(Pocket-lint) - Over the past few years, you may have heard a number of companies, app makers and service providers announce that they're launching two-factor verification or two-factor authentication.
If you ever wondered what the heck it even is, or whether it's worth using, we'll attempt to answer your questions in this feature.
What is two-factor authentication?
Breaking it down to the most simple explanation, it's basically adding a second layer of protection to your account, app or service to go alongside your regular method of logging in. In most instances, this involves receiving a code by SMS to your mobile number, but increasingly apps and services are sending a confirmation number to your device as a notification instead. Sometimes you can just tap the notification to approve the login.
How does two-factor authentication make your account more secure?
The idea is that you're adding a confirmatory step to your sign-in attempt. Using the SMS example, it means no one can log into the account in question from a new device, even if they have your password.
When someone tries to log into your account from a new device, or even new browser, with your password, when they hit "enter" or "submit", it'll take them to a new screen asking for a code. This code has been sent to the registered mobile number as an SMS.
Some apps that use notifications also send you a code. But increasingly, apps are just sending a notification to your key devices so you can simply confirm it was you signing in (in other words, there's no code).
Does two-step authentication always need a mobile number?
As an example, WhatsApp can't use your mobile number as its second verification method, because that's the primary method for logging in. So instead, it asks you for a six-digit PIN number every so often, or when you log in from a new smartphone.
While Apple does use SMS verification for iCloud account security, it also uses its "Trusted Devices" method. Using this method, it sends a four-digit code directly to a trusted and verified device, which then pops up in a little window on the screen once you unlock your iPhone or iPad.
Where SMS isn't used, there's often the option of getting a two-factor authentication code from a dedicated app like Google Authenticator. These sorts of apps simply show a time-sensitive code that changes after a given period of time, so it stays secure while still giving you quick and easy access to your account.
What if I've lost my phone?
Most services - as mentioned - offer more than just the phone number SMS method for logging in. Nearly all of them will offer you the ability to generate backup codes or, like Apple, give you a recovery key that's a really long chain of letters and numbers which you can input instead of using your password and SMS code.
Be sure to set up a recovery key, and store it somewhere safe like in a password-protected document and/or secure password app.
Is it worth it?
Yes. Absolutely. Once it's set up it only adds one extra step to logging into your account from a new device or browser.
It's always worth doing, and failing to do so can often leave you open to privacy nightmares. An article by the Washington Post revealed just how dangerous this can be. There have been several reports of incidents where owners of smart home cameras have had their devices hacked and been spied upon by criminals simply because they failed to use a secure password and activate two-factor authentication.
On the off-chance that someone has got your password, and tries to get into your account, you'll have the peace of mind knowing that they can't get in without also having your phone which - even if they have it - is likely locked and protected behind a password, pattern or fingerprint scan.
To add further privacy, there are settings within Android and iOS to ensure that you can stop SMS notifications from showing up on a lock screen. Just head to Settings > Notifications and select which apps you want to have display information on the lock screen, or choose to hide sensitive information (on Android).
How to move Google Authenticator to a new phone
If you've set up Google Authenticator on your phone and have multiple accounts connected to it from different sites and apps you may be worried about moving to a new device.
If you buy a new phone, whether an Android or iPhone, it's now possible to move an entire Google Authenticator account to the new device in one go, without having to move each account individually. Which is awesome.
To do this, open the Google Authenticator app on your old device and click on the menu button, then "transfer accounts". From there, select "Export accounts", select all the accounts you want to export, then click next. That will then generate a QR code (or two) that can be scanned.
Keep that running, then open up the app on your brand new phone. Click the same menu button and "transfer accounts", then select "Import accounts". You'll then have the option to scan the QR code on the original phone and simply import the entire list of accounts in one easy action. Hassle-free security on your new device. Just don't forget to wipe your old phone if you're not using it anymore, as the accounts will still be on there as well.
How do I activate two-factor verification on iCloud, Gmail, Twitter and so on?
For most accounts that you have, you'll normally find the two-factor verification option in your account security settings. This usually just means finding your settings options, which is normally straightforward. Most services you log in to will have an option, but here are a few of the more popular services:
How to enable Apple two-step verification
For your Apple ID or iCloud account you head to appleid.apple.com, then log into your account and look for the two-step verification in the Security section, and choose to turn it on.
You'll then go through a setup process that's really simple to follow. Also, be sure to create a recovery key and then make a note of that somewhere safe, where you know you'll never lose it.
How to enable Google 2-step verification
For your Gmail/Google account, log into any Google service, or just go to Google.com and click on your profile image in the top right corner, then select "My Account". Click the "signing in to Google" option under the Sign-in and security tab. Look for the 2-Step Verification option and choose to activate it.
Here you can add your phone number, choose to get a Google Prompt on your phone, set up some backup codes that you can print off, or download and install the Authenticator app on your Android phone or iPhone.
How to enable Twitter login verification
Log in to Twitter on desktop and click the small image thumbnail in the toolbar, then select "Settings and privacy" in the drop-down menu. Tick the "Verify login requests" box in the security options, and - if you haven't already - enter your mobile number so that it can send you SMS codes.
You can also use the mobile Twitter app to generate codes when you log in by opening the sidebar menu, heading to Settings and privacy > Account > Security > Login code generator.
How to enable Facebook two-factor authentication
In Facebook on the desktop site, click the little globe icon in the toolbar, then go to Settings > Security and login, then choose "Use two-factor authentication".
You can add your mobile number for text message codes, add security keys to log in by USB or NFC, or generate codes in the Facebook mobile app. You can also generate specific app passwords to use once for apps that don't support Facebook's two-factor authentication.