an email with Reddit; it’s the only way to reset your account if necessary.
Snapchat Two-Factor Authentication
Snapchat is a mobile-only service, so the only way to set up 2FA is via the mobile app. Open it up and tap your avatar at the top left. Tap the gear icon on the upper right and select Two-Factor Authentication.
Snapchat warns you that if you lose access to your method for generating a login code (aka, your phone), you could get locked out of your Snapchat account. If you’re okay with that, proceed with setup, and select whether you want to receive a code via text or an authenticator app (you can have both active simultaneously).
If you choose authenticator, you get three options—the first is to Set Up Automatically, which worked like a charm to set up in Authy (my preferred app). It instantly gave me a six-digit code to enter in the Snapchat app. If you Set Up Manually, you get a QR code—but you can’t exactly scan it on the same screen. Instead, it provides a 32-digit code for you to copy and paste.
Once you’re set up, Snapchat will generate a Recovery Code you can use if you can’t get a text or code from the authenticator app. Store it somewhere safe.
Twitter Two-Factor Authentication
To activate Login Verification on Twitter.com on the desktop, click the More menu on the left and select Settings & Privacy > Account > Security > Two-Factor Authentication. You can then choose to get codes via phone (SMS text), authentication app, or with a physical security key (which won’t do you much good on a mobile app, so be sure to set up the authentication app). In the mobile Twitter app, the steps are much the same but you start by clicking on your profile pic.
Twitter will generate backup codes for when you lose a device, and temporary passwords to use one time when logging in at services, places, or times where you can’t get a regular 2FA code.
You can also use the Twitter app itself as an authentication app. Click Login code generator to get a six-digit number that updates every 30 seconds, which can help when signing into third-party sites with your Twitter credentials.
A good rule of thumb: occasionally view the full list of applications that have access to your Twitter or that use your Twitter credentials and nix any you no longer use or recognize.
WhatsApp Two-Step Verification
WhatsApp introduced end-to-end encryption as well as two-step authentication to keep out snoops, be they at home or sitting right there at the NSA, CIA, and FBI (Hi, Agent Mulder!).
Setup is easy: Go into Settings > Account > Two-step Verification. Tap Enable, and WhatsApp asks you to create a six-digit PIN to register your phone number with WhatsApp. You’ll also provide an email in case you ever need to do a reset—aka, turn off the verification. If you later sign out or log in with a different device, WhatsApp will text you a code, and you’ll have to re-enter the PIN as well. You can go into the app to change the PIN or your email any time.
Yahoo Account Key or 2-Step Verification
To set up verification at Yahoo, access your Personal info (look for your name, or the link to Sign In, in the upper-right corner of any Yahoo page, and select Manage Accounts > Account Info). Click Account Security and you’ll see the Two-step verification toggle. It will immediately confirm the phone number on your account, or ask for a new one and send a 5-digit verification code. It also warns you that certain apps won’t work with second sign-in verification—those will require app passwords.
There is no option to use a third-party authenticator app. However, the Yahoo Account Key is the next best thing. It’s very similar to Google Prompt. If you have any Yahoo app on your phone, Yahoo Account Key can send a notification to it directly. You get the notification, push a button to confirm it’s you, and that’s it—no codes or passwords to enter. (If you don’t have a Yahoo app on your mobile device, Yahoo can text or email you an 8-letter code.) When/if you activate Yahoo Account Key, Yahoo deactivates two-step verification, and vice versa, as Account Key must be turned off to allow two-step verification.
After you set up either of the above, the Account Security list displays another option: Generate app password. When you’re ready to access Yahoo services on devices without direct support, you’ll go here to create the new unique password that will allow access.