How do you protect your photos, messages, and more from being hacked or stolen online? With two-factor or two-step authentication!
Hackers are too good, and security systems flawed. Longer, more complicated passwords created by generators like Safari's iCloud Keychain or third-party apps like LastPass or 1Password can help, but the best way to lock down your accounts is to add extra security options for two-step or two-factor (2FA) authentication. Here's how to go about it.
- How to set up two-factor for Apple and iCloud
- How to set up two-factor for Google and Gmail
- How to set up two-factor for Dropbox
- How to set up two-factor for Twitter
- How to set up two-factor for Facebook
- How to set up two-factor for Tumblr
- How to use Authy to manage two-factor
What is two-factor authentication?
Two-factor authentication is the most prevalent way to secure your accounts: It asks you to prove that you are who you say you are by supplying not only your password, but also a unique code supplied from your phone or an external app. It ensures that those accessing your accounts have access to your physical devices as well as your virtual passwords, and makes a simple password crack or social engineering hack far less likely to be enough to access your personal data.
What's the difference between two-factor authentication and two-step authentication?
They're commonly used interchangeably, but two-factor traditionally requires two different types of authentication. That can include something you know (password), something you are (fingerprint), or something you have (Bluetooth dongle). Two-step authentication, on the other hand, can use the same type of information delivered by different sources. For example, a code you remember (password) plus a code you're sent over SMS (token).
Two (or more) factors can be more secure, but two steps are typically enough for most online accounts. It's a better version of the old "security questions". It not only helps you avoid needing to remember your random answers, but it also removes the risk of relying on potentially easy-to-find information.

Why is two-step authentication so important?
Passwords are weak, broken, and by all accounts, outdated: Having to remember a random assortment of numbers, letters, and possibly (but not always) other characters can be tough on your memory and easy for attackers to compromise, especially when technology like Touch ID exists. Apps like 1Password or LastPass can help with organizing and memorizing your passwords and even help you create super-long strings, but you're still reliant on a single password to keep you safe. Two-step/two-factor authentication requires two different keys to log you into your account, significantly amping up the level of difficulty for any would-be hackers to access your personal information.
What accounts can I set up with two-step authentication?
Over the past few years, lots of web services and banks have hopped aboard the multiple authentication methods bandwagon — more than we can properly list. The folks over at Two Factor Auth, however, have kindly put together a master list of services that support two-factor or two-step authentication, along with links to how-to documents, what methods of two-factor authentication they support, and how to contact a service you use to request that they implement two-factor authentication.
Here at iMore, we've put together a bunch of articles on some of the most popular services that support two-factor/two-step authentication — as well as the easiest ways to set it up — to help you keep your accounts safe and away from prying eyes.
What if I lose my phone (or have it stolen)?
One of the big fears with SMS or code-based two-factor authentication is the potential loss of your primary authentication device: If you don't have your phone, you can't get SMS messages, et cetera. Thankfully, most services offer recovery keys or special passcodes that can unlock your account in case you don't have access to your cell phone at the present moment. Make sure to write these down in a safe place; I use 1Password's secure notes feature for this, and also store a hard copy in my office.
Need more help with two-step authentication?
Running into trouble setting up two-step authentication? Have a question about turning two-step or two-factor on for your favorite service? The iMore Forums are a great place to get advice and help from other members of our community; you can also ask a question in our Q&A forum and we'll get back to you as soon as we can.
Reader comments
How to use two-step and two-factor authentication: The ultimate guide
Is it me, or does Google two factor authentication work terribly with Yosemite? When I have it enabled, Mail.app keeps asking for my password. I really want to use the Mail.app that is why I currently have 2 factor authentication disabled.
You need to generate and use an app specific password to use Google services on Mac/iOS correctly. This can be done in your Google security settings.
Yes, but with that generated app specific password, Mail.app works for 5 minutes then it asks for the password again. Strangely, if Mail is disabled but Contacts and Calendar left enabled, that doesn't happen.
At least for iOS, this is supposed to be fixed in 8.3, where it will work with Google two factor.
Yup, this is fixed in iOS 8.3 and OS X 10.10.3.
