Security Basics: If a Service Offers Two-Factor Authentication, Use It

Twitter announced this week that it was aware some Twitter login credentials are circulating on the Dark Web, and Mark Zuckerberg infamously had some of his (mostly unused) social media accounts hacked. That makes for a perfect segue for some basic security advice: if a website, service, or app offers two-factor authentication, use it.

Apple Two-Factor Authentication

Two-factor authentication at its most basic means that logging in requires two forms of verification (it's also sometimes referred to as two-factor verification). It's the digital equivalent of needing, say, your birth certificate and a driver's license to get a passport.

Basic Two-Factor Authentication

Early two-factor authentication usually meant having to click a link in an email to change a password. That method effectively ensures that the person requesting a password reset has access to the email account attached to the login. It is still not foolproof (the hacker could have compromised the email account itself, or a device that already has your email set up on it), but it is an added layer of security.

Another form of two-factor authentication is requiring a PIN code in addition to a password. While superior to password-only logins, many think that using device-based two-factor authentication is better still.

That form of two-factor authentication often requires you to enter a one-time code sent to your mobile device over SMS or generated by a dedicated app such as Google Authenticator, Blizzard's Battle.net Authenticator, or the built-in two-factor authenticator in 1Password.

This method goes a step further in protecting you because it requires the additional form of verification when you log in from a new device, or even every time you log in, depending on the service and setting options.

Apple Two-Factor Authentication

Apple has a two-factor authentication system built into iOS and OS X that sends a code to any device you have authorized within iCloud. I absolutely recommend you enable this, and you can do so from any Mac or iOS device you have authorized:

On your iPhone, iPad, or iPod touch with iOS 9 or later:

  1. Go to Settings > iCloud > tap your Apple ID.
  2. Tap Password & Security.
  3. Tap Turn on Two-Factor Authentication.

On your Mac with OS X El Capitan or later:

  1. Go to Apple menu > System Preferences > iCloud > Account Details.
  2. Click Security.
  3. Click Turn on Two-Factor Authentication.

When activated, Apple will periodically require you to enter a code it sends to the device of your choice. Apple also requires it when logging on to your account from a new device, a key protection.

Page 2 - Using Google Authenticator or 1Password with Third Party Sites Like Dropbox

Third Party Authenticators

Google Authenticator and the built-in authenticator in 1Password can be used with third party services set up to allow them.

Wikipedia has a list of third party sites and services that allow Google Authenticator, including Amazon, Bitstamp, Dropbox, Blockchain.info, Kickstarter, SEGA, Tumblr, Evernote, and scores more. Most of those same services will allow 1Password or other standalone authenticators, too.

On most services, this is turned on during account setup or activated under security settings for existing accounts. For instance, in Dropbox, click Settings -> Security -> Two-step verification -> (click to enable):

Dropbox Security Settings

From there, you can choose to use text messages or a mobile app, which means a third party authenticator like Google Authenticator or 1Password.

Choose text messages or a mobile app

If you choose text messages, you simply enter your mobile number. Dropbox then sends a code to that number that you enter before being able to proceed further. This is to ensure you entered the phone number correctly and have control over the mobile device with that number.

If you choose Use a mobile app, Dropbox generates a QR code you would then scan with the third party authenticator, like this, but without the sections blurred to protect the innocent.

QR code for a third party authenticator

When you scan the QR code, you are essentially sharing keys between Dropbox and your mobile authenticator, a necessary process for any third party authentication process. That allows the service (Dropbox, in this case) to check with the third party authentication service to make sure the code you are entering is correct, while keeping everything encrypted.

These services are relatively easy to use, though they do add some level of additional work and/or inconvenience. Security and convenience are always at odds, though, and the level of security two-factor authentication adds is well worth the minimal inconvenience.

Use Two-Factor Authentication If You Can

And the bottom line is that if a service offers some form of two-factor authentication, use it.