How to . . . beef up security on your online accounts

Two-factor security: what is it, why might you need it and how do you set it up?

We tend to get lulled into a false sense of security when it comes to our devices and security.

Security warnings arriving in your email are nothing new, but chances are many of them are fake – phishing emails trying to get you to log on to a dodgy website and hand over your login information without a second thought.

But what if they are genuine? It happened recently to a friend of mine. He woke up to a pop-up notification on his iPhone from Apple, warning that he'd logged into another Apple device. Then came the email that told him he had signed into iMessage earlier on an iPhone 5s. The problem? He doesn't own an iPhone 5s. So someone had his password and had logged into his account.

We tend to get lulled into a false sense of security. If you have a decent password you think that is all you need to keep prying eyes out of your accounts. You may also have taken on board the frequent advice not to reuse passwords across multiple services.

But the truth is that you can follow all the rules that security experts lay down, and you may still find yourself caught out. A momentary lapse of attention, a well-thought out phishing campaign or some bad code hiding a vulnerability can set all your careful security practice aside.


The answer? Two-factor authentication, also known as two-step verification. That means you don’t rely solely on something you know – simple, or not so simple, passwords – but also need something you have, usually a unique code delivered to your smartphone or tablet. Without that code, you can’t log in – and neither can anyone else. The codes also expire after a certain time.

The caveat: while it makes your accounts more secure, using two-factor authentication can be a giant pain, especially if you are relying on your much abused smartphone to deliver the access codes. If you lose your phone, you could temporarily lose access to your accounts; ditto if the battery dies.

But it is worth bearing in mind that most services won’t ask for an authentication code after the first time you log in from that specific browser or machine, unless you specify that you want it to ask every time. That’s handy for shared or public machines.

If you are concerned about the security of your accounts, two-factor authentication is worth considering. Here are some of the more common services that use it, and how you can set it up.

GOOGLE

If you use Gmail, Google Drive or Android, you have a Google account. Most of us do, and if you add it all up, there's a scary amount of information on there that you'd really rather did not fall into the wrong hands.

Google’s two-step verification is easy to enable and straightforward enough to use. When you sign in, you’ll be asked for your password as normal. Then you’ll get a code sent to your phone (or if you are using a computer, you can set up a USB security key). Use that computer regularly? You can tell your account to remember that, so when you log in from that computer next, you’ll only need your password.

You can get that code through various means: primarily a text message to the phone number attached to your Google account, or a code delivered through a phone call to your registered mobile number. You can add a back-up method too – through the Google Authenticator app, which you can download to your smartphone, or a printable set of codes that you can bring with you while you’re travelling, for example. You can also set up your phone to prompt you for authorisation when you log into your account, so you don’t need to type in the code yourself.

If you are using a computer, you can set up a USB security key to take care of the authorisation, and simply plug it into the USB port when needed.

You might also have noticed that there’s a heavy reliance on your phone to authorise your log-ins; you can set a back-up phone just in case you lose your primary number.

How to set it up: To enable two-step verification on Google, go to the two-step verification page. You may get a prompt to log in to your account.

Click ‘Get started’. You’ll be prompted to choose the method through which you want to receive your verification code (text or phone call). It will then send a code to your phone, which will allow you to turn on two-step verification.

You’ll then be prompted to check your settings and authorised phone numbers, or add some of the back-up options mentioned above.

You can also check what devices have trusted status – ie those you have requested not to ask for an access code after the initial log in – and remove those devices that you no longer use.

FACEBOOK

Facebook allows you to add a couple of extra layers of security to your account, the simplest of which is login alerts. Every time you log in from a new location, you will get an alert.

But there is also Login Approvals, which allows you to use your mobile phone to approve access to your account.

Again, it’s heavily reliant on your mobile phone; Facebook will text you the initial code to enable login approvals to the phone number associated with your account – if you have given it one.

How to set it up: On your browser, go to the little drop-down arrow beside the padlock icon. Go to Settings>Security. Under Login approvals, check the box that says Require a login code to access my account from unknown browsers. You'll get a pop-up box that talks you through the setup, but it's far less involved than Google's or Microsoft's process.

TWITTER

Twitter is another one that requires your mobile phone to enable two-factor security. It uses login verification through codes texted to the phone number associated with your account. You’ll also have to have a confirmed email address associated with your account.

However, and this may be an issue, not all mobile operators are supported. Twitter won’t allow me to add a Three mobile account for login verifications, for example.

To set up login verification through a web browser: Go to twitter.com and sign in to your account. On the profile icon menu, click Settings>Security and privacy settings and check the box that says verify login requests. You'll have to verify your password, and then the site will send you a message with your first login code. Enter the verification code when prompted and click Submit.

You’ll also be prompted to get a backup code, which you’ll need if you lose access to your phone or change your number.

On iOS:

Go to the Me tab, and click the gear icon. Select Settings>Account>Security and enable login verification. Tap ‘Confirm’. You’ll be prompted to send a code to your phone number, which you will need to verify your number.

On Android:

Tap your profile icon or the menu button, and select Settings>Account>Security. Check the box for login verification and follow the instructions to enrol your number and send the code to your phone.

ICLOUD

Apple has a slightly more complex approach to security, distinguishing between two-step verification and two-factor authentication. For most users, the differences aren’t important, as it essentially amounts to the same thing – an extra layer of security on your account that requires a code of some sort.

But if you’re interested, here are the differences:

Two-step verification is a slightly older technology, in use since 2013; two-factor authentication was introduced in 2015 with iOS 9 and El Capitan.

Two-step verification uses four-digit codes sent to your trusted numbers; two-factor authentication uses six-digit codes.

Two-step verification has a recovery key you must note down and keep safe in case you get locked out of your accounts; two-factor authentication doesn’t require that offline recovery key.

Two-step verification requires you to generate app-specific passwords for those apps that don’t support the technology; two-factor does not.

Two-factor authentication is recommended for those who have iOS devices running iOS 9 or later, or OS X El Capitan or later; two-step verification is good for devices that are earlier than this and cannot be upgraded. You’ll also need two-factor authentication to use your Apple Watch to unlock your Mac, for example.

Regardless of the method, once you’ve enabled two-factor security, you’ll have to have access to your nominated mobile number or device, or you’ll be unable to log in to your account.

How does it affect the devices on which you use your iCloud sign in? Once you enable two-factor authentication, you’ll have to provide a code to log in to your account on new devices. On your iPhone, iPad or iPod Touch, for example, you’ll be asked for the code once, and that will be it unless you log out, change your password or erase the device.

On new browsers, you can opt not to be asked for the code after the initial log-in, but that’s not recommended if you share a device, or use a public PC.

To enable two-factor authentication through your iPhone or iPad running iOS 9 or later:

Open Settings>iCloud and select your Apple ID at the top of the screen. Select Password and security. Tap Two-factor authentication to turn it on and follow the prompts.

To enable it on your Mac with OS X El Capitan or later: Go to Apple menu>System Preferences>iCloud>Account Details. Click Security, then turn on Two-Factor Authentication.