Two-factor authentication: How and why to use it

Find out how two-factor authentication works, why you should use it and how to set it up

Image by Alexandre Normand, CC BY 2.0

You might not realize it, but you regularly use two-factor authentication. When you swipe your debit card and are asked to enter your PIN code, or write a check and are asked to show your driver's license, each is a form of two-factor authentication. The first example requires you to possess your card and know your PIN code. The second requires you to possess your checkbook and prove your face matches the mugshot on your ID.

Two-factor authentication requires two ways of proving your identity and can also be used to protect your various online accounts. It doesn't offer perfect security and requires an extra step when logging into your accounts, but it does make your data more secure online.

How does two-factor authentication work online?

Two-factor authentication (2FA) -- also known as two-step verification or multifactor authentication -- is widely used to add a layer of security to your online accounts. The most common form of two-factor authentication when logging into an account is the process of entering your password and then receiving a code via text on your phone that you then need to enter. The second layer in two-factor authentication means a hacker or other nefarious individual would need to steal your password along with your phone in order to access your account.

There are three types of authentication:

  • Something you know: a password, PIN, zip code or answer to a question (mother's maiden name, name of pet, and so on)
  • Something you have: a phone, credit card or fob
  • Something you are: a biometric such as a fingerprint, retina, face or voice

How does the second factor work?

After you enter your password -- the first authentication factor -- the second factor usually arrives by SMS. That is, you'll get a text with a numerical code that you'll then need to enter to log into your account. Unlike a PIN code for a debit card, a 2FA code is used only one time; each time you log into that account, you'll be sent a new code.

Alternatively, you can use a dedicated authentication app to receive codes instead of having them texted to you. Popular authentication apps are Google Authenticator, Authy and DuoMobile.

Should I use SMS or an app?

Many sites and services, including Amazon, Dropbox, Google and Microsoft, give you the option of using SMS or an authentication app. Twitter is the biggest example of a site that forces you to use SMS. If you have the choice, use an authentication app.

Receiving codes via SMS is less secure than using an authentication app. A hacker could intercept a text message or hijack your phone number by convincing your carrier to transfer it to another device. Or if you sync text messages with your computer, a hacker could gain access to SMS codes by stealing your computer.

An authentication app has the advantage of not needing to rely on your carrier; codes are generated on your phone from a shared secret (established when you set up the app) and the current time. Codes expire quickly, usually after 30 or 60 seconds. Since an authentication app doesn't need your carrier to transmit codes, they will stay with the app even if a hacker manages to move your number to a new phone. An authentication app also works when you don't have cell service, another bonus.

Using an authentication app requires a little extra setup but offers better protection than SMS. To set up an authentication app, you will need to install the app on your phone and then set up a shared secret between the app and your accounts. This is usually done by scanning a QR code with your phone's camera. Once set up, however, an authentication app saves you the step of needing to enter a code; you simply tap on the app's notifications to log into one of your accounts.

What if I don't have my phone on me?

Many online services such as Dropbox, Facebook, Google and Instagram let you create backup codes, which you can print out or screenshot. That way if you lose your phone or don't have a cell signal, you can use a backup code as a second authentication factor to log in. Just make sure you keep your printout of backup codes in a safe place.

Will 2FA make my accounts more secure?

No security product can claim to offer perfect, foolproof protection, but by combining two of the above three types of authentication, 2FA makes it harder to get into your account. You not only make your accounts more difficult to attack, but you also make your accounts less attractive targets.

Think of it in terms of home protection. If you have a home security system, you lower the odds of a burglary. If you have a loud, large dog, you also lower the odds of a burglary. If you combine a security system with a big dog, then your house becomes even more difficult to break into and a less attractive target. Most burglars will simply find an easier mark -- one without an alarm and the potential for a dog bite.

Similarly, two-factor authentication prevents a large portion of hackers from targeting your account; many will simply move on and find easier accounts to break into. And should they target you, they'll need more than just your password. In addition to your password, a hacker would need to also have your phone -- or gain access to the tokens placed on your phone by the authentication mechanism via a phishing attack, malware or activating account recovery where your password is reset and 2FA is then disabled. That's extra work.

Is 2FA a hassle to use?

I don't know if I would call it a hassle, but 2FA does require an extra step when logging into your accounts. You'll need to enter your password, wait for a code to arrive via SMS, and then enter that code. Or if you use an authentication app, you'll need to wait for a notification to arrive that you can then tap to verify it's you.