Google's 2 step verification sucks next to Apple's implementation as it's too complicated.
Sent from the iMore App
How so? When I set up 2 step with Apple, I had to wait a few days to complete the process. I didn't have to do this with Google.
With Google you have to use the stupid Google Authenticator app which doesn't work as well as it should and it would tell me to "set up the 2 step verification on your computer" which I have already but thankfully I managed to change it so it just generates a code like Apple's 2 step verification. But Apple's one works better for me as I set it up like 2 years ago before Apple made changes.
People are too lazy for two factor authentication. Myself included.
Posted via the iMore App for Android
This is how I felt before starting work on these articles. But it's ten minutes to set up and offers MUCH more peace of mind.
If I turn on two factor authentication, would that pose a problem if I lost a device and needed to find it with find my iPhone? That is, since I don't have the physical device for authentication, will I be able to turn on and use Find My iPhone?
If you use Authy, you shouldn't have a problem if you allow your other devices to get your tokens.
For Apple, there is a recovery key as well. I redid my iPad and didn't have any of my other registered devices with me at the time. I was able to bypass the normal two factor with that bypass key, which is a 12 character assigned code.
That was a really good question. Need this one answered before I dare set this up for iCloud :-)
Yes, iCloud does allow you to find a lost device without entering your 2-step code.
Additionally, you can setup multiple iOS devices and phone numbers that can accept text messages, to verify your identity.
And here is why, depending on where you live, you should NOT use two-factor authentication. In some parts of the world (including Brazil), thieves are asking for your Apple password at gunpoint upon stealing your phone. If you have two-step, the thief can then change your Apple password, receive the code on the stolen phone, and gain control of your entire Apple life.
If you don't have two-step, and rely instead on the security questions, you can later regain control of your account and transfer everything to a new device.
Yipe! That's a little insane. And scary. But also why Apple provides a recovery key for your 2FA account. Either way, that is definitely a bit outside my wheelhouse where 2FA is concerned, and it makes sense to use your best judgment.
UGH. I need an article talking about using Authy and or 1Password with 2 factor - can 1Password do it, or do I need Authy? Why would I choose Authy over the Google 2 factor App, or the RSA token app? When is Authy the wrong decision?
See our Authy article! You can use either Authy or Google or 1Password — they all do the same thing.
No they don't.
Authy is 2FA. 1Password is TOTP or two step verification.
I set up 2-factor authentication on all my Apple devices. I guess it works OK and provides good protection, but I wasn't prepared for the number of times I would be expected to enter my Apple ID password ALL THE TIME now. When I launch the iTunes Store on my iMac, it asks for my password immediately, then if I buy a song or app, etc, it asks for it again! Same on my iPhone, I find myself entering my Apple ID password all the time, and it can get a little annoying. Just fair warning, if you do make the switch to 2-factor authentication, you will be entering your password a LOT more than you did before.
Yeah, here is why Apple should make it available in my country, too (an EU country, at that). But hey, there's still hope, some day.
Reduce data theft – 2FA reduces the risks of phishing attacks and thus potential loss of your data.
Read more http://www.linkgard.com/blog/google-apps/google-apps-vs-office-365-2fa.html
You forgot to mention that Microsoft lets you set it up as well.
They say that there is always a tradeoff between security and convenience, and in my case, after having 2FA enabled for quite a while, I've gone back and chosen convenience instead of the extra security of 2FA.
I had a friend who found that his authentication key didn't work with Apple because they were actually tying his account to an OLDER authentication key that he was fortunately able to dig up with a great deal of sleuthing. No explanation for why that happened, though. And if you lose your key, you can end up deeply hosed.
The other issue for me is that the whole app-specific password thing is an *enormous* pain because third party apps don't tend to handle it very well, at least in my experience. You may forget that you need an app-specific password for an app, or more likely, you may not have any idea what that even is. It's been very poorly explained.
The other thing I find strange is that, with text message forwarding set to go to my iMac, laptop, iPad and iPhone, the 2FA security codes I receive via text message go to all devices at once — and presumably thwart the supposed extra security anyway. Apple shouldn't allow phone numbers/texts as their code delivery vehicle anymore, for that reason.
