One of the safest and simplest computer-security measures available is also one of the least used. Two-factor authentication adds a layer of protection to the standard password method of online identification. The technique is easy, relatively quick, and free. So, what’s the problem?
Critics are quick to point out the shortcomings of two-factor authentication: it usually requires a USB token, phone, or other device that's easy to lose; you sacrifice some privacy by having to disclose your telephone number to a third party; and it is subject to man-in-the-middle and other browser- and app-based attacks. A one-time code protects you only as long as nobody else can use it before it expires: a code typed into a convincing phishing page can be relayed to the real site within seconds, and malware on the computer you sign in from sees the same session the code unlocks.
Still, for online banking and other Web transactions, two-factor authentication is the most practical protection available. The number of big-name services supporting two-factor authentication continues to grow: Google, Facebook, Yahoo, PayPal, LastPass, and Dropbox are among the sites that let you require two-factor authentication to sign in to your account from unverified computers and devices.
Something you know and something you have
If you've used your bank's ATM, you've used two-factor authentication: you insert your ATM card (something you have) and enter your passcode (something you know). Most Web services supporting two-factor authentication send a unique access code to your phone, but banks and other financial services may require a hardware token that either displays a code you type in or that plugs in via USB, smart card, or another port.
Here are the steps required to activate two-factor authentication on popular Web services.
Google: Sign in to your account, click the down arrow next to the account name in the top-right corner, and choose Account. Select Security in the left pane and click the Settings button under “2-step verification.”
The first screen explains how the process works and links to a page intended to help you decide whether you would benefit from Google's two-step authentication. Click "Start setup" to proceed.
After you re-enter the account password, you’re prompted to supply a telephone number to which the authentication code will be sent whenever you sign in from an “untrusted computer or device.” Choose whether you’ll receive the code via SMS text message or voice call.
When the code arrives, enter it on the next screen of the sign-up process and click Verify. You're then asked to designate the computer you're using as trusted, but "only if you trust the people who have access to it." The option to trust the computer is checked by default; a trusted computer is never asked for a code again, so leave the box unchecked on any shared or borrowed machine. Click the Next button when you're ready to proceed.
Finally, you’re asked to confirm that you want to enable two-step verification. Once you’ve done so, you’ll be prompted to authenticate any other computers or devices you use to sign in to the account. If you lose the phone you signed up with, you can enter a new number via your account settings.
To avoid linking the account to a particular phone, I use a free Google Voice number to authenticate my Google accounts. This also allows me to avoid providing Google with my cell or home numbers.
After you click Confirm, you’re prompted to sign in to the account yet again. You may be prompted to provide new passwords for sites, apps, and services you’ve allowed to access the account that don’t support text messages or voice calls.
Should you decide later that the account doesn’t require two-step verification, return to the account security options and choose the option to turn off the feature.
Facebook: To activate the service’s Login Approvals feature, sign in to your Facebook account, click the gear icon in the top-right corner, and choose Account Settings. Select Security in the left pane, click Edit to the right of Login Approvals, and check “Require a security code to access my account from unknown browsers.”
A window opens explaining how log-in approvals work. Click Get Started, enter the name of each browser you want to allow, and click Add Browser. Next, choose your phone type and click Continue. You’re prompted to make sure you have the most recent version of the Facebook app installed on whichever device you selected.
Next, open the Facebook app on your phone, press the settings button in the top-left corner, and scroll to and press Code Generator. Enter the six-digit code displayed on your phone into the Facebook Login Approval setup wizard. A message indicates that if you're ever unable to access the code generator, a code will be sent via text message to your cell phone (the service doesn't support landlines or Google Voice).
The last step in enabling Facebook's Login Approvals is to enter the six-digit code that the service sends via text message to your phone. After you enter the code, Facebook warns you that a security code will be required to sign in to the account from an unknown browser. For the week after enabling the feature, you can disable it without a security code. To require a code to disable it right away, check the option at the bottom of the dialog.
Facebook’s Login Notifications feature sends you an e-mail or text message/push notification whenever your account is accessed from any computer or device for the first time. To enable the feature, click Edit to the right of Login Notifications in the account’s security settings, select Email or Text message/Push notification (or both), and click Save Changes.
Yahoo Mail: Yahoo’s Second Sign-in Verification requires that you answer a security question or enter a verification code when signing in to your Yahoo account from an unverified computer or device. To enable the feature, sign in to your Yahoo account, click the down arrow next to your name in the top-left corner of the screen, and choose Account Info (you’ll be prompted to re-enter your password).
Click “Set up your second sign-in verification” under Sign-in and Security. Check the box on the screen that appears, and either use an existing number or add a mobile phone number. Once the feature is active, you’ll see a “Success!” message on the Yahoo verification page.
By default, Yahoo lets you verify a new sign-in device with either a security question or a code it sends via text message; you can instead require the text-message code alone. The code-only setting is the stronger one, since a security question is just a second password that is often guessable from public information.
PayPal: To sign up for a PayPal Security Key, sign in to your PayPal account, hover over Profile, and click My Settings. Click “Get started” to the right of “Security key” and choose “Get security key.” You can either order a $30 credit card-sized hardware key, register your mobile phone number for free, or activate your security key from PayPal or VeriSign Identity Protection.
If you choose to register your phone, you're prompted to enter your mobile number twice. When you click the Agree and Register button, a six-digit code is sent to the phone via text message. The code expires after 5 minutes. After you enter the code and click the Activate button, you're notified that the security key is active.
LastPass: The password-management service’s Grid Multifactor Authentication lets you sign in by entering a code determined by a grid of characters you print out ahead of time. You can choose to bypass the grid sign-in by entering a code sent to your mobile phone or by bookmarklet.
To activate Grid Multifactor Authentication, sign in to your LastPass account, click Settings under Actions on the left, and choose the Security tab. Check Grid Multifactor Authentication and either or both options for bypassing the grid via mobile or bookmarklet, and offline access, if you wish.
LastPass also provides fingerprint and card-reader authentication, but only when a supported browser extension is installed. You can also access the LastPass security settings via the Control Panel in the service’s own app.
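To show how a printed-grid factor like the one described above actually works, here is an added example, written for this article and not LastPass's own code. The grid geometry (rows A through J, columns 1 through 10), the cell alphabet, and the four-cell challenge are assumptions made for illustration; the page does not describe LastPass's exact layout. The script generates a grid with OS randomness, renders it for printing, issues a challenge of distinct cells, verifies the answer with a constant-time comparison, and tracks how much of the grid an eavesdropper learns from captured challenge-response pairs, which is the weakness a practitioner should keep in mind with this scheme.

```python
import hmac
import secrets
import string

# Assumed geometry for illustration (not LastPass's documented layout):
# rows A-J, columns 1-10, each cell a letter or digit, four cells per challenge.
ROW_LABELS = "ABCDEFGHIJ"
COLUMNS = 10
CELL_ALPHABET = string.ascii_uppercase + string.digits
CHALLENGE_LENGTH = 4
_rng = secrets.SystemRandom()   # OS-backed randomness, safe for credentials


def generate_grid() -> dict[str, str]:
    """One random character per cell, keyed "A1".."J10".
    The user prints this once and keeps it; the server stores it."""
    return {
        f"{row}{col}": secrets.choice(CELL_ALPHABET)
        for row in ROW_LABELS
        for col in range(1, COLUMNS + 1)
    }


def render_grid(grid: dict[str, str]) -> str:
    """Printable form: a header row of column numbers, then one line per row."""
    lines = ["   " + " ".join(f"{col:>2}" for col in range(1, COLUMNS + 1))]
    for row in ROW_LABELS:
        cells = [grid[f"{row}{col}"] for col in range(1, COLUMNS + 1)]
        lines.append(f"{row}  " + " ".join(f"{cell:>2}" for cell in cells))
    return "\n".join(lines)


def new_challenge(grid: dict[str, str]) -> list[str]:
    """The server names distinct cells; the user reads them off the printout."""
    return _rng.sample(list(grid), CHALLENGE_LENGTH)


def verify_response(grid: dict[str, str], challenge: list[str], response: str) -> bool:
    """Constant-time check of the user's answer (case-insensitive, whitespace ignored)."""
    expected = "".join(grid[cell] for cell in challenge)
    submitted = "".join(response.split()).upper()
    return hmac.compare_digest(expected.encode(), submitted.encode())


def fraction_exposed(captured_challenges: list[list[str]]) -> float:
    """Every challenge-response pair an attacker captures (say, through a phishing
    page) reveals those cells. Returns the share of the grid revealed so far."""
    seen: set[str] = set()
    for challenge in captured_challenges:
        seen.update(challenge)
    return len(seen) / (len(ROW_LABELS) * COLUMNS)


if __name__ == "__main__":
    grid = generate_grid()
    print(render_grid(grid))
    challenge = new_challenge(grid)
    answer = "".join(grid[cell] for cell in challenge)
    print("challenge:", challenge, "ok:", verify_response(grid, challenge, answer))
    print("exposed after 5 captured logins:",
          fraction_exposed([new_challenge(grid) for _ in range(5)]))
```

Because each successful login discloses a few more cells, a grid that is used often on an untrusted computer leaks steadily; the server should rotate the grid after a bounded number of uses and rate-limit failed responses.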
Dropbox: To enable the online storage service’s two-step verification, sign in to your Dropbox account, click the down arrow next to the account name in the top-right corner, and choose Settings. Select the Security tab and click Change next to “Two-step verification.”
Click the Get Started button, re-enter the account password, and click Next. The option to use text messages sent to your mobile phone is selected by default. The other option is to use a mobile authenticator app to generate the security codes.
Choose a verification method and click Next. If you selected the text option, enter your mobile-phone number and click Next again. Enter the six-digit code that was sent to the phone via text message and click Next once more. Write down the 16-character "emergency backup code" and keep it somewhere other than the phone, since it lets you sign in without the second factor; then click "Enable two-step verification," and finally click "Done" on the confirmation screen.
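The "mobile authenticator app" option here, like Facebook's Code Generator earlier, produces codes from a shared secret and the clock rather than from a text message. The following Python script is an added example of that mechanism (the TOTP algorithm of RFC 6238 built on HOTP from RFC 4226); it is not Dropbox's, Facebook's or any authenticator app's own code. The enrollment secret is the RFC's published test key "12345678901234567890" in base32 form, embedded here as constructed sample input, and the time value 59 is the RFC's test instant. The server side shows the checks the phone-side display leaves out: a one-step window for clock drift, a constant-time comparison, refusal to accept any time step twice (so a phished code cannot be replayed), and one-time emergency backup codes stored only as hashes, in the spirit of the 16-character code Dropbox hands out.

```python
import base64
import hashlib
import hmac
import secrets
import struct

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # six-digit codes, as the authenticator apps on this page show
SKEW_STEPS = 1      # accept one step either side of "now" for clock drift

# Constructed enrollment secret: the RFC 4226/6238 test key "12345678901234567890"
# encoded in base32, the form a setup page or QR code hands to the phone app.
# Not a real account secret.
SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: float, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP, what the phone computes: HOTP with counter = floor(time / step)."""
    return hotp(base64.b32decode(secret_b32.upper()), int(unix_time // step))


class TotpVerifier:
    """Server side: accept a code within the skew window, compare in constant
    time, and never accept the same time step twice (blocks replay)."""

    def __init__(self, secret_b32: str):
        self._secret = base64.b32decode(secret_b32.upper())
        self._last_accepted_step = -1

    def verify(self, code: str, unix_time: float) -> bool:
        current = int(unix_time // STEP_SECONDS)
        for delta in range(-SKEW_STEPS, SKEW_STEPS + 1):
            step = current + delta
            if step <= self._last_accepted_step:
                continue  # this step, or an older one, has already been used
            expected = hotp(self._secret, step)
            if hmac.compare_digest(expected.encode(), code.strip().encode()):
                self._last_accepted_step = step
                return True
        return False


def make_backup_codes(count: int = 10) -> tuple[list[str], set[str]]:
    """Emergency codes: 64 random bits each, shown as 16 hex characters.
    Returns (codes to display to the user once, SHA-256 digests for the server).
    Plain SHA-256 is enough because the codes carry 64 bits of entropy."""
    codes = [secrets.token_hex(8) for _ in range(count)]
    digests = {hashlib.sha256(code.encode()).hexdigest() for code in codes}
    return codes, digests


def redeem_backup_code(stored_digests: set[str], submitted: str) -> bool:
    """Consume a backup code: a digest is removed on use so it never works twice."""
    digest = hashlib.sha256(submitted.strip().lower().encode()).hexdigest()
    if digest in stored_digests:
        stored_digests.discard(digest)
        return True
    return False


if __name__ == "__main__":
    now = 59  # RFC 6238 test instant, time step 1
    phone_code = totp(SECRET_B32, now)
    server = TotpVerifier(SECRET_B32)
    print("code:", phone_code,
          "first use:", server.verify(phone_code, now),
          "replay:", server.verify(phone_code, now))
    codes, digests = make_backup_codes()
    print("backup:", redeem_backup_code(digests, codes[0]),
          "reused:", redeem_backup_code(digests, codes[0]))
```

Note what the replay rule does and does not buy you: it stops the same code from being used twice, but within the 30-second window an attacker who phishes the code and submits it before the legitimate user does still wins. That is why the man-in-the-middle caveat at the top of this article applies to authenticator apps as much as to SMS.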
Authentication is only one of the perils of online banking
In a post from August 2011 I described how businesses can prevent online bank fraud by converting old PCs into dedicated banking terminals. Many commenters pointed out that you can accomplish the same end by booting your computer from a Linux CD or into a protected drive partition.
Other readers argued that banks should be required to use hardware tokens to authenticate their online customers. My solution is to avoid online banking, with the exception of my PayPal account that links to my bank account. My bank doesn’t know my e-mail address, so I know any message purporting to be from my bank is bogus.
Of course, many computer users find online banking indispensable. There’s no such thing as a one-size-fits-all security solution. Only you can decide how much protection you need while interacting with Web services.