Want CNET to notify you of price drops and the latest stories?

How to enable two-factor authentication on popular sites

It may not be the perfect security solution, but two-factor authentication reduces the risks associated with common Web activities -- from searching to social networking to online banking.

Jason Cipriani
Jason Cipriani
Jason Cipriani Contributing Writer, ZDNet
Jason Cipriani is based out of beautiful Colorado and has been covering mobile technology news and reviewing the latest gadgets for the last six years. His work can also be found on sister site CNET in the How To section, as well as across several more online publications.
Dennis O'Reilly Former CNET contributor
Dennis O'Reilly began writing about workplace technology as an editor for Ziff-Davis' Computer Select, back when CDs were new-fangled, and IBM's PC XT was wowing the crowds at Comdex. He spent more than seven years running PC World's award-winning Here's How section, beginning in 2000. O'Reilly has written about everything from web search to PC security to Microsoft Excel customizations. Along with designing, building, and managing several different web sites, Dennis created the Travel Reference Library, a database of travel guidebook reviews that was converted to the web in 1996 and operated through 2000.
Jason Cipriani
Dennis O'Reilly
3 min read


One of the safest and simplest computer-security measures available is gradually becoming commonplace. Two-factor authentication adds a layer of protection to the standard password method of online identification. The technique is easy, relatively quick and free. So, what's the problem?

Critics are quick to point out the shortcomings of two-factor authentication: it usually requires a USB token, phone, or other device that's easy to lose; you sacrifice some privacy by having to disclose your telephone number to a third party; and it is subject to "man-in-the-middle" and other browser- and app-based attacks.

Still, as more hacks and database breaches occur, two-factor authentication is the most practical protection available. The number of big-name services supporting two-factor authentication continues to grow: Google, Facebook, Yahoo, PayPal, Twitter, Snapchat, Microsoft, LastPass and Dropbox are among the sites that let you require two-factor authentication to sign in to your account from unverified computers and devices.

Something you know and something you have

If you've used your bank's ATM, you've used two-factor authentication: you insert your ATM card (something you have) and enter your passcode (something you know). Most Web services supporting two-factor authentication send a unique access code to your phone, but banks and other financial services may require a hardware token that either displays a code you enter or that you insert via USB, smart card or other port.

Here are the steps required to activate two-factor authentication on some of the most popular Web services.


Screenshot by Jason Cipriani/CNET

To activate the service's Login Approvals feature, sign in to your Facebook account. Click the drop-down arrow in the very top-right corner and choose Settings. Select Security in the left pane, then click Edit to the right of Login Approvals. Next, check "Require a security code to access my account from unknown browsers."

A window opens explaining how log-in approvals work. Follow the prompts, which include adding a phone number to your account (if haven't already done so) and entering a confirmation code sent to your number to verify you are, well, you.

You can also take advantage of the code generator feature within Facebook's mobile applications, should you not have cellular signal when attempting to log in to the site. The code generator is found within the app, but sliding out the "More" menu and scrolling down to the Settings section. There you can expect to find a Code Generator option, which will display a six-digit code when launched.


Screenshot by Jason Cipriani/CNET

Yahoo's two-step verification can be setup by visiting your account settings page, here. Click on Account Security on the left side of the page.

At the bottom of the list will be a switch to enable two-step verification. Sliding it to the On position will bring up a prompt asking you for your phone number. Enter your number, then click either Send SMS or Call Me in order to receive a confirmation code. Enter the code when you receive it, and you're done.

Another prompt will ask you if you'd like to create an app password. If you haven't been prompted by a third-party app for an app password, you can select Skip for now.


Screenshot by Jason Cipriani/CNET

Setting up two-step verification for PayPal requires you to login to your account on the website. This link should take you to your account settings summary. If it doesn't, you can login, then click on your profile icon followed by Profile and settings.

On the left side of the page, click My Settings and scroll to the bottom of the page. Find Security keyand click on Get Started to the right. You'll have to enter your password again before continuing.

Your Security Key page should look similar to the one above -- with no keys currently activated. Click on the Get security key link at the bottom, and follow the prompts. Per the norm, you'll need to enter a phone number and then a confirmation code sent to that number via text. After which, the security key page will have a listing with your phone number and the word "Active" next to it.

If you're looking for a guide to activating two-step with a site or service not listed here, you're in luck: we also have guides for Google, Microsoft, Snapchat, Twitter, LinkedIn, LastPass, Apple, Dropbox and Tumblr.