What is two-factor authentication?

Two-factor authentication sounds scarily technical, but at its simplest it’s just proving who you are using two different methods. It’s not actually anything new either: when you get money out of a cash machine, for example, you need the combination of your bank card and your PIN to withdraw anything.

Lots of companies, for example Amazon, Apple and Google, are encouraging their users to set up two-factor authentication to protect their online accounts. Not all companies offer it, and for those that do it’s not generally compulsory yet, but it is becoming quite popular so you’re likely to come across it more and more.

All online accounts already have “one-factor” authentication, or as I like to call it, a password.  Typing in your password when you log in to your account tells the company it’s you.  But as you often hear in the news, hackers can get hold of passwords.  

Two-factor authentication adds a second level of security by getting you to also type in a short numerical code that only you can access, for example one that’s texted to your mobile phone or sent to your landline (I’ll explain more about these in a minute). It’ll then only let you into your account if you type in the right password and the right code.

The code only works once, so you need a new one each time you log in. This might sound like a right pain, having to type in your password and fiddle about getting a code each time you want to log in, but if you use a device regularly (for example your laptop at home), you can usually tell it you “trust” that particular device so it doesn’t ask for a code every time.

How does it make my account safer?

It’s safer because you need both your password and a code to get into your account. This means that if some nasty hacker finds out your password, they still can’t get into it because they don’t have the code. (Well, unless they’ve found out your password and stolen your phone or tapped into your landline somehow.  Not very likely.)  Two-factor authentication isn’t foolproof, but it is safer than just using a password.

How do you set it up?

Log in to your account as normal using your password.  You might then be asked to set it up, but if you aren’t you’ll be able to find it in your account settings or security settings.  Look for something like “two-factor authentication”, “2-step verification”, “login verification” or “login approval”.

First you’ll have to choose how to get your code (sometimes called a “verification code”).  There are three main ways:

  1. A text message to your mobile phone.
  2. An automated voice call to your landline phone. (Note: not all companies offer the landline option, which is pretty irritating for those of us who don’t have a good mobile phone signal!)
  3. Using an authenticator app on your phone or tablet.  These are free from the app store, and strangely any one will work. For example, I set up two-factor authentication on my Amazon account using the Google authenticator app.  Once you’ve got the app, you use it to scan a QR code on the screen of whatever you’re trying to log in to (a QR code is a bit like a fancy barcode).  It’ll then generate a code for you to type in.
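
Why any authenticator app will do, shown as an added example (not code from this article or from any of the companies mentioned): it assumes the account uses the standard time-based one-time password scheme (TOTP, RFC 6238), where the QR code simply carries a shared secret that the app and the website both feed into the same published formula. The function names are made up for illustration, and the account name and secret are constructed sample values (the secret is the RFC's published test key).

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import urlparse, parse_qs

# Constructed sample: the text a setup QR code encodes (not a real account).
SAMPLE_QR_TEXT = ("otpauth://totp/Example:alice@example.com"
                  "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")


def secret_from_qr(uri):
    """Extract the shared secret (Base32 text) from the QR code's contents."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP setup link")
    b32 = parse_qs(parsed.query)["secret"][0].replace(" ", "").upper()
    b32 += "=" * (-len(b32) % 8)  # apps usually drop the Base32 padding
    return base64.b32decode(b32)


def totp(secret, unix_time, digits=6, step=30):
    """The code an app shows at unix_time (RFC 6238, HMAC-SHA1)."""
    counter = int(unix_time) // step  # number of 30-second slots so far
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # "dynamic truncation" from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret, submitted, unix_time, window=1, step=30):
    """Website side: accept the current slot plus/minus `window` slots
    to allow for a phone clock that is slightly off."""
    for drift in range(-window, window + 1):
        expected = totp(secret, unix_time + drift * step, step=step)
        if hmac.compare_digest(expected, submitted):  # constant-time compare
            return True
    return False


if __name__ == "__main__":
    import time
    key = secret_from_qr(SAMPLE_QR_TEXT)
    now = time.time()
    print("code right now:", totp(key, now))
    print("accepted by the site:", verify(key, totp(key, now), now))
```

Because the code depends only on the secret and the clock, two different apps that scanned the same QR code show the same digits, and anyone who gets a copy of that QR code can generate your codes too.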

You might be asked to choose a backup method too, in case you can’t get the code in your preferred way (e.g. if you’ve got no mobile phone signal). It’s a very good idea to do this if you get the option. Instead of giving you a backup method, some companies give you a list of codes to use in emergencies that you print off or write down and keep in a safe place.

Once you’ve typed your code in you’ll also usually be asked whether it’s a “trusted” device or if you want it to “remember” your code. If you’re using your personal phone, tablet or computer then you’ll probably want to do this, so it doesn’t drive you mad asking for a code every time you log in.  If you’re using a friend’s tablet or a computer in the local library it’s not a good idea to do this.

An important point to remember

Every time you try to log in on a new device you’ll have to type in a code to prove it’s really you.  So remember that you’ll need access to the thing your code comes from – either your landline or mobile phone.

Useful links

Here are some links to setting up two-factor authentication from the major tech companies:
Google https://www.google.com/landing/2step/
Apple (for iPhones and iPads) https://support.apple.com/en-gb/HT204915
Microsoft https://support.microsoft.com/en-gb/help/12408/microsoft-account-about-two-step-verification
Yahoo https://help.yahoo.com/kb/SLN5013.html
Amazon https://www.amazon.co.uk/gp/help/customer/display.html?nodeId=202025410

If you’d like to set it up for a company not listed here and you’re not sure how to do it, drop us a comment below, or post a comment to the clubroom.
Thanks 🙂