Two-step verification and two-factor authentication add an extra layer of security to accounts you access online, including email addresses and bank accounts. You enter your username and password, but before you get in, you have to enter a second factor — two hoops to jump through.
If someone tries to reset your password and you have 2FA enabled, it’ll be much harder for them to gain access to your account. (It’s similar to needing both a debit card and a PIN to take cash out at an ATM: it limits the damage from someone who has access to your card but not your PIN.)
The second factor you’ll need to prove your identity might be a numeric code sent to you via text message, or a code generated on a phone app like Google Authenticator. These codes may expire within a certain amount of time. Another example of a second factor is a security key such as a YubiKey, a small hardware device that can be plugged into the USB port of your computer and used to secure some sites or accounts.
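To show why app-generated codes expire, here is an added example (not part of the original article) of the time-based one-time password algorithm from RFC 6238, which authenticator apps such as Google Authenticator implement. The function names and the sample secret are assumptions made for illustration; the secret is the RFC's published test key, not a real account secret.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds each code stays current (RFC 6238 default)
DIGITS = 6   # code length shown by most authenticator apps


def totp(secret_b32: str, at: float, step: int = STEP, digits: int = DIGITS) -> str:
    """Return the RFC 6238 code (HMAC-SHA1) for Unix time `at`."""
    key = base64.b32decode(secret_b32.upper().replace(" ", ""))
    counter = struct.pack(">Q", int(at) // step)        # number of the time step
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                              # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32: str, code: str, at: float, drift_steps: int = 1) -> bool:
    """Accept the current step's code plus `drift_steps` either side for clock skew."""
    return any(
        hmac.compare_digest(totp(secret_b32, at + d * STEP), code)
        for d in range(-drift_steps, drift_steps + 1)
    )


# Constructed sample: the RFC 6238 test key "12345678901234567890", base32-encoded
# the way a site would show it next to the enrollment QR code.
SAMPLE_SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    code = totp(SAMPLE_SECRET, 59)                       # RFC 6238 test time
    print("code at t=59:", code)
    print("accepted 20 s later:", verify(SAMPLE_SECRET, code, 79))
    print("accepted 5 min later:", verify(SAMPLE_SECRET, code, 359))
```

The phone and the site share only the secret and a clock, which is why the app keeps working without SMS or a network connection, and why a code copied down earlier stops being accepted once its time step has passed.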
Action item: Set up two-step verification on your Gmail account, if you have one. The steps are listed here: https://www.google.com/landing/2step/. You can choose your second factor by selecting phone calls, text messages, the Google Authenticator app, or a security key. Make sure to add backup phone numbers for Google to contact you in case you lose your phone, and print out one-time-use backup codes and keep them in a safe place so you can use them if your phone is unavailable, like when you’re on a plane.
- We do not recommend receiving codes via text message, as text messages are easy to intercept. Additionally, if you are traveling to a different country, you may not have access to SMS messages. When you first set up two-step verification, you may be asked to use your phone to receive codes for the first time. After the initial setup, please change the method of receiving codes to an authenticator app, phone, or security key.
- Some password managers (such as 1Password) allow you to use their app as an authenticator. This is a good alternative for those sharing passwords and codes within a team.
- Authy is a good alternative to the Google Authenticator app, as it allows you to receive codes on multiple devices (mobile, desktop) and has backup capabilities.
Bonus: Add 2FA to other accounts you care about if it is available. Your bank, project management software, retail accounts and social media accounts are good places to start. See http://twofactorauth.org for a list. You can even add 2FA to your WordPress site with tools including Clef (freemium) or iThemes Security Pro.