Neil Turner's Blog

Blogging about technology and randomness since 2002

Enabling two factor authentication across the web

Photo of the Blizzard Authenticator

Yesterday I talked about what can happen if someone is able to break into your iCloud account, and also the importance of two-factor authentication, which may have thwarted that specific attack had the account owner enabled it on his Google account. I’ve been using two-factor authentication on Google for 18 months, and on my battle.net account for over three years, but since this attack came to light I’ve also enabled it on some other services. Here’s how to do the same yourself.

This post was updated in May 2013 to add more services. The EFF also has a similar but less extensive article on their blog.

Battle.net

Battle.net is Blizzard Entertainment’s online gaming platform, which powers World of Warcraft, Diablo III and Starcraft II – I play two of those three. They’ve supported two-factor authentication for some time now – I myself have had an ‘authenticator’ (pictured) for three years. I paid for it – it was around £6 at the time, I think – because I’d been unemployed for the preceding four months and had spent a large part of that time playing World of Warcraft and didn’t want someone hacking into my account and undoing all of the progress I had made in the game during that time. Back then, accounts being hacked was a major problem that affected several people whom I knew who played the game, so I felt that without the protection of an authenticator it would only be a matter of time before my account was hacked as well. It’s lived alongside my keys ever since, and despite being a bit scratched it still works fine. It goes with me wherever I go, so it’s travelled with me to London, to Edinburgh and even on a plane to France and back.

There is also a free option, if you have a smartphone – an app is available for iPhone/iPod Touch, Android, Windows Mobile and BlackBerry which does the same job. I would have chosen this option if I owned a compatible device at the time, but I didn’t, hence the physical authenticator. If you play any of the aforementioned Blizzard games, I would strongly advise enabling the authenticator (even if it’s just the smartphone app) as not only will it protect your account but will also allow you access to certain parts of the games that other users can’t access – some guilds in World of Warcraft insist that officers have authenticators, or that an authenticator is required for access to the guild bank, for example.

For more information, see the Battle.net Mobile Authenticator FAQ.

Google

Google enabled two-factor authentication for all of its accounts, including those using Google Apps, last year, and I expect the events of last weekend will have seen a big uptake in usage. You can enable it here – in future, when you log in online, you’ll also be asked for a code. This can either be sent to your phone as an SMS message, or you can use the Google Authenticator iOS or Android app for the code.

Note that there are some caveats which I’ll mention later in this article; also, the Google Authenticator app can be used for other third-party services, and for multiple Google accounts.

Facebook

I actually hadn’t realised Facebook had such a feature until I read about it during the fall-out from the Mat Honan hack. To enable it, go to your security settings page, and click ‘Edit’ next to ‘Login approvals’. Then, when you log in, you’ll be prompted for an extra code, which will either be sent via SMS, or the Facebook app on iOS and Android can be used to generate a code. Devices that you have used previously will be remembered, so you won’t have to enter the extra code very often.

Once enabled, I would also click ‘Edit’ next to ‘Active Sessions