Enabling two-factor authentication—or 2FA for short—is among the easiest, most powerful steps you can take to protect your online accounts. Often, it’s as simple as a few clicks in your settings. However, different platforms sometimes call 2FA different things, making it hard to find: Facebook calls it “login approvals,” Twitter “login verification,” Bank of America “SafePass,” and Google and others “2-step verification.”
That’s why, this holiday season, EFF’s 12 Days of 2FA is here to help you navigate the world of two-factor authentication. In a series of 12 posts, we’ll show you how to enable 2FA on a range of online platforms and services.
Enabling 2FA is not the only or even the top security precaution users should take. It is, however, an accessible way to add another layer of security to online accounts without having to do a lot of technical, extra work. The best way to decide if 2FA is right for you is to think about your threat model and assess what additional security measures are available to you.
Similarly, this series is not comprehensive. Rather, it’s meant to cover a range of popular websites and services to get you started. We recommend checking twofactorauth.org’s more extensive list of sites that support 2FA to make sure you cover all of your accounts.
Check back over the coming weeks as we update this page with links to new posts about how to enable 2FA on different platforms and services.
- Bank of America
- Gmail and Google
- Outlook.com and Microsoft
- Yahoo Mail
What you know, what you have, and what you are
Any action that requires authentication—from unlocking your car with a key to signing into your email with a password—involves something that you know (like a password or a PIN), something that you have (like a key or cell phone), or something that you are (like your fingerprint or voice). Generally, combining these types of authentication--that is, using two-factor (or multi-factor) authentication--translates into tighter security.
You have probably encountered 2FA already. An ATM, for example, requires both your card (something you have) and your PIN (something you know). Another example: when you log into Facebook from a new device or new location, you may have to jump through some extra hoops beyond entering your password, like identifying pictures of friends on Facebook. These extra layers of authentication protect your account in case one authentication factor is stolen or compromised.
More than passwords
Relying on more than a password to secure online accounts is so important because passwords are relatively easy to steal or compromise. Passwords can be vulnerable to eavesdroppers on cafe and airplane wifi, to tech company data breaches, and to phishing attacks. Add in a second factor, though, and an attacker needs more than just your password to access your accounts.
That second factor can take several forms, including:
- A one-time verification code sent to you via SMS text message
- A time-based one-time password (TOTP) generated by a dedicated app, like Google Authenticator and Authy
- A download-able, print-able, hard-copy backup code
- A hardware token, like a Yubikey
These generally rely on verifying something you have: your mobile phone, printed-out backup codes, another piece of hardware like a Yubikey, etc.
Each method has its pros and cons. For example, while SMS verification is the most common 2FA method, it also requires you to have immediate access to your phone, to have a strong enough mobile signal to receive a text message, and to hand over your real phone number. Most critically from a security perspective, SMS itself offers little protection in transit, and the text containing your log-in code can be intercepted by your telecom and others.
On the other hand, hardware tokens like Yubikey are perhaps the most secure and seamless-to-use 2FA method, but still aren’t supported by most services and are small enough to easily lose. Authenticator apps like Google Authenticator can strike a nice middle ground, but exclude users who do not use smart phones.
Regardless of which 2FA methods are right for you, enabling 2FA doesn’t mean you can let your password hygiene slip. In fact, enabling 2FA across your various accounts is a great opportunity to check and make sure your passwords—your "first" factor—are still a strong line of defense. Follow best practices for creating and managing different, strong passwords for each one of your accounts.