I suppose 2FA is like insurance — you don't need it until you need it, but you might never need it. In my case, the cost/benefit analysis says to go without it.
Sorry Serenity, but this article is dangerously inaccurate.
Two-step and two-factor are entirely different concepts. Both usually have two steps, but only one requires a second factor at each login. What you've described is 2SV/two step verification; the most commonly used across Apple/Google et al.
You cannot bypass a second factor with a permacookie... it is required by the verifier each and every time you login. If you're prompted to "remember this choice/PC", that's a two-step process.
See https://ramblingrant.co.uk/the-difference-between-two-factor-and-two-ste... for further clarification.
Wrt 1Password/Authy...
1Password does not offer 2FA. What you can do is generate TOTPs in a similar fashion to Authy but the moment you combine both "factors", you're undermining them to the point where the LoA is only as high as the weakest factor... the password. If you require actual 2FA, use Authy.
Yeah, I have 2SV on, but waiting for the "Two Factor" system to roll out to everyone, which just checked and it is not available.
I think you overdid it with the word "dangerously."
This article and the responses raise more questions than they answer for me. When instructions and warnings weigh more than the result I stop and think about whether it is worthwhile. I want Touch ID on everything: phone, pad, PC, the lot. If Touch ID isn't enough, then.....
I was wondering if the author had ever used Touch ID... It IS crucial to remember the iDevice password with Touch ID. When a device is started it can only be unlocked with password and not Touch ID. Also, after Touch ID fails a few times, the user has to type the password in.
Touch ID is less about security than convenience. Touch ID is actually as weak as the iDevice primary password.
"...and also store a hard copy in my office." Serenity, now the thieves know! Lol.
I don't use this and I'll tell you why. Apple already constantly and insistently disables my accounts and then asks me for those "security questions." Questions only I know the answer to.
They also regularly ask for this information when I get a new device, and sometimes even when I reboot my device. In other words, all the same times that two-factor authentication would come into play. In fact, the security questions *are* a form of two factor authentication.
So since I already have to do that, it's basically the same thing as what is described in this article but with one difference in my favour. The difference is that I pretty much always have my brain with me and thus always have the answer to those questions. I don't always have my phone and it's possible to lose it as well. If I've somehow "lost" my brain, well I'm dead, so it doesn't matter.
The way it's laid out above, if I don't happen to have my phone, if it's stolen, or I drop it down the drain, I'm completely screwed. For that reason, the questions are actually superior for me.
I use 2FA everywhere it is available. Here is a list, unofficial I am guessing, of most 2FA sites. I found a couple of sites I use that I did not know of before.
https://twofactorauth.org/
Some of this stuff can get confusing. I have two factor, but it does not always ask me. The other day my 6S was showing the spinning wheel in the upper left hand corner all the time, affecting battery life. I turned the phone off then on. No fix. I then held down the home button, and the sleep wake button, waited for the Apple logo. It reset, and no wheel, but went into settings to add a mail account, and I got need recovery key. Never had that happen before. Good thing I had the key. Strange.
2 step verify is something everyone should embrace. I've been using it for a long time on everything that allows it.
Serenity, where exactly do you keep that password in your office?
Good article. Cyber security is very important nowadays and it is our duty to make society cyber aware. I would like to add that there should be one more paragraph about the means of 2-factor authentication. One-time passwords can be delivered not only in text messages or generated with the help of apps. It is much more reliable to use hardware tokens in the form of key fobs or even better plastic cards. Here is a good article about tokens - https://www.protectimus.com/blog/one-time-passwords-generation-algorithm...
I tried using Two Factor for iCloud again (I tried it before but was very annoying.) True to form with a few of Apple's services it doesn't really work. App specific passwords seem to only work for about half an hour before the app (in my case Fantastical) asks for a new one. It is a shame they won't use QR codes and Authy rather than their clunky take on Two Factor Authentication. Big Apple fan but the constant average-ness of their services does get boring.
Can iMore please indicate when these are recycled? Maybe add a date originated / date updated note, and mention what, if anything, has changed?