A secure password goes a long way toward protecting your account, but it is hardly foolproof. Short or simple passwords are vulnerable to brute-force or dictionary attacks that systematically test password combinations until your true password is revealed. Keyloggers could capture and transmit typed passwords from an infected computer. Packet sniffers potentially intercepted login details at public wireless hotspots or local networks. And your password is always at risk to behind-the-scene workers or breaches at the server level, both of which are beyond your control.
The point is, modern accounts need a leg up to maintain security against hackers. That is where two-step verification shines. This secure system, often called two-factor authentication, requires two pieces of information before granting access to your account: something you know and something you have.
Something You Know
“Something you know" refers to your account password. Alone, however, the password is useless, so even if a hacker possesses your password, he cannot access your two-step-enabled account. Before that password could grant access to your account, you (or the hacker) would need to have the second-step verification device.
Something You Have
Your cell phone typically addresses the second “something you have" requirement. When you attempt to log in to your account, your phone receives an SMS message containing a code, and a prompt displays on the login screen. Once you successfully enter this code, thereby proving you have the phone, you can access the account.
Although text messages are the most common second-factor method, they aren’t the only ones. Some accounts optionally submit codes through voice calls or voicemail. Authenticator apps, such as Google Authenticator, Windows Authenticator or Authy, are alternative options to receive codes through the Internet, which is especially helpful when traveling abroad with no cell coverage. Some accounts, such as Windows 8, also allow a secondary email address to receive codes. Finally, if you have established a trusted device, you won’t need a code at all when accessing the account on that device, which means a lazy user has no excuse for not enabling two-step verification.
Most accounts give you the option of “trusting" a device when you successfully log in from it. If you missed this option, you can probably find it in the Security section of its online account. To use a Microsoft account as an example, you would find an option labeled, “I sign in frequently on this device. Don’t ask me for a code." Also, be aware that some accounts temporarily or permanently trust any device from which you successfully log in, which means you should take care which accounts you access on a shared computer. Better yet, only access accounts from your home computer or mobile devices to which you have exclusive access.
Enabling Two-Step Verification
Most accounts offer the two-step verification option in the Security section of the account settings. Enabling this feature registers you cell phone, authenticator app or secondary email as the second login requirement. In Microsoft accounts, access the Password and Security Info section and select Set up Two-Step Verification. In Google accounts, click Account, Settings and then Setup next to the Password box’s 2-Step Verification option. In Apple accounts, open the Password and Security section and click Get Started in the Two-Step Verification section.
When you first set up two-step verification, you will probably see an option for a recovery or backup code. If the account doesn’t automatically create this code, choose to do so and save it in a secure location. This code is your spare key, in case you lose or break your second-tier authentication device, and lets you access your account by alternatively entering this single-use code. If you missed this option, trudge through the account’s security section until you see the option for recovery codes or keys. Depending on the account, you are allowed a single recovery code (Windows) or multiple codes (Google) at a time. While you’re in the security section, you can also set up additional recovery options, such as questions or secondary emails, to serve as additional backups.
Many apps and some hardware, such as Xbox, can’t send security codes to your device, so you must manually approve each app. Look for an “App Password" option in the governing account’s (Microsoft on Windows, Google for Android, Apple for iOS) security section, generate a new key and enter it in the app’s prompt. You don’t need to remember this code; once it has been successfully entered, you won’t be prompted again.