Here's How to Turn On Two-Factor Authentication
Bob Sullivan is an award-winning journalist and the author of four books, including two New York Times bestsellers. He is now a syndicated columnist, frequent TV guest, and co-host of the podcast Breach, which examines history’s biggest hacking stories. Read more of Bob's stories at BobSullivan.net.
By now you’ve heard that Twitter has suggested to all users that they change their passwords. I’m here to tell you that you can do more to make yourself much safer with very little effort.
Now is a good time to turn on two-factor authentication at Twitter—and at Facebook, and Gmail, and Amazon, and anywhere else you can. A tiny percentage of consumers have done so—a Google engineer let slip recently that 90 percent of Gmail users don’t use two-factor—and that’s a mistake. It only takes a moment, and while it’s not foolproof, it is considerably safer.
Ninety percent of Gmail users don’t use two-factor authentication.
Good on Twitter, which sent out its provocative warnings yesterday after it discovered a bad password storage process. Some users’ passwords were theoretically viewable in plain text to employees or others on Twitter’s internal networks, though the firm says it has no reason to believe that actually occurred. Still, the familiar call went out to all users suggesting they change their passwords. For the vast majority of you, that means doing something fairly unhelpful like adding an exclamation point to your old password, or switching from one dog’s name to another.
That’s not great, but let’s face it: The average consumer needs to remember 150 passwords. No one can do that. So you reuse passwords. Of course you do. If that’s you, you might consider using a password manager, but they’re not for everyone.
Two-factor authentication, on the other hand, is for (almost) everyone, and you should turn it on now.
For those of you who’ve heard of two-factor—and that’s less than the half the U.S. population — but haven’t bothered to set it up yet, today’s the day. If you haven’t heard of it, well, today’s the day for you, too. You have to work on your Twitter security settings anyway.
What is two-factor authentication?
In general, two-factor authentication means you must tell a website something you know (a password) and prove there’s something you have (usually, your smartphone) before you gain access. This can become a problem for those of us (I mean me) who have an old smartphone with bad battery life. But that’s the price of security.
There are many flavors of two-factor, and not all are created equal. The most rudimentary involves a site sending you a text message with a one-time code you then use to log in. This is better than nothing, but hackers have figured out how to intercept such messages.
Two-factor authentication adds another serious speed bump to someone trying to log into your account.
So a better setup involves a code generator that lives on your smartphone, like Google’s Authenticator app. Users who log in open the app and enter a temporary code that’s only good for about 30 seconds. You can see why a dead cell phone would be a problem, right?
Even using this format, the steps vary slightly. You might need multiple codes to log in to multiple sites. Facebook generates such codes within the app itself. Google’s implementation works really well on Android. A Gmail login simply prompts a pop-up on the phone that asks, “Is this you?”
Again, two-factor isn’t foolproof. But it does add another serious speed bump to someone logging into your account, perhaps akin to the Club steering wheel lock that was once popular as an anti-theft device. One lesson from that era you should borrow: No one wanted to be the only car on the street without a Club. So as two-factor gets turned on, consumers who don’t bother will become bigger targets. Hackers will focus harder on their less-protected accounts. So don’t be that person.
Here are links to common two-factor instructions: