Yesterday’s news that hackers might have stolen some seven million Dropbox credentials should have scared you into changing your password. And if you didn’t already have two-step authentication enabled on your account, it should be pretty good reminder that you need to turn it on for every account possible.
If you’re not worried about the security of your accounts, you’re ignoring a serious threat that’s confirmed by a never-ending deluge of security breaches. Two-step authentication is one of the best ways to prevent unauthorised access to your accounts, even if somebody manages to steal your password. Here’s how to do it.
Two-step, or two-factor authentication protects your accounts by requiring you to provide an additional piece of information after you give your password to get into your account. In the most common implementation, after correctly entering your password, an online service will send you a text message with a unique string of numbers that you’ll need to punch in to get access to your account.
The idea is that you’re drastically more secure if somebody needs both your password and the physical phone to get access to your accounts. Add a passcode to your phone, and you’re safeguarded against someone stealing both.
Is it perfect? No. But it’s way better than just irrationally hoping nobody ever gets a hold of your password.
Below we’ve outlined the steps for locking down the most popular services that offer two-step authentication. Most of the services work basically the same way, but there’s a little nuance to each, which we guide you through below. After each description is a link to each service’s FAQ so you can get more detailed instructions if you want them.
Apple’s two-step verification adds extra security to your Apple ID, and will help prevent people from making purchases in iTunes as well as unauthorised access to your iCloud account. To turn it on, log into My Apple ID, click Passwords and Security, and navigate to Enable two-step verification“.
In addition to providing a phone number where you’ll receive texts, Apple will also force you write down a recovery key that you’ll need in the even that you forget your password. And, write it down, because on the next page, you’ll be forced to prove you wrote it down. These codes, sometimes called backup codes, are important so you can access your account when you’ve lost your phone. [Apple]
Two-step verification on Google will protect you across all of Google’s many services as well as with that use APIs to pull in Google data.
While logged into your Google account, click your avatar in the top right corner of any Google page, and navigate to your Account. At the top of the following page click Security, and then click Enable next to 2-step verification.
Note that because you probably use your Google account with lots of third-party apps like Gchat, you’ll need to create an app-specific password for each of them. So if you want to log in to a new phone, or enable a new calendar application, you’ll need to head back to the security page, click on App passwords, and let the system generate a key for every app you’d like to link. You only get to see these passwords once, so if you need to enter one again for whateverThis is also where you disable apps that you no longer use or trust.
Also, make sure to setup some backup codes. Don’t get locked out of your email just because you left your phone at home. [Google]
Login into your account and navigate to the settings page from the drop-down arrow in the top right corner of the page. Under the Security tab click Edit next to the Login Approvals line. As with other Twitter and Microsoft, you can choose to receive SMS verification codes, or use the Facebook mobile app the verify your identity.
Login to your Microsoft account, and navigate to the tab for Security & password. Then, click Set up two-step verification and follow the instructions. In addition to an email/text message option, Microsoft will also give you the option of installing the Microsoft Account app on your phone, which will make authentication faster. If you only ever use one phone, this is probably worth doing.
Log in to your account, click your avatar in the top right corner and navigate to Settings. Under the Security tab, you’ll be given two options for Login verification. Either you can use the standard text message method, or you can use the Twitter app to verify requests. [Twitter]
Login to your account and click Settings in the top right corner. Under the Security tab click Enable next to the line item that says Two-step verification. From the Security page you can also see which devices and desktop browsers have access to your account already, and revoke access if necessary. [Dropbox]
Login to your Yahoo account, and click your username in the top right corner to navigate to your profile information page. Under the Sign-in and Security heading, click Set up your second sign-in verification. As with your Google account, you’ll need to create app-specific passwords for your mail clients, calendars and other apps that use you Yahoo account. [Yahoo]
Login into your account and click the settings cog. Under the Security Summery tab, click Enable beneath the Two-Step Verification line. Evernote, like Apple, will force you to store registration keys that will help you get into your account in the event that you forget your password or don’t have access to your phone. [Evernote]
PayPal’s Security Key works a little differently than the rest in that you’ve got an extra option. After logging into you account, click the settings cog in the top right corner of the page, and under the Security tab, click the Edit button next to the Security key line. Then click the link that says Get security key.
In addition to an option register your phone for standard text verification, PayPal also offers the option to purchase a physical hardware key that you use to unlock you account. That’s not totally necessary for everyday users, though. [PayPal]