The 2014 Heartbleed bug exposed millions of internet logins to scammers thanks to one itty-bitty piece of code, and our security nightmares have only gotten progressively worse in the years since.
What’s the average internet user to do? Well, you should have strong passwords. Even when strong, though, passwords are a pretty laughable method of authentication, because they can be scooped up pretty easily by a variety of methods. (You can stop changing your passwords constantly unless they’re in a breach.)
What you really need is a second way to verify yourself. That’s why many internet services, a number of which have felt the pinch of being hacked or breached, offer multi-factor authentication (MFA). We used to call it two-factor authentication (2FA), but more factors are better. You’ll find all the terms used interchangeably with “multi-step,” “two-step,” and “verification,” depending on the marketing.
Biometric scanners for fingerprints, retinas, or faces are on the upswing thanks to innovations such as Apple’s Face ID and Windows Hello. But in most cases, the extra authentication is simply a numeric string, a few digits sent to your phone as a code that can be used only once.
You can get that code via SMS text message (which is not a great idea) or a specialized smartphone app called an “authenticator.” Once linked to your accounts, the app displays a constantly rotating set of codes to use for logins whenever needed—it doesn’t even require an internet connection. There are numerous apps, some from big names such as Microsoft and Google, as well as Twilio Authy, Duo Mobile, and LastPass Authenticator. They all do the same thing, essentially; a few add password management and other features. Here’s our rundown of The Best Authenticator Apps.
The majority of popular password managers offer MFA authentication by default. The codes provided by authenticator apps sync across your accounts, so you could scan a QR code on a phone and get your six-digit access code on your browser, if supported.
Be aware that setting up MFA can actually break access on some older services. In such cases, you must rely on app passwords—a password you generate on the main website to use with a specific app. You’ll see app passwords as an option with Facebook, Twitter, Microsoft, Yahoo, Evernote, and more—all of which either are used as third-party logins or have older functions you can access from within other services. The need for app passwords is, thankfully, dwindling.
Remember this as you panic over how hard this all sounds: Being secure isn’t easy. The bad guys count on you being lax. Implementing MFA will mean it takes a little longer to log in each time on a new device, but it’s worth the extra work to avoid theft of your identity, data, or money.
Apple Two-Factor Authentication
If you’re an iOS or Mac user, your Apple ID is a big part of your life. It’s important not just for access, but also for storage via iCloud; purchases of movies, books, and apps; and subscriptions to services such as Apple Music and Apple TV+.
To activate two-factor authentication, go to the Manage Your Apple ID page(Opens in a new window) and sign in. Look for Account Security > Two-Factor Authentication and click “Get Started…”
You are then furnished with steps on how to set up 2FA for Apple using either iOS or macOS. On iOS you go to Settings > [your name at the top] > Password & Security > Turn on Two-Factor Authentication. On macOS go to > System Preferences > iCloud, sign in, click Account Details > Security > Turn on Two-Factor Authentication. (Here are specifics on setting it up in iOS so you can literally use your iOS device as an authenticator app.)
You’ll have to answer two of your three pre-set security questions and re-confirm your credit card on the account to get into the setup. Then you have to enter a valid phone number to get a text or phone call (even if it’s the number already on the phone you’re using for setup). If it is the same phone, the six-digit code will be entered automatically when it arrives, or just type it in.
After that, signing into anything with an Apple ID should generate the code on the device used for setup. Apple also supports app-specific passwords(Opens in a new window) and physical security keys.
Note that once Apple’s Two-Factor Authentication is active, you can’t turn it off. “Certain features in the latest versions of iOS and macOS require this extra level of security, which is designed to protect your information,” Apple says(Opens in a new window).
Dropbox Two-Step Verification
Dropbox on the desktop(Opens in a new window) has a tab called Security(Opens in a new window). It’s where you go to check how many current sessions are logged in and devices are using the account, to change the password, and of course, to turn on two-step verification. Toggle it to on, enter your password, and you’ll be asked whether you want to get security codes via SMS text messages or a mobile authenticator app.
If you choose texts, enter a phone number to get a code immediately. You also can enter a backup number and receive a 16-digit number you should save somewhere safe; it lets you deactivate two-step verification if needed. If you choose the authenticator app (and you should), you’ll see a QR code onscreen to scan. Other options include the use of a hardware security key, if you’ve got one. Dropbox provides excellent MFA instructions(Opens in a new window).
Google 2-Step Verification
With access to your credit card (for shopping on Google Play or paying via Google Pay), important messages and documents, your smart home devices, and even your videos on YouTube—essentially your whole life—a Google account has to be well protected. Thankfully, the company has been offering MFA since 2010.
You can visit the Google Safety Center to find 2-Step Verification(Opens in a new window). Simply add your smartphone to your account, make sure the Google search app is on the phone, and at login, go to the phone and acknowledge with a tap that you are the one signing in.
If that doesn’t work, you’ll need to enter an extra code. That code is sent to your phone via SMS text, via a voice call, or by using an authenticator app. Google Authenticator(Opens in a new window)—or any authenticator app—can generate the verification code for you, no internet required. On your personal account, opt to register your trusted computer(Opens in a new window) so you don’t have to enter a code during every sign-in.
Once you’ve set up Google 2-Step Verification, access it again by visiting your Google account security settings(Opens in a new window). Use that to select optional phone numbers or emails that can receive codes, switch to using an authenticator app, and generate app-specific passwords.
Microsoft Two-Step Verification
Microsoft has tied together most of its services under one umbrella. Outlook.com, OneDrive, Xbox Live, Skype, an Office subscription, the Windows operating system itself, and much more can all use the same account. Naturally, it should get some extra protection.
In fact, Microsoft said in 2021 that it won’t even require a password on accounts—as long as you use one of its MFA-style methods to log in. That means using either the Microsoft Authenticator app on iOS(Opens in a new window) or Android(Opens in a new window) or the Windows Hello biometric sign-in. But you can stick with using a password and getting a security key or verification code, if you prefer.
Sign in to your Microsoft account at account.microsoft.com/profile(Opens in a new window). In the top navigation, click Security; on the next page, click Advanced security options. You’ll see a link called Add a new way to sign in or verify, and you can enter lots of info here, such as email addresses and phone numbers that can be used to get a code—also, you can set up Enter a code from an authenticator app. Under that, you’ll see options for Passwordless account and Two-Step Verification.
You don’t need to use Microsoft Authenticator if you’re only setting up MFA access with a password. It also works with other standard authenticator apps, like Google Authenticator and Authy—but to use them, you must pick “other” during the setup. Or you can get the codes sent via text message or email.
To use the Passwordless account option, Microsoft Authenticator is required on your smartphone. But you may not even have to enter a code—the app will pop up when you try to sign in somewhere, and after you log into the phone, you click a couple of boxes to authenticate, easy-peasy. (Some might say too easy—since all anyone needs to access your Microsoft account now is to steal your phone.)
Microsoft provides a recovery code for you to write down and keep safe, a 25-digit whopper (like the kind it uses on everything from software registrations to Xbox giveaways).
At Trinity Worldwide Technologies, we offer comprehensive network risk assessments and training services which invites users to sit through various vignettes on security. This service uses short video tutorials and has a question and answer segment to test employee knowledge on the given topic. Our training is delivered via email, and tracked and reported so we can monitor employee participation. Give us a call at 732.780.8615 or email us at [email protected] if you would like more information on these services.
Excerpt taken from Eric Griffith, “Multi-Factor Authentication: Who Has It and How to Set It Up“, pcmag.com, March 8, 2023