Over the past few years, you may have heard a number of companies, app makers and service providers announce that they're launching two-factor verification or two-factor authentication, often abbreviated to 2FV.
If you ever wondered what the heck it even is, or whether it's worth using, we'll attempt to answer your questions in this feature.
- These are the 25 internet passwords you must not use, and the apps to you should use to protect them
What is two-factor authentication?
Breaking it down to the most simple explanation, it's basically adding a second layer of protection to your account, app or service to go alongside your regular method of logging in. In most instances, this involves receiving a code by SMS to your mobile number, but there are variations.
How does two-factor authentication make your account more secure?
When someone tries to log into your account from a new device, or even new browser, with your password, when they hit "enter" or "submit", it'll take them to a new screen asking for a code. This code has been sent to the registered mobile number as an SMS.
Does two-step authentication always need a mobile number?
While it's the easiest and most convenient way to add a second layer of security, it's not the only way.
As an example, WhatsApp can't use your mobile number as its second verification method, because that's the primary method for logging in. So instead, it asks you for a six-digit PIN number every so often, or when you log in from a new smartphone.
While Apple does use SMS verification for iCloud account security, it also uses its "Trusted Devices" method. Using this method, it sends a four-digit code directly to a trusted and verified device, which then pops up in a little window on the screen once you unlock your iPhone or iPad.
Where SMS isn't used there's often the option of getting a two-factor authentication code from a dedicated app like Google Authenticator. These sorts of apps simply offer access to a time-sensitive code that changes after a given period of time and so is constantly secure but gives you quick and easy access to your account.
What if I've lost my phone?
Most services - as mentioned - offer more than just the phone number SMS method for logging in. Nearly all of them will offer you the ability to generate backup codes or, like Apple, give you a recovery key that's a really long chain of letters and numbers which you can input instead of using your password and SMS code.
Be sure to set up a recovery key, and store it somewhere safe like in a password-protected document and/or secure password app.
Two-factor authentication: Is it worth it?
Yes. Absolutely. Once it's set up it only adds one extra step to logging into your account from a new device or browser.
It's always worth doing and failing to do so can often lead you open to privacy nightmares. A recent article by the Washington Post revealed just how dangerous this can be. There have been several reports of incidents where owners of smart home cameras have had their devices hacked and been spied upon by criminals simply because they failed to use a secure password and activate two-factor authentication.
On the off-chance that someone has got your password, and tries to get into your account, you'll have the peace of mind knowing that they can't get in without also having your phone which - even if they have - is likely locked and protected behind a password, pattern or fingerprint scan.
To add further privacy, there are settings within Android and iOS to ensure that you can stop SMS notifications from showing up on a lock screen. Just head to Settings > Notifications and select which apps you want to have display information on the lock screen, or choose to hide sensitive information (on Android).
How do I activate two-factor verification on iCloud, Gmail, Twitter and so on?
For most accounts that you have, you'll normally find the two-factor verification option in your account security settings. This usually just means finding your settings options, which is normally straightforward. Most services you log in to will have an option, but here are a few of the more popular services:
How to enable Apple two-step verification
For your Apple ID or iCloud account you head to appleid.apple.com, then log into your account and look for the two-step verification in the Security section, and choose to turn it on.
You'll then go through a setup process that's really simple to follow. Also, be sure to create a recovery key and then make a note of that somewhere safe, where you know you'll never lose it.
How to enable Google 2-step verification
For your Gmail/Google account, log into any Google service, or just go to Google.com and click on your profile image in the top right corner, then select "My Account". Click the "signing in to Google" option under the Sign-in and security tab. Look for the 2-Step Verification option and choose to activate it.
Here you can add your phone number, choose to get a Google Prompt on your phone, set up some backup codes that you can print off, or download and install the Authenticator app on your Android phone or iPhone.
How to enable Twitter login verification
Log in to Twitter on desktop and click the small image thumbnail in the toolbar, then select "Settings and privacy" in the drop-down menu. Tick the "Verify login requests" box in the security options, and - if you haven't already - enter your mobile number so that it can send you SMS codes.
You can also use the mobile Twitter app to generate codes when you log in by opening the sidebar menu, heading to Settings and privacy > Account > Security > Login code generator.
How to enable Facebook two-factor authentication
In Facebook on the desktop site, click the little globe icon in the toolbar, then go to Settings > Security and login, then choosing the "Use two-factor authentication".
You can add your mobile number for text message codes, add security keys to log in by USB or NFC, or generate codes in the Facebook mobile app. You can also generate specific app passwords to use once for apps that don't support Facebook's two-factor authentication.
Check out these articles for more on enabling two-factor authentication on other services: