You’ve almost certainly heard about how you should use a different strong password for each Web site where you have an account. But you’ve likely encountered sites that encourage or even require you to do more than just enter a password in order to sign in. Many larger employers, as well as financial institutions and Internet companies—like Apple, Google, Facebook, and Dropbox—offer a higher level of security, called two-step verification. In fact, Apple requires that all new iCloud accounts have a phone number for two-step verification.
To break into a normal account, assuming an intruder can guess your username, the intruder must have only one thing—your password. But with two-step verification, breaking in becomes far more difficult. That’s because the intruder must have two things—your normal password and a time-limited one-time password that is generated by a special authentication app or sent to you in an SMS text message or an email message. This secondary password is valid for only a short time and can be used only once.
Typically, you enter the secondary password only the first time you log in on a particular device or in a particular Web browser, so using two-step verification with an account requires an occasional extra step, but not a daily inconvenience.
Sites that offer two-step verification will provide setup and usage instructions, but the basics are as follows. You’ll enable two-step verification in the account settings, and then tell the site how to send you the one-time password when you want to log in, usually by providing your phone number or email address.
Some sites offer the option of handling two-step verification through an authentication app instead of through text messaging or email. These apps can be more fussy to use, but they are considered to be more secure, since a determined intruder who was coming after you personally could hijack or eavesdrop on your phone number or email. Common authentication apps include Authy, Google Authenticator, and 1Password; they run on your iPhone or iPad. If you opt to rely on an authentication app, you’ll use your device’s camera to scan an onscreen QR code or you’ll enter a secret key. Either way, that information makes it possible for the authentication app to generate a valid one-time password every 30 seconds.
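What the authenticator app does with that scanned secret, shown as an added example (this code is not from the original article or from any of the apps named above): it is the TOTP algorithm from RFC 6238, an HMAC-SHA1 over the current 30-second time step, truncated to six digits. The secret used here is the RFC's own test seed encoded in base32; the `verify_totp` server-side check and its one-time-use bookkeeping are illustrative additions.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed example secret: the base32 form of the RFC 6238 test seed
# "12345678901234567890". A real secret comes from the site's QR code or key.
EXAMPLE_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.replace(" ", ""), casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # low nibble of the last byte picks the window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros


def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second time step."""
    return hotp(secret_b32, unix_time // step, digits)


def verify_totp(secret_b32, submitted, unix_time, step=30, window=1, used_counters=None):
    """Server-side check (illustrative): accept codes from neighbouring time steps to
    tolerate clock drift, compare in constant time, and refuse to accept the same
    time step twice so a captured code cannot be replayed."""
    counter = unix_time // step
    for c in range(counter - window, counter + window + 1):
        if used_counters is not None and c in used_counters:
            continue
        if hmac.compare_digest(hotp(secret_b32, c), submitted):
            if used_counters is not None:
                used_counters.add(c)
            return True
    return False


if __name__ == "__main__":
    # At Unix time 59 the RFC 6238 test vector gives 94287082; six digits -> 287082.
    print(totp(EXAMPLE_SECRET_B32, 59))
    print("current code:", totp(EXAMPLE_SECRET_B32, int(time.time())))
```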
Make sure to record any backup codes the site provides; they’re essential if you lose access to your phone or your email.
When it comes time to log in to a service protected by two-step verification, you’ll enter your username and password as you normally would. Then, however, you’ll be prompted for a one-time password, and the service will either send you one via SMS or email, or require you to look it up in your authenticator app.
Even if an attacker obtains your password and tries to use it to log in, the attempt will fail unless the attacker can also intercept your text or email messages, or has stolen your iPhone and circumvented its passcode. That’s all extremely unlikely.
It’s not necessary (or even possible) to enable two-step verification for all your accounts, since many aren’t important enough to warrant that level of lockdown. For more significant accounts that provide the option—email, social media, cloud services, and banking—you should always use two-step verification for added protection.
You may also hear the term two-factor authentication, which is even more secure than two-step verification when implemented correctly. That’s because two-factor authentication combines something you know (your password) with something you have (such as a special keyfob that generates time-limited one-time passwords) or something that’s true of you (biometric info like a fingerprint or iris scan). It might seem like using your iPhone to receive a text message or run an authenticator app qualifies, but since you can usually both log in and get your one-time password on your iPhone, it’s not true two-factor authentication.
Regardless of the terminology, going beyond a single password, no matter how strong, significantly increases your security, and you can congratulate yourself for taking steps to protect yourself each time you turn on two-step verification in another important account. (For more about strong passwords, using a password manager to take the pain out of strong passwords, and details about two-step verification and two-factor authentication, we recommend the ebook Take Control of Your Passwords.)