
Protecting your accounts with two-factor authentication

Two-factor authentication (2FA) is useful when you're logging in to your account on an untrusted (public) computer. Using a second factor is always significantly more secure than no second factor at all.

Remember that crackers and other such miscreants usually don't know or care who you are – all that matters to them is whether there's something in your account (personal info for scamming you, payment details for fraudulent transactions) which they can quickly profit from.

As always, on computers which may be used by others, log out when finished and never save your password (even when using 2FA).

Before you begin

Because your phone will be treated as a trusted device, having your phone permanently unlocked or unlockable by anybody is a very bad idea with two-factor authentication. You are strongly encouraged to ensure that it requires a pass phrase or PIN or something similar to unlock it.

Once you have a 2FA method configured for an account, you'll see that there's now an option to generate or show backup codes for it – you must make use of this option and, ideally, at least one other recovery option in case you lose your phone or for some reason can not use it. Store the list of backup codes securely! These codes are single-use, so if you've just used the last one or you think that your current list is lost or compromised, generate a fresh list.
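As an added illustration of why the guide insists that backup codes are single-use and should be regenerated when the list is spent or compromised, here is a small server-side model of how such codes are typically handled. It is example code written for this page, not Google's or any provider's implementation: the code length, the plain SHA-256 storage and the class name are assumptions.

```python
import hashlib
import hmac
import secrets

CODE_BYTES = 5  # assumption: 40 random bits per code, shown as 10 hex characters


class BackupCodes:
    """Server side of a backup-code list: codes are random, stored only as
    hashes, and each one works exactly once.  Regenerating the list
    invalidates every code from the previous list."""

    def __init__(self):
        self._hashes = set()  # digests of codes not yet used

    @staticmethod
    def _digest(code: str) -> bytes:
        # Codes are high-entropy random strings, so a plain fast hash is enough;
        # a user-chosen, low-entropy secret would need a slow password hash.
        return hashlib.sha256(code.encode()).digest()

    def regenerate(self, count: int = 10) -> list:
        """Issue a fresh list and return it to be shown to the user once."""
        codes = [secrets.token_hex(CODE_BYTES) for _ in range(count)]
        self._hashes = {self._digest(c) for c in codes}
        return codes

    def redeem(self, code: str) -> bool:
        """Accept a code if it is unused, then burn it so it cannot be reused."""
        wanted = self._digest(code.strip().lower())
        for stored in self._hashes:
            if hmac.compare_digest(stored, wanted):
                self._hashes.remove(stored)
                return True
        return False

    def remaining(self) -> int:
        return len(self._hashes)


if __name__ == "__main__":
    store = BackupCodes()
    issued = store.regenerate(8)       # would be displayed to the user once
    print(store.redeem(issued[0]))     # True: first use
    print(store.redeem(issued[0]))     # False: single-use
    print(store.remaining())           # 7
```

The `redeem` loop compares every stored digest rather than doing a set lookup, so the time taken does not depend on which (if any) code matched; a real deployment would also rate-limit attempts.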

It is also recommended that you set a recovery email address (from a different provider) and/or a recovery phone number in case you are unable to log in.

Commonly-used authenticator apps

Some other implementations are listed here.

Choosing a method

This depends on what's supported by the account provider. However, considering all common methods in order of trustworthiness:

Method: FIDO U2F token
  Strengths: Fastest method. Not vulnerable to replay or MITM. Physical device with, at most, a button to activate. May operate over USB, NFC and/or Bluetooth.
  Weaknesses: none listed.

Method: Authenticator app
  Strengths: Should not be vulnerable to replay, but is to MITM. Codes are changed every 30 seconds and remain valid for a few minutes or (if properly implemented) until used.
  Weaknesses: For maximum security, relies on the phone being securely locked when not in use.

Method: SMS
  Strengths: Direct to your phone.
  Weaknesses: Relies on sensitive notifications' content being hidden when your phone is locked.

Method: Robo-call
  Strengths: Direct to your phone.
  Weaknesses: Bypasses the lock screen.

Replay = replay attack, where your login details are compromised and are used from another location without your knowledge to misuse your account.

MITM = “man in the middle” attack, where somebody intercepting communication between your browser and the web site's server does the login instead of you in order to misuse your account, but leaves you thinking that you're successfully logged in.


On Google

First, log in if needed, then click here to go to Google's 2FA setup. Once you've clicked on “Get started”, you'll see a page which has options for adding a security key or an authenticator app, as well as for generating or showing backup codes.

Basic setup (SMS or voice robo-call)

First, you'll need to get a code from Google. This can be sent as a text message or an automated phone call; enter the phone number, select the method (SMS is recommended: your phone can be set up so that you need to unlock it to see the content) and click on “Next”. Once you have the code, enter it in the box provided (and if you received it via SMS, you can delete the message – you won't need the number again). Now, proceed to the next page and confirm that you want to enable 2FA.

You've now set up 2FA via either SMS or robo-call (depending on what you selected earlier) and when you next log in, you may be asked to enter another code. You will receive this via your chosen method.

You can set up alternative methods if you like…

Adding an authenticator app

Click on the authenticator app “set up” link. (You may need to re-confirm your password, and you may get another code to enter.) Follow the instructions shown on screen (if you've already installed an authenticator app, skip the first step); what you'll be pointing your phone's camera at is the QR code (the noisy square with three identical corners).

If you cannot scan the image, you can try entering a code instead. The name doesn't matter, but the code does; the code is time-based, so leave that setting alone.

Once the code is scanned or typed in, you'll be asked for a 6-digit code. The app should now be showing it, ready for you to type in; once that's done successfully, your authenticator app is set up.
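To show what the app and Google are actually agreeing on when you scan the QR code or type the key in, here is an added example (written for this page, not Google's or any authenticator app's code) of the time-based algorithm behind those 6-digit codes, together with the server-side check that gives the two properties listed in the table above: a code stays valid for a short window around its 30-second step, and once used it is never accepted again. The `otpauth://` URI, the example secret (which is the public test key from RFC 6238, not a real account key) and the class and function names are assumptions.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

STEP_SECONDS = 30  # the table's "changed every 30 seconds"
DIGITS = 6         # the 6-digit code Google asks for

# Constructed example: the base32 key a QR code carries.  This is the public
# RFC 6238 test-vector key (ASCII "12345678901234567890"), not a real secret.
EXAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
EXAMPLE_URI = ("otpauth://totp/Example:alice%40example.com"
               "?secret=" + EXAMPLE_SECRET + "&issuer=Example&algorithm=SHA1&digits=6&period=30")


def secret_from_otpauth(uri: str) -> str:
    """Return the base32 secret from an otpauth:// URI (what a TOTP QR code encodes).
    The label (account name) is ignored: as the guide says, the name doesn't matter."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a time-based otpauth URI")
    query = parse_qs(parts.query)
    if query.get("algorithm", ["SHA1"])[0].upper() != "SHA1":
        raise ValueError("only HMAC-SHA1 is handled in this example")
    return query["secret"][0]


def totp(secret_b32: str, unix_time: int) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second step counter, truncated to 6 digits."""
    secret_b32 = secret_b32.strip().replace(" ", "").upper()
    key = base64.b32decode(secret_b32 + "=" * (-len(secret_b32) % 8))
    counter = unix_time // STEP_SECONDS
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation from RFC 4226
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** DIGITS).zfill(DIGITS)


class TotpVerifier:
    """Server-side check with the two properties the table describes: a code is
    accepted within a small window of steps (to tolerate clock drift), and any
    given step's code is accepted at most once, so a captured code cannot be
    replayed later."""

    def __init__(self, secret_b32: str, window_steps: int = 1):
        self.secret = secret_b32
        self.window = window_steps
        self.last_used_counter = -1  # highest time step already spent

    def verify(self, code: str, unix_time: int) -> bool:
        now = unix_time // STEP_SECONDS
        for counter in range(now - self.window, now + self.window + 1):
            if counter <= self.last_used_counter:
                continue  # that step's code was already used: reject the replay
            expected = totp(self.secret, counter * STEP_SECONDS)
            if hmac.compare_digest(expected, code):
                self.last_used_counter = counter
                return True
        return False


if __name__ == "__main__":
    secret = secret_from_otpauth(EXAMPLE_URI)
    print(totp(secret, 59))  # RFC 6238 vector: 287082
```

Note what the replay check does not protect against: a code handed over to a look-alike site and forwarded within its window (the MITM case in the table) is indistinguishable from the genuine user typing it, which is why the table rates U2F keys above authenticator apps.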

When you next log in, you may be asked for a code from the authenticator app on your phone.

Adding a security key

This requires a Chromium-based browser, such as Chrome or Vivaldi, or Firefox with the U2F Support Add-on. So far as I know, it does not work with Internet Explorer or Edge.

Google may not offer U2F authentication at log-in time except to users of Chrome or Chromium, although you may well be able to add keys using other browsers.

Security keys can be bought from various online stores such as Amazon – different ones are available but most support FIDO U2F, which is what this authentication method uses.

Anyway, assuming that you have a key, click on “Add security key” and follow the instructions, activating the key when requested. This may involve plugging it in, and will involve either pressing its button or holding it against an NFC sensor.

You've now set up 2FA via a U2F security key. When you next log in, you may be asked to use your key.

Other options

These include things such as a simple confirmation prompt on your phone. You can enable or disable as you prefer.

On Twitter

Click here to see how to enable SMS login verification on Twitter. (Apparently, TOTP 2FA is in the works.)

On Facebook

Click here to see how to enable 2FA.

Elsewhere

Here's a list of various well-known sites, some of which allow use of 2FA of some sort. Those which do support it will allow it to be enabled via account settings, most likely in a security or login section.

Need something stronger?

Some people, such as journalists, political campaign staff or people who are at risk in general, may find the likes of Google's Advanced Protection Programme to be of use.