SEARCH

How-To Geek

Secure Yourself by Using Two-Step Verification on These 16 Web Services

2012-06-19_124752

Two-factor authentication, also known as 2-step verification, provides additional security for your online accounts. Even if someone discovers your password, they’ll need a special one-time code to log in after you enable two-factor authentication on these services.

Notably absent from this list are banks and other financial institutions. It’s a shame that you can use two-factor authentication to protect your in-game currency in an MMORPG, but not the real money in your bank account.

Google / Gmail

Google offers two-factor authentication that secures your Google account, including your Gmail, files in your Google Drive, and everything else. You can use the Google Authenticator app on your smartphone or get login codes via SMS message. We’ve covered enabling two-factor authentication for Google accounts before.

You can even use Google Authenticator apps on your computer without a smartphone, although it’s more secure to do so on a separate device.

image

Facebook

Facebook’s “Login Approvals” feature requires you to enter a code whenever you login from an unrecognized computer. The code will be sent  to your mobile phone via SMS. Facebook offers instructions on setting this up.

LastPass

LastPass offers a number of different two-factor authentication options to secure your account. You can use the Google Authenticator app, which is free for everyone. LastPass Premium subscribers can purchase a physical YubiKey token and use other options to secure their password database.

For more information, read our guide to setting up two-factor authentication in LastPass. We’ve also got a list of 11 ways to make your LastPass account even more secure.

Dropbox & SpiderOak

Dropbox now offers 2-step verification using the Google Authenticator app. When you log in from a computer you haven’t trusted, you’ll have to enter a security code generated by the app. Enabling this feature is one of the 6 ways to secure your Dropbox account.

dropbox-security-code-header

Google Drive offers two-factor authentication through your Google account, while Microsoft’s SkyDrive also offers some two-factor authentication support.

SpiderOak, a Dropbox-like cloud storage service, also offers 2-factor authentication.

Microsoft

Microsoft offers some rudimentary two-factor authentication. It’s available when you access billing.microsoft.com, xbox.com, and SkyDrive. When you access another service with your Microsoft account – such as Outlook.com or Hotmail – you won’t be prompted for a security code. Read more about Microsoft account security codes here.

Yahoo! Mail

Yahoo! offers two-step verification, but only for your email. When using this feature, you’ll have to enter a code sent to your mobile phone via SMS or enter the answer to your account security question to log in. Make sure your account security question is unguessable if you use this feature – as usual, security questions are a weak link. Read more about enabling and using Yahoo!’s “Second sign-in verification” feature here.

Amazon Web Services (AWS)

Amazon offers multi-factor authentication via its AWS Virtual MFA app or Google Authenticator. This is only for AWS services, such as Amazon S3’s storage service, not for the average consumer’s Amazon account. Get started with it here.

Battle.net & MMORPGs

Massively multiplayer online role-playing games (MMORPGs) have been at the forefront of offering two-factor authentication to prevent account thefts and in-game items and currency from being sold. Blizzard offers a Battle.net Authenticator app that secures access to your World of Warcraft, Diablo 3, and Starcraft 2 logins.

Many other MMORPGs also offer two-factor authentication. For example, if you play Guild Wars 2 or Star Wars: The Old Republic, each offers two-factor authentication systems for you. Read more about enabling it for Guild Wars 2 or SWTOR.

battle.net-mobile-authenticator

Your Website

If you host your own website, you can install a WordPress plugin or Drupal module that enables two-step authentication with the Google Authenticator app. DreamHost accounts also offer multifactor authentication with Google Authenticator, as does the CloudFlare service.

Your Linux Server

You can implement two-factor authentication on your own Linux server to increase its security. We’ve covered using the Google Authenticator PAM module to add two-step authentication to your SSH server. All the number-crunching happens on your own server; no phoning home required.

google-authenticator-ssh-header


Do you use two-factor authentication for another service? Leave a comment and let us know about it.

Chris Hoffman is a technology writer and all-around computer geek. He's as at home using the Linux terminal as he is digging into the Windows registry. Connect with him on Google+.

  • Published 12/12/12

Comments (24)

  1. Alessandra

    Thanks. Very useful hints!

  2. Brent

    PayPal as well offers 2 step.

  3. Ken

    Note, My CU has manditorily implemented this 2 step verification. As inconvenient as it is for me, I do appreciate how much more it is to “the bad guys.”

  4. Bowser

    Thanks for the article. We ALL need to be more proactive about our personal account security. In this day and age we need to take responsibility of our info. If you don’t trust the site don’t use it. We have heard a million times don’t use the same passwords, back-up you info, then there is two-factor authentication. But the sad fact is there are millions of people who are not taking advantage of this awesome functionality that is being offered to them by several sites. I really hope this serves as a wake-up call to companies and individuals alike, for the need to kick this complacent attitude about authentication and passwords. Take advantage of the 2FA which allows us to telesign into our accounts. I know some will claim this make things more complicated, but the slight inconvenience each time you log in is worth the confidence of knowing your info is secure. This should be a prerequisite to any system that wants to promote itself as being secure.

  5. David

    Almost all financial institutions I’ve met in the UK from banks to stocks & shares use some form of two-stage (two page) login, requiring selected variable characters from a password.

