Experts agree that the best way to protect your personal data online is to use a strong password and store it in a password manager. A password manager is essential, too, since it’s impossible to remember long and complicated passwords that are different for each account you use.
But while this will prevent your passwords from being guessed by a hacker, or cracked using sophisticated ‘brute force’ software, it won’t stop your password from leaking if someone hacks the online service in question.
Most services have measures in place to prevent this, but it’s still advisable to take your own extra security measures to prevent even a leaked password from being useful to a hacker.
No code, no access
That’s why many online services offer an extra layer of security called two-factor verification. In addition to your password (the first ‘factor’), this asks for an extra piece of information (the second ‘factor’) before you can gain access to your account — usually a simple numeric code.
The crucial part is that this code is unpredictable to anyone else, changes every few minutes and is generated by something only you have access to, such as an app on your smartphone. That means even if your password is compromised, no one can access your online account without also having access to your smartphone.
Verification made easy
Many major online services support two-factor verification (sometimes called two-factor authentication or login approval), including Google, Facebook, Microsoft and PayPal. They all work in much the same way, but while most rely on an app to generate verification codes on demand, a few use a text message sent to your mobile phone.
Incidentally, once enabled, you don’t have to use two-factor verification every time you want to access an online account. Most services allow you to ‘trust’ a computer so that you only need to enter the additional code once.
Microsoft has even included a similar feature in Windows 10 in the form of a PIN code, which means you don’t have to enter your complicated Microsoft account password each time you log into your PC. You’ll find this option at Start > Settings > Accounts > Sign-in options.
Turning on two-factor verification
While the exact steps are different for every online service, setting up two-factor authentication almost always involves going to your account settings, enabling the feature and completing a test verification.
Some services also provide a backup code so you can gain access to your account if you lose your code generator (your phone might be stolen, for example). This is something you need to save in a safe place, for obvious reasons — that’s where a password manager app comes in handy.
You can see a list of services that support two-factor verification at the Two Factor Auth site and here are direct links to set-up pages for popular online services — you’ll need to log in to each service to see the relevant page:
- Microsoft account (look under Two-step verification)
- Twitter (look under Log in with code)
Get the Google Authenticator app
Services that use a smartphone app to generate verification codes may use an app of their own, but most rely on Google’s Authenticator app.
Available for Android and Apple devices, this lets you scan an on-screen QR code using your smartphone for the service in question, which then gets added automatically to the app’s list. Then you just need to launch the app whenever you need to generate a code and find the service you want.
Why you might need a unique app password
That’s really all there is to setting up and using two-step verification, but there is an extra complication. Some of the software you run on your computer or smartphone to connect to online services won’t support two-factor authentication, which means they won’t work once this security feature is enabled.
If you use an email application with a webmail account (rather than checking email in a web browser), for example, it may not work when two-factor verification is enabled unless it offers a way to enter a verification code. If not, there is a solution.
Services that work with other software (Gmail, for example) can generate one-off app passwords you use instead of your existing password and verification code combination, where required. So once an app password has been substituted in the application concerned, it will work again — and that app password won’t work anywhere else.