Twitter rolled out two-factor authentication last week, joining a growing group of tech companies to support the important security feature. Two-factor authentication can help mitigate the damage of a password breach or phishing attack.
The Three Authentication Factors
- A knowledge factor, like a password or PIN. Something you know.
- A possession factor, like a key or a hardware dongle. Something you have.
- An inherence factor, like a fingerprint or an iris. Something you are.
The principle comes from the idea that any authentication system—whether it's the deadbolt on your front door, the lockscreen on your smartphone, or the bouncer at a secret clubhouse—works by confirming something you know, something you have, or something you are. Each of these is called a "factor."
Normal password logins just check whether you know a password, which means anybody else who learns it can log in as you. Adding a second factor—in this case, checking something you have, your phone—means that even if your password is compromised by, say, a keylogger in an Internet cafe, or through a company's security breach, your account is safe.
That's important because phishing, which is one of the most common ways in which individual accounts are compromised, only captures passwords. Require a different factor, and phishing attacks become much more complicated and much less effective.
One example of two-factor authentication in the offline world is ATM cards. Normally, you need to both have a card and know its PIN in order to make a withdrawal. Online two-factor authentication brings the same concept to your services and devices.
As they become more popular, these systems have gotten increasingly user-friendly; it doesn't have to be a difficult trade-off of convenience for security. Here's how to enable two-factor authentication on Twitter, as well as on Google, Facebook, Dropbox, Apple, and Microsoft.
Twitter has named its two-factor authentication system "Login Verification," and its announcement provides a straightforward guide on how and why to use it. It directs you to your account's settings page, where enabling the option is basically a one-click affair.
Unfortunately, for now Twitter only supports two-factor authentication by SMS, so if you don't want to attach your phone number to your account, or don't have reliable or secure phone service, it may not be a good fit. Many of the other services outlined here already offer support for standard and secure offline authentication protocols. Hopefully Twitter will follow suit.
Google was one of the first major services to make two-factor authentication (it calls it "2-Step Verification") widely available. It's got a landing page that explains two-factor authentication generally, and a single settings page for configuring it across various Google services.
Because many people use apps and devices without two-factor authentication support to connect to Google services, it's useful to also understand Google's one-time password system.
Google's Authenticator app, which is available on iOS, Android, and BlackBerry, can generate login codes for any compliant service (including Facebook, Dropbox, and Microsoft) and is a popular choice.
Dropbox has a very clear tutorial on enabling two-factor authentication within that site, and supports authentication over SMS or over any of the popular authentication apps. You can enable the option in the Security section of your account settings, and it will require an authentication code whenever you sign into Dropbox on a new device or computer.
Facebook calls its two-factor authentication "Login Approvals," and it allows you to use a mobile app to generate authentication codes while offline. You can enable it in the Security section of your account settings — and while you're there, it's worth taking a minute to review the other options on that page.
Note that while Facebook only officially supports codes from its own mobile apps, clicking the "Having Trouble?" link will show you a key you can enter into another authentication app, like Google's Authenticator.
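To show what the shared key behind these apps actually does (the key Facebook reveals under "Having Trouble?", and the codes Google Authenticator produces for any compliant service), here is an added example that is not from the article or from any of the named services: a minimal TOTP (RFC 6238) code generator and a server-side verifier in Python. The demo secret is the published RFC test key, used here purely as a constructed example.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the 20-byte key from the RFC 4226/6238 test vectors,
# shown in the base32 form a site would display or encode in a QR code.
DEMO_BASE32_KEY = base64.b32encode(b"12345678901234567890").decode()


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(base32_key: str, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of 30 s steps since the epoch.
    This is what the authenticator app computes from the key it was given."""
    key = base64.b32decode(base32_key.replace(" ", "").upper())
    return hotp(key, at_time // step, digits)


def current_code(base32_key: str) -> str:
    """The code an app would show right now."""
    return totp(base32_key, int(time.time()))


def verify_totp(base32_key: str, code: str, at_time: int, window: int = 1) -> bool:
    """Server-side check. Accepts the code for the current step and +/- `window`
    neighbouring steps so that small clock drift on the phone does not lock the
    user out. The comparison is constant-time so a guess cannot be refined from
    response timing. (A real service must also reject a code that was already
    used, so a captured code cannot be replayed within the same step.)"""
    key = base64.b32decode(base32_key.replace(" ", "").upper())
    step_now = at_time // 30
    return any(
        hmac.compare_digest(hotp(key, step_now + delta, len(code)), code)
        for delta in range(-window, window + 1)
    )
```

Running `current_code(DEMO_BASE32_KEY)` beside an authenticator app loaded with the same key shows the same six digits, which is the whole point: the phone and the server share a secret, not a phone number.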
Apple's two-factor authentication can be used to secure Apple IDs against unauthorized logins on new devices and changes to your account information. It is only compatible with devices that support SMS or Find My iPhone notifications, and for now it is only available in the U.S., UK, Australia, Ireland, and New Zealand. You can turn it on in the "Password and Security" section of your Apple ID settings.
Microsoft is a new entry to the two-factor authentication game, rolling out the option only last month. It's a welcome addition, given that a single Microsoft account can access an Outlook inbox, devices like the Xbox console or Surface tablet, and of course Skype. You can turn it on in the "Security Info" section of your account settings.
There's an Authenticator app available for Windows Phone, and Microsoft's system is compatible with other authentication apps such as Google's. Also, as with Google, some devices and apps that use a Microsoft account don't support two-factor authentication and instead use one-time passwords.