I use 2FA on many of my online accounts and find it less of a hassle to use than using a strong password or passphrase that combines upper and lowercase letters, numbers and symbols. And while I'm on the topic of strong passwords, let me state that using 2FA as an excuse to use weaker, easier-to-enter passwords is a bad idea. Don't weaken your first factor just because you have added a second factor.

How do I enable 2FA?

Many sites and services offer 2FA but call it by a variety of names. Below are quick primers for enabling two-factor authentication on some of the more popular online destinations.

Amazon

Sign in to your Amazon account, click Account & Lists at the top right and then go to Your Account > Login & Security Settings and click the Edit button for Advanced Security Settings. Click the yellow Get Started button and sign up to receive codes via SMS or an authenticator app. You'll also need to add a backup phone number to lessen the odds of getting locked out of your account. For more, see this Amazon help page.

Apple

From an iOS device, go to Settings > iCloud, sign in if you aren't already and then tap on your Apple ID. From your Apple ID page, tap Password & Security and then tap Turn On Two-Factor Authentication. On a Mac, you can enable it by going to System Preferences > iCloud > Account Details > Security and clicking Turn On Two-Factor Authentication. For more, see this Apple Support page.

Dropbox

Click your name at top right in your Dropbox account and go to Settings > Security and you'll see a status listed at the top of the page for Two-step verification. Next to the Disabled status, click the (click to enable) link and then click Get Started. You can then choose to get verification codes via text on your phone or an app like Google Authenticator. For more, see Dropbox's instructions.

Facebook

Click the triangle button at top right, go to Settings > Security and then click Edit to the right of Login Approvals. Next, click Enable next to where it says that Two-Factor Authentication is currently disabled. For more, see this Facebook help page.

Google

Head to Google's 2-Step Verification page, click the blue Get Started button and sign into your account. You can choose to receive codes via text or a voice call. You can also set up and print backup codes, add a backup phone number and set up Google's Authenticator app. You can also sign up to use Google prompt, which sends a notification to your phone that you can simply tap instead of having to enter a code.

Instagram

From the app, go to your profile page and tap the gear icon in the top-right to open the Options panel. Tap Two-Factor Authentication and then tap to toggle on Require Security Code. Instagram will then send you a six-digit code that you'll need to enter to enable the feature. (If your account doesn't have a confirmed phone number, then you'll be asked to enter your number.) Instagram will also send you five backup codes to screenshot. For more, see this Instagram help page for account and notification settings.

LinkedIn

Go to LinkedIn's Security Settings page and click Add a phone number if you haven't already done so for your account. With your phone number added, click Turn on next to where it says Two-step verification is turned off, enter your account password and then enter the verification code that LinkedIn sent to your phone.

Microsoft

Go to the Security settings page, sign in with your Microsoft account and click Set up two-step verification. You can choose to receive codes via email, text or via the Microsoft Authenticator app. You'll also need to create an app password to continue to use Microsoft devices and services that don't support 2FA such as the Xbox 360 and Outlook.com email on an iPhone or Android phone.

PayPal

Log in to your account and click the gear icon in the top right to enter Settings. Click the Security tab and then Update next to Security Key. Enter your mobile phone number and then enter the verification code that PayPal sends you.

Slack

Sign in to your team and go to your Account page at my.slack.com/account/settings. Click the Expand button to the right of Two-Factor Authentication and then click Setup Two-Factor Authentication. You can sign up to receive codes via SMS or an authentication app. You can then get backup codes to print out.

Snapchat

Open the app, swipe down to access your account, tap the gear icon to open Settings and then tap Login Verification. You can sign up to receive codes via SMS or an authentication app and create recovery codes. For more, see this Snapchat Support page.

Twitter

From the Twitter app, tap your profile icon and then tap the gear icon and tap Settings. Go to Account > Security and toggle on Login verification. You'll get codes via SMS. You can then request a backup code, which you can screenshot to keep handy. For more, see this Twitter support page.

Yahoo

In your Yahoo Account, go to Account security and toggle on Two-step Verification. If you have Yahoo's Account Key enabled, you'll need to disable it. Account Key looks and smells like two-factor authentication but it is really only one-factor; it lets you skip the first factor of entering your password and only enter a code sent to your phone. Yahoo's two-step verification is the more secure option of the two. You can also create app-specific passwords for any apps that don't support 2FA and use your Yahoo account.

If you use other websites and services, check out the comprehensive Two-Factor Auth site for categorized lists of sites, services and apps to see which support 2FA and which do not. Categories include banking, cloud computing, communication, email, health, social and many more.