How to Set Up 2FA: Layered Security for Online Accounts

Twitter hacks are a specialty of OurMine, a self-styled “security group” that offers personal and enterprise services, but is better known for breaking into tech personalities’ social media accounts. Their past victims include Facebook CEO Mark Zuckerberg, Google CEO Sundar Pichai, Spotify founder Daniel Ek, Amazon CTO Werner Vogels, and their latest—Niantic CEO John Hanke.

Niantic is the developer behind the global phenomenon Pokémon Go, a mobile app with a steadily growing fan base despite its limited availability, and one that has spawned a whole range of cyberscams looking to take advantage of its fans. In this latest attack, OurMine claims the hack is “for Brazil,” an attempt to convince the developers to make the game available in the country.

The OurMine hacks are notable, simply because the victims head some of the biggest multinational technology companies in the world. In theory, a company—especially one working in software and technology—should be aware of the best security practices, but everyone makes mistakes and this certainly isn't the first time a tech executive has been hacked. Mark Zuckerberg, for example, evidently had a weak password that he reused on more than one account. The password for both his Twitter and Pinterest was “dadada”, which was undoubtedly easy for him to remember. Unfortunately, it's also easy to hack. OurMine revealed that John Hanke had an equally weak and unoriginal password: “nopass”.  

Layer your security

Aside from practical safety tips, like making sure the password for your accounts is complex and unique, users can also add another layer of security. Twitter and many other platforms have implemented two-factor authentication (2FA) as an added line of defense for their users. 2FA is when you use two separate types of identification to log into an account.

The identification types are broadly classified as:

  • something you know (like a password)
  • something you have (like a smartphone which can provide a specific code)
  • something you are (like a fingerprint)

A combination of these gives you more security than just having a single factor of authentication.

Only a handful of devices come equipped with fingerprint scanners, so the typical combination is a memorized password and a unique code that comes in through Short Message Service (SMS) or an app on your phone. In the case of Twitter, the user has to change their Security & Privacy settings to send login verification requests to a specified number. After 2FA is enabled, users are prompted to enter the password as well as the code sent to them each time they log into Twitter.

Most of the popular websites and online services have implemented options for enabling two-factor verification processes—an option that users are advised to turn on. What could someone do with your Apple password? How badly would you be affected if someone posed as you on Facebook? Would your work be affected if your LinkedIn account was hacked? It would be much better if these questions remained theoretical.

The sites mentioned above and many others have 2FA readily available and can easily be set up.

How to Set Up 2FA on Popular Sites

Twitter

  1. Log into your Twitter account and go to Settings.
  2. On the left-hand side menu, click on Security & Privacy.
  3. In Login Verification, click on Verify Login requests. The site prompts you to add a phone number.
  4. Follow the prompts and you should be receiving six-digit codes on your phone, which you’ll need every time you sign in to Twitter.  

For mobile users:

  1. Go to the Me button on your Twitter app.
  2. Click on the gear symbol to access the settings.
  3. Click on your account name.
  4. Scroll down and click on Security to see the option to enable Login Verification.

Facebook

  1. Log on to Facebook and go to Account Settings.
  2. Click on Security and scroll down to Login Approvals.
  3. Click Edit.
  4. Read how it works and Get Started.
  5. You’ll be asked to enter “known browsers”, which are trusted browsers that won’t require a security code.
  6. Enter your phone details.  
  7. A verification code will be sent to you. Enter the code into the prompt box and your setup is complete.

To receive codes without relying on a mobile service, go back to Login Approvals and click Set up Code Generator. Follow the instructions to install an app that can generate codes.

Google

There are two options for Google’s 2-Step Verification feature: a code sent to the user’s phone, or a Security Key.

For the code:

  1. Go to Google’s 2-Step Verification page and sign in to your account.
  2. Click the Get Started button and follow the next steps.
  3. Choose how to get your code: through text or call.

You can also set up the Google Authenticator app to receive codes when a mobile service isn't available.

For the Security Key:

Instead of using a code, users can just insert the Security Key into the computer’s USB port when prompted. Your computer needs to be running Google Chrome 40 or newer, and you can use any device compliant with the FIDO Universal 2nd Factor (U2F) standard.

  1. Go to Google’s Add Security Key page.
  2. Insert your security key into your USB port and click on Register.
  3. Depending on what type of key you have, complete your registration.

LinkedIn

  1. Hover over your profile photo on your homepage and select Privacy and Settings > Manage.
  2. Click the Privacy header and scroll down to Security to turn on your two-step verification, which requires a mobile number.

Amazon

  1. Log onto Amazon and go to Your Account.
  2. Click Change Account Settings.
  3. Scroll down to Advanced Security Settings > Edit, which directs users to the 2FA start page.
  4. Click on the Get Started button. You’ll be asked to choose the method of receiving codes: Through SMS, or an authenticator app (to generate codes even without mobile service).
  5. Enter the code sent to your mobile device (through a message or the app) to complete the setup.
  6. Click Verify code and continue.
  7. After this setup, Amazon will ask you to either provide a backup phone number (in case connection to the primary phone fails) or download an authenticator app, which will give you codes even without mobile service.

Instagram

  • Open your app and click the Settings tab on your profile
  • Under Account, click on Two-Factor Authentication
  • Switch on Require Security Code
  • Whenever your account is accessed from a new device, you’ll be sent a security code, which will be required to log in

Apple ID

Apple’s two-factor authentication is only available for iCloud users using iOS 9 or OS X El Capitan or later.

  1. Click on the Apple menu and go to System Preferences.
  2. Click on iCloud.
  3. Find the Account Details and click on Security to see the option to turn on two-factor authentication.

For Apple mobile devices:

  1. Go to Settings > iCloud.
  2. Tap on your Apple ID.
  3. Tap Password and Security to turn on two-factor authentication.