    And there’s only one well-known commercial password filler that can help with this..none of the others are useful, alas.

  6. Sara

    Before you breathe a sigh of relief in the knowledge that your online items will be more secure, you should read this article, because it’s still very possible for hackers to get around this authentication:

    http://www.wired.com/gadgetlab/2012/11/ff-mat-honan-password-hacker/

  7. Lisa

    However, because I value my privacy, I don’t want to give Google my phone number. Why won’t Google offer another way? LastPass offers grid authentication, which is pretty cool.

  8. steven

    Suggest more research. There is at least one bank that offers quadruple verification: User name, password, do-you-recognize-this-picture, and one-time code to either email or txt.

  9. john3347

    Lisa, you are being foolish with your statement here. If you have ever typed your phone number on your keyboard to ANYONE, it is very likely that Google already has your phone number. If you have ever “Googled” anything or have any Google account, they have personal information on you that maybe you don’t even know. When Google sells that information, that is the source of the spam that you get in your email as well as other “bad things”. Google is NOT your friend. If you have a Google account, failing to “give Google your phone number” is false security. Google already has your phone number.

  10. Connie

    Good information. Thank you!

  11. Scott

    I’ll second others’ comments about banks. HSBC and many other UK banks have 2-step verification. In fact HSBC have just enforced it for all accounts.

    @Steven, that’s only 3-factor, not 4 ;)

  12. Dale Bailey

    My Bank has just started this option. If you want too .

  13. Dave

    My one bank, here in Australia, has compulsory 2 step authentication for all (new)transfers or when setting up an account to transfer to (SMS). Interesting, though once several transfers have been made to a particular party, this seems to fall away?? Another (one of my credit cards) requires that the merchant redirect you to a bank URL where you enter your bank password and are then transferred back to the merchant’s site to complete your purchase. I am not very technical so I’d appreciate some comments, from many of you who are, particularly on the latter – thanks

  14. Johann

    @Lisa,

    You don’t have to give Google your phone number for 2-factor authentication. You can just use their app which generates the time-based code (like the RSA tokens do) for you. Nothing needs to be sent to a phone.

  15. John Smith

    Did yahoo discontinue their two step verification services?
    I see the following trying to turn it on my account.

    Second sign-in verification setup: Add mobile phone
    Oops! It looks like our servers are taking a break. Please try again later.

    I saw that few weeks earlier and thought that they had an outage.

  16. pohsibkcir

    It would be great if it worked and in most cases it does. But, Yahoo is the most hacked corporation, that any other business associated with them is just as vulnerable … Including mobile phone services.. Captchas would work IF they were intelligible. Mobile phones are over used as it is. We have two decades of text messaging influence that has allowed most 1st & 2nd World Nations to pass us in education.

    The best way to deal with security would be a Biometric App for your Smart Phone, linked by WiFi on a secure network … I bet there’s a friggin’ app for it … someplace, :P

  17. kevin

    The best way to keep your bank accounts safe is to stop using online banking you bunch of lazzy idiots the only way to keep your details safe is face to face banking i did see one bank offering to but your fav photo on your bank card think they are selling it very short should offer only your photo on the front so whrn you pay your pic is in front of the person your are paying

  18. Roland

    @Kevin,

    Before bashing/insulting people you don’t even know, perhaps you should quit being “lazzy” and go back to school. When an insult is poorly spelled and the sentence structure is nonsensical,it just becomes laughable.

    Face to face banking will become a thing of the past. The USPS is struggling to stay afloat and many institutions require electronic payments. We aren’t being lazy, we’re being efficient. And quite frankly some of the hoops one has to jump through for online security is a lot of work!

  19. Joel

    I don’t know about other banks, but my Savings and Loan uses two-step verification. At first I didn’t appreciate the extra step involved, but have grown to realize the extra security it provides.

  20. Joel

    @Kevin….I guess you must have missed English 101. Before you bash other people, learn how to spell and proper sentence structure. I guess You are the one that has been “LAZZY”….what kind of word is that? Idiot.

  21. Carver

    Thanks for this write up.

    GoDaddy.com also has a 2-step verification.

  22. ReadandShare

    I probably shouldn’t be disclosing this, but I don’t use cell phones. Oh, I have one, but it’s always in the car — in case of emergency — and I charge it up once every two months or so.

    Two-factor that involves cell phones won’t work for me. I prefer using strong passwords, and extra precautions like picture recognition to ensure legitimate page.

    Fool proof? No, but not a single mishap for me, and I’ve been using online banking and purchases for years now. Incidentally, old-fashioned branch banking has its risks too.

    Practice common-sense care, and I would worry beyond that.

  23. web

    one missing, steam guard(for steam), sends you a verify code to your mail, don’t leave home without it.

  24. Troik

    Yes Paypal is notable missing from that list.

    I use 2-step-athentification everywhere I can get it, but sadly most mail services don’t offer it yet, which is a crying shame because many services use your mailaccount to check if you are really you, e.g. when you click on “forgot password”, so if your mail-account gets compromised, you loose everything. Hope this is coming soon for more services (Gmail of course has it)

Get Free Articles in Your Inbox!

Join 134,000 newsletter readers

Email:

Go check your email!