What's the Deal with Two-Step Verification?

It seems that we can’t go a week without hearing about some new security breach involving tens of thousands or even millions of passwords. That’s why it’s essential that you use strong passwords of random characters (and manage them in a full-featured password manager like 1Password or LastPass or, for a more basic approach, iCloud Keychain). But many major Internet companies like Apple, Google, Facebook, and Dropbox offer an option for a higher level of security, called two-step verification.

With a normal account, a bad guy has to get only one thing—your password—to break in. With an account that’s protected by two-step verification, however, breaking in becomes far more difficult. That’s because logging in requires both your normal password and a time-limited one-time password that is generated by a special authentication app or sent to you in an SMS text message or via email. What’s important about these secondary passwords is that they’re valid only for a short time and they can be used only once. You have to enter these secondary passwords only the first time that you log in on a particular device or in a particular Web browser, so they are just an occasional extra step, not a daily inconvenience.

Sites that offer two-step verification will provide setup and usage instructions, but the basics are as follows. You’ll enable two-step verification in the account settings, and then tell the site how you’ll get the one-time password when you want to log in, generally providing your phone number or email address. For services that use an authentication app like Google Authenticator, Authy, or 1Password, you’ll have to scan a QR code on screen or enter a secret key—either way, that seeds the app with a value that enables it to generate a valid one-time password every 30 seconds. Make sure to record any backup codes the site provides; they’re essential if you lose access to your phone or your email.

When it comes time to log in to a service protected by two-step verification, you’ll enter your username and password as you normally would. Then, you’ll be prompted for a one-time password, and the service will either send you one via SMS or email, or require you to look it up in your authenticator app. Since a bad guy who might have obtained your normal password would also have to intercept your text or email messages, or have stolen your mobile phone (and be able to get past its passcode), you’re far, far safer.
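The authenticator-app flow described above, as an added example that is not from the article or from any of the apps it names: a generator for the time-based one-time passwords (TOTP, as standardized in RFC 6238) that such apps produce from the secret seeded by the QR code, plus a server-side check that enforces the two properties the text calls out, namely that a code is valid only for a short window and can be used only once. The secret is the RFC reference key, base32-encoded the way a QR code carries it; the `TotpVerifier` class and its names are assumptions of this example.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the RFC 4226/6238 reference key, base32-encoded
# the way an authenticator app receives it from a QR code or typed-in key.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Compute the TOTP code (HMAC-SHA1) for the given Unix time."""
    key = base64.b32decode(secret_b32.upper())
    counter = unix_time // step                      # which 30-second window we are in
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TotpVerifier:
    """Server side (hypothetical): accept a code only within a small time
    window around 'now' and never accept the same window's code twice."""

    def __init__(self, secret_b32: str, step: int = 30, skew: int = 1):
        self.secret = secret_b32
        self.step = step
        self.skew = skew                             # windows of clock drift tolerated
        self.used_counters: set[int] = set()         # replay protection

    def verify(self, code: str, now: int) -> bool:
        current = now // self.step
        for counter in range(current - self.skew, current + self.skew + 1):
            expected = totp(self.secret, counter * self.step, self.step)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                if counter in self.used_counters:
                    return False                     # code already spent
                self.used_counters.add(counter)
                return True
        return False                                 # wrong or expired code


if __name__ == "__main__":
    print("current code:", totp(DEMO_SECRET_B32, int(time.time())))
```

With the reference secret, `totp(DEMO_SECRET_B32, 59)` yields the RFC 6238 test value 287082, and presenting that code a second time, or two minutes later, is rejected.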

Most sites that use two-step verification don’t require that you enter a one-time password on every login, since that would be overkill. It’s also unnecessary to enable two-step verification for every account you might have—there isn’t much liability to someone logging in to your New York Times account since they couldn’t do anything diabolical once in. For more-important accounts—email, social media, cloud services, banking—you absolutely should use two-step verification for added protection so a bad guy can’t impersonate you to your friends, receive email-based password resets for other sites, or access your most important data.

You may also hear the term two-factor authentication, which is even more secure than two-step verification when implemented correctly. That’s because two-factor authentication combines something you know (your password) with something you have (such as a secure token keyfob that generates time-limited one-time passwords) or something that’s true of you (biometric info like a fingerprint or iris scan). It might seem like using your iPhone to get a text message or run an authenticator app qualifies, but if you end up doing everything on a single device that could be compromised, it’s not true two-factor authentication.

Regardless of the terminology, going beyond a single password, no matter how strong, significantly increases your security, and you would be well served to employ such a security technology for your most important accounts. To learn more about why strong passwords are necessary, using password managers, and even more details behind two-step verification and two-factor authentication, check out Take Control of Your Passwords.