US military reportedly acts against ransomware groups The cost of flying internationally Spider-Man: Across the Spider-Verse trailer Omicron vs. delta Free COVID at-home test kits Cyber Week deals

Google signs up 150 million people for two-factor authentication: What it is, how it works

The extra step can better secure your accounts while protecting your personal information against hackers and fraud.

google-logo-5

Google is auto-enrolling accounts in two-step verification.

Angela Lang/CNET

Google, in observance of Cybersecurity Awareness Month, plans to auto-enroll 150 million users in two-step verification and require two million YouTube creators to turn the security feature on by the end of 2021. Having a second form of authentication when you login to your accounts dramatically decreases the likelihood of an attacker gaining access to your personal information, the search giant said in a blog post. 

Setting up two-step or two-factor authentication (also called 2FA) is becoming commonplace as a way to make it harder for scammers and fraudsters to gain control over your identity and accounts -- and to prove that you're really you. That's because it uses a second action to confirm your identity, for example before you bank online. 

Two-factor verification goes hand in hand with use of a password manager that sets up and remembers complex passwords that are much more secure than a short set of words and symbols, such as P4ssW0rd*. Using both would boost your account security. While two-factor authentication can be time-consuming to set up for every account, it's relatively straightforward to set up and use, and well worth the effort. 

In the spirit of cybersecurity awareness, we also recommend checking to see if your account passwords are already on the dark web (and then changing them) and seriously considering a password manager if you don't use one already (we no longer recommend LastPass, but Bitwarden is a good alternative). 

Read more: Cybersecurity Awareness Month: Time for your safety check

What is two-factor, or two-step, authentication?

Two-factor authentication (also sometimes written as 2FA) is also commonly referred to as two-step verification or multifactor verification. For simplicity's sake, I'm going to refer to it as two-factor authentication or 2FA for the duration of this post. 

Think of two-factor authentication as an extra layer of security for your online accounts. If you're not using 2FA on an account, your login process involves entering your username and password, and that's it. Two-factor authentication adds an extra step to that process. First, you'll enter your username and password, then you'll be asked to enter a one-time passcode (sometimes also called an OTP) which is typically a six- to eight-digit number. You obtain that number, which changes every 30 to 60 seconds, via an app or a text message. 

Once you've entered that code, only then are you granted access to your account. 

Effectively, a would-be bad guy would need to know your username and password and have taken over your phone number or have physical access to your phone and your authenticator app of choice to sign in to your bank's website or your email account. There's still something to keep in mind, though. 

1password-ios-faceid-lightmode

Using a password manager is the easiest way to increase security without also increasing the burden on yourself.

1Password

For the best security, don't use SMS to retrieve your codes. Use an app instead

When two-factor authentication first started to roll out to various websites and services, nearly all of them only supported sending your one-time password via text message. And while that's a convenient and easy way to receive your codes, it's also wildly insecure due to SIM swap fraud

SIM swap fraud occurs when someone calls your wireless carrier impersonating you and convinces the employee to change the SIM card linked to your phone number. With all your incoming calls and text messages now being routed to someone else's phone, they can sign in to any online account of yours that's been part of any sort of data breach or hack. 

Making matters even worse are hacks like the recent T-Mobile breach, which included enough of a customer's personal information for anyone to impersonate you when they call customer care along with PIN codes that customers added as an extra security step. 

Now playing: Watch this: In a world of bad passwords, a security key could be...
4:11

See how quickly things can spiral out of hand if you're using text messages to receive, say, your bank's 2FA codes? 

If at all possible, use an authenticator app like Google Authenticator or a password manager to store your temporary codes

I use a password manager to create and store all of my account passwords, along with my one-time passwords. The app not only lets me know when a new service supports two-factor authentication, but it also will copy and paste the code when I'm logging in to an app or website, making the entire process of using 2FA painless.

In addition to being more secure, an app doesn't require an active internet connection to show you the current code assigned to your account. That means if you're traveling and on a plane, you can still access your code -- something you can't do if you have to receive it via SMS. 

ig-2fa

When turning on two-factor authentication, make sure to take note of your recovery codes. 

Matt Elliott/CNET

Don't gloss over saving recovery codes

When you go through the process of setting up two-factor authentication, you'll be prompted to save a recovery code (or a series of recovery codes). DO NOT SKIP THIS STEP. 

That recovery code is what you'll use to get back into your account should something happen and you lose access to your two-factor authentication codes. It's not something that companies like Apple take lightly. Without that code, your account is as good as closed, and with it all of the data it holds. 

Hypothetically, let's say you have your 2FA codes arriving via text messaging. After a fun night out with friends, you realize your phone is gone, and with it, access to your OTP codes. And the only way to sign in to your bank account or your carrier is with a one-time password, unless you have a recovery code. 

Trust me, as someone who has had to use a recovery code a time or two, future you will thank present you for saving your recovery code. 

I suggest saving anything related to recovery in a password manager and taking a screenshot of the code that you can store in a secure place, even if that means printing it out and keeping it in a file. 

Instructions for two-factor authentication on popular websites and services

Here are the links to either the proper account settings page to set up 2FA, or to the appropriate support page detailing how to enable 2FA for popular companies and websites. If a company isn't listed below, I recommend searching for the company name with two-factor in the query (e.g. "Facebook two-factor"). 

The website 2fa.directory has a searchable database with direct links to the appropriate support page for many websites. You should also take some other steps to protect your personal info, and here's what you can do to limit the chances of experiencing SIM swap fraud yourself. 

Yes, two-factor authentication is worth the trouble 

You're right, to some extent 2FA is a hassle. But it could be worse. The longest part of the process is getting it set up for all the online accounts you have that support it. After that, waiting for a code via text messaging or using an app to access the code is a breeze and something you'll quickly adjust to just being part of your normal routine. 

We haven't met anyone who particularly enjoys using two-factor authentication, especially on a linked Apple account because it sends an alert to every single device you own, but we do it because it keeps our personal data and financial information secure. If someone were to gain access to our accounts, they could quickly wreak havoc with our personal and professional lives, and it would take weeks or even months to put all of the pieces back together. 

Don't believe us? Read this story from CNET's sister site ZDNet. Several years ago, mobile contributor Matthew Miller had his T-Mobile SIM card swapped, and the perpetrator then quickly deleted his entire Google account, used $25,000 from his bank account to purchase bitcoin and locked him out of his Twitter account -- and that was just in the first hour or so. 

The small inconvenience of two-factor authentication will go a long way in keeping you from an even bigger hassle.