Two-step verification is just an app's way of asking you for two forms of ID. You keep a lot of private information in your apps and online accounts -- home address, photos of your kids, credit card numbers, maybe even health details -- and usually that sensitive data is secured with just one line of defense, your password. A strong password helps, and so does a password manager, but for a hard-to-hack second line of defense, enable two-step verification everywhere you can.
How two-step verification works
Two-step verification -- also known as two-factor authentication (2FA) or multifactor authentication -- requires that you use two means of proving your identity. In most instances, you'll log in with a password, and then you'll be asked for a second verification, like a passcode text-messaged to your phone.
Authentication methods fall into three categories:
- Knowledge: Something you know, like a password, a PIN, or the answer to a security question.
- Possession: Something you have, like an RSA or USB token, a card reader, an ATM card, or your phone.
- Inherence: Something you are, as when a device recognizes your fingerprint (like Apple's Touch ID), retina, voice, or face -- there are even proposals for brainwave ID.
No single method is foolproof, but they're stronger when combined, especially if one of the factors is something hackers can't get their hands on. For example, someone might be able to guess or steal your Gmail password, but if you've asked Google to verify by text or voice call, the hacker can't get into your email unless they also have your phone.
Where to enable two-step verification
It may seem like a hassle to set up two-factor authentication on your accounts, which may be why many people have not done so -- Duo Security did some impressive napkin math and concluded that about 6.5 percent of Google users have enabled 2FA. But setting up two-step verification is pretty straightforward and certainly far less of a headache than mopping up after someone infiltrates your email, deletes your cloud files, makes unauthorized payments, or swipes the data they need to steal your identity. Here's how to enable 2FA on popular apps and services to foil fraud, snooping, and mischief.
Apple: Go to the My Apple ID page and click Manage Your Apple ID, then Password and Security. Select Get Started under Two-Step Verification and decide which device(s) you want Apple to send four-digit codes to. You also get a Recovery Key and can set app-specific passwords. If you'd like illustrated instructions, see CNET's how-to.
Box: Click your name at top right in your Box account, go to Account Settings and Security, and click the box next to "Require 2-step verification for unrecognized logins." Box will send six-digit codes to your phone.
Dropbox: Click your name at top right in your Dropbox account. Select Settings, Security, Enable under Two-Step Verification, and then Get Started. You can get verification codes by text to your phone or through an app like Google Authenticator (scroll down to find out how that app works).
Facebook: Click the triangle at top right, select Settings, and go to Security. Click Edit to the right of Login Approvals and then tick the box next to "Require a security code to access my account from unknown browsers," which will open a dialog box explaining the process. Facebook will send six-digit codes to your phone.
Google: Go to My Account and select Sign-In & Security. Scroll down to Password & Sign-In Method and click 2-Step Verification. Tell Google which phone you want to use, and choose to get codes by text or voice call, or you can use the Google Authenticator app instead. While you're in security settings, you can also set app-specific passwords. If you'd like to use a physical authenticator instead of security codes, register a Security Key. For illustrated instructions on setup, see CNET's how-to. To block phishing, you might also want to download Google's Password Alert Chrome extension to alert you when you enter a log-in and password on a fake Google page.
LinkedIn: Go to Security Settings and, under "Two-step verification for sign-in," toggle the feature on. Enter your phone number and click Send Code to start getting six-digit codes to verify sign-in.
Microsoft: Follow the instructions in CNET's guide to add two-step verification to your Microsoft account. You can also use Google Authenticator. If you're planning to upgrade to Windows 10, it appears that Microsoft will have 2FA built-in through a feature called Next Generation Credentials that will let users enroll multiple devices.
PayPal: Log in to your account and click the gear icon at top right to enter Settings. Click the Security tab and then Edit next to Security Key. Click the Get Security Key text link to register your mobile phone, and you'll get a six-digit code to confirm. You can also activate a hardware key.
Snapchat: In the app, swipe down to go into your account. Tap Settings, then Login Verification. Snapchat will send a test message to verify.
Tumblr: In your account, click Settings and go to Security and Two-Factor Authentication. Enter your phone number and choose whether to get codes by text and/or authentication app. You can also generate one-time codes in the Tumblr apps, either by text or authenticator.
Twitter: Go to Settings, then Security and Privacy, and choose a Login Verification option, sending codes either to your phone or to the Twitter app. You'll get a test message to verify.
WordPress: Click your avatar or go to your Two-Step Authentication page on WordPress. Select Security, Two-Step Authentication, and Get Started. You can then choose to verify by SMS or by authenticator apps. While you're tweaking settings, consider adding app-specific passwords. WordPress is a frequent hacker target, and you should enable all available security measures.
Visit Two-Factor Auth for a more complete list of sites and apps that do and don't support 2FA, including communication apps, social media, banks and payment services, gaming networks, health apps, retail sites, and more.
If you want to manage 2FA for multiple accounts from one dashboard, try a free standalone authentication app like Google Authenticator, Authy, or DuoMobile. Bonus: These apps work even when you're offline, out of cell network, or in airplane mode.
Google Authenticator (Android, iOS) lets you generate one-time six-digit verification codes on your phone. Authenticator was established for Google accounts, but it works with many third-party apps, including WordPress and password managers like Dashlane and LastPass, if you want backup for your master password. See CNET's how-to if you ever need to transfer Authenticator to a new phone.
Authy (Android; iOS; Chrome extension for Windows, Mac, and Linux) generates seven- or eight-digit verification codes. You can sync across devices, and you can also opt for encrypted cloud backups and (on iOS devices) fingerprint Touch ID.
DuoMobile (Android, iOS). DuoMobile sends you six-digit codes, or you can simply enable one-tap Approve or Deny buttons. If you don't want to use your mobile device for authentication, register a landline or a hardware token. You can get a free 30-day trial, or business accounts are $1 per user per month.