Enable Two-Factor Authentication

So everybody’s really excited about [[wiki:Heartbleed]] and now we’re seeing helpful folks on social media urging all their friends and family to [change their passwords](http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/).

Leaving aside that your Instagram password is probably one of the least interesting things an attacker might get through Heartbleed, changing your password will only help you until the next time a security breach leaks a (hopefully) hashed password database.

Passwords alone aren’t good enough for security anymore. Fortunately, more and more sites have implemented [two-factor authentication](http://lifehacker.com/5938565/heres-everywhere-you-should-enable-two-factor-authentication-right-now/all) or [[wiki:two-step verification]].


I’ve been using [Google Authenticator](https://support.google.com/accounts/answer/1066447?hl=en) with Google accounts for a little over a year. And since I’m using [LastPass](http://lastpass.com) to generate and store passwords, I use it there too.

**UPDATE!** [Nathaniel McCallum](http://nathaniel.themccallums.org/) just let me know there’s a free software alternative to Google Authenticator in [FreeOTP](https://fedorahosted.org/freeotp/). I’ll be checking that out and probably switching.

What I only recently realized is that plenty of other sites (Facebook, Hotmail, this blog, and many more) have implemented the same one-time password standard that Google Authenticator uses, complete with QR codes to scan.

Lifehacker has a great write-up on [enabling two-step verification](http://lifehacker.com/5938565/heres-everywhere-you-should-enable-two-factor-authentication-right-now) on several popular sites, and they point to a [list of sites with links and instructions](http://evanhahn.com/2fa/) on how to enable two-factor authentication.

The app is used to verify that you *have* a specific smart phone after you’ve confirmed that you *know* a password. Those are the “two factors” in “two-factor authentication.”

Once you’ve used the authenticator app on a given browser, you can usually check a box so that you aren’t prompted again from that browser. But if someone else managed to get your password, they’ll be prompted to get a code from your smartphone: something they don’t have.

Given the increasing sophistication of attacks, setting up a two-step verification system is absolutely necessary to keep your information and identity secure. And now that we have easy-to-use tools like FreeOTP or Google Authenticator, there’s no reason not to.

So do it! When you’re going around resetting all your passwords again, do yourself a favour and set up two-factor authentication too.

4 thoughts on “Enable Two-Factor Authentication”

  1. What happens when my smartphone falls out of the canoe?

    What happens if I don’t have the financial resources for a smartphone?

    Is there a solution for the rest of the world?

  2. Many services give you a number of back-up options. Google, for example, lets you print off a set of codes you can keep in your wallet.

    And pretty much every service also uses SMS (some even a voice phone call) to send you your verification code.

    I just think an OTP app is way less cumbersome. If you happen to have a smartphone.

    Keep in mind, you only need to use this the first time you log in from a browser. It probably wouldn’t hurt to keep a VM or a portable Firefox on a USB keychain and carry that around with you.
