The simple way to make your online accounts unhackable

Two-factor verification puts an extra layer of security on your internet accounts to make them inaccessible to anyone but you — even if someone else knows the password.

Experts agree that the best way to protect your personal data online is to use a strong password and store it in a password manager. A password manager is essential, too, since it’s impossible to remember long and complicated passwords that are different for each account you use.

But while this will prevent your passwords from being guessed by a hacker, or cracked using sophisticated ‘brute force’ software, it won’t stop your password from leaking if someone hacks the online service in question.

Most services have measures in place to prevent this, but it’s still advisable to take your own extra security measures to prevent even a leaked password from being useful to a hacker. 



No code, no access

That’s why many online services offer an extra layer of security called two-factor verification. In addition to your password (the first ‘factor’), this asks for an extra piece of information (the second ‘factor’) before you can gain access to your account — usually a simple numeric code.


The crucial part is that this code is random, changes every few minutes and is generated by something only you have access to, such as an app on your smartphone. That means even if your password is compromised, no one can access your online account without also having access to your smartphone.



Verification made easy

Many major online services support two-factor verification (sometimes called two-factor authentication or login approval), including Google, Facebook, Microsoft and PayPal. They all work in much the same way, but while most rely on an app to generate verification codes on demand, a few use a text message sent to your mobile phone.

Incidentally, once enabled, you don’t have to use two-factor verification every time you want to access an online account. Most services allow you to ‘trust’ a computer so that you only need to enter the additional code once.

Microsoft has even included a similar feature in Windows 10 in the form of a PIN code, which means you don’t have to enter your complicated Microsoft account password each time you log into your PC. You’ll find this option at Start > Settings > Accounts > Sign-in options.



Turning on two-factor verification

While the exact steps are different for every online service, setting up two-factor authentication almost always involves going to your account settings, enabling the feature and completing a test verification.

Some services also provide a backup code so you can gain access to your account if you lose your code generator (your phone might be stolen, for example). This is something you need to save in a safe place, for obvious reasons — that’s where a password manager app comes in handy.


You can see a list of services that support two-factor verification at the Two Factor Auth site and here are direct links to set-up pages for popular online services — you’ll need to log in to each service to see the relevant page:


Get the Google Authenticator app

Services that use a smartphone app to generate verification codes may use an app of their own, but most rely on Google’s Authenticator app.

Available for Android and Apple devices, this lets you scan an on-screen QR code using your smartphone for the service in question, which then gets added automatically to the app’s list. Then you just need to launch the app whenever you need to generate a code and find the service you want.



Why you might need a unique app password

That’s really all there is to setting up and using two-step verification, but there is an extra complication. Some of the software you run on your computer or smartphone to connect to online services won’t support two-factor authentication, which means they won’t work once this security feature is enabled.

If you use an email application with a webmail account (rather than check email in a web browser), for example, it may not work when two-factor verification is enabled unless it offers a way to enter a verification code. If not, there is a solution.


Services that work with other software (Gmail, for example) can generate one-off app passwords you use instead of your existing password and verification code combination, where required. So once an app password has been substituted in the application concerned, it will work again — and that app password won’t work anywhere else.


