Twitter rolled out two-factor authentication last week, joining a growing group of tech companies to support the important security feature. Two-factor authentication can help mitigate the damage of a password breach or phishing attack.
The principle comes from the idea that any authentication system — whether it’s the deadbolt on your front door, the lockscreen on your smartphone, or the bouncer at a secret clubhouse — works by confirming something you know, something you have, or something you are. Each of these is called a “factor”.
Normal password logins just check whether you know a password, which means anybody else who learns it can log in as you. Adding a second factor — in this case, checking something you have, your phone — means that even if your password is compromised by, say, a keylogger in an Internet cafe, or through a company’s security breach, your account is safe.
That’s important because phishing, which is one of the most common ways in which individual accounts are compromised, only gets information about passwords. Require a different factor, and phishing attacks become much more complicated and much less effective.
One example of two-factor authentication in the offline world is ATM cards. Normally, you need to both have a card and know its PIN in order to make a withdrawal. Online two-factor authentication brings the same concept to your services and devices.
As they become more popular, these systems have gotten increasingly user-friendly; it doesn’t have to be a difficult trade-off of convenience for security. Here’s how to enable two-factor authentication on Twitter, as well as on Google, Facebook, Dropbox, Apple and Microsoft.
Twitter has named its two-factor authentication system “Login Verification”, and its announcement provides a straightforward guide on how and why to use it. It directs you to your account’s settings page, where enabling the option is basically a one-click affair.
Google was one of the first major services to make two-factor authentication (it calls it “2-Step Verification”) widely available. It has a landing page that explains two-factor authentication generally, and a single settings page for configuring it across various Google services.
[Image: Google’s one-time password system]
Google’s Authenticator app, which is available on iOS, Android and Blackberry, can generate login codes for any compliant service (including Facebook, Dropbox and Microsoft) and is a popular choice.
Dropbox has a very clear tutorial on enabling two-factor authentication within that site, and supports authentication over SMS or over any of the popular authentication apps. You can enable the option in the Security section of your account settings, and it will require an authentication code whenever you sign into Dropbox on a new device or computer.
Facebook calls its two-factor authentication “Login Approvals”, and it allows you to use a mobile app to generate authentication codes while offline. You can enable it in the Security section of your account settings — and while you’re there, it’s worth taking a minute to review the other options on that page.
Note that while Facebook only officially supports codes from its own mobile apps, clicking the “Having Trouble?” link will show you a key you can enter into another authentication app, like Google’s Authenticator.
[Image: Apple’s two-factor authentication, in Apple ID settings]
Microsoft is a new entry to the two-factor authentication game, rolling out the option only last month. It’s a welcome addition, given that a single Microsoft account can access an Outlook inbox, devices like the Xbox console or Surface tablet, and of course Skype. You can turn it on in the “Security Info” section of your account settings.
Republished from the Electronic Frontier Foundation under Creative Commons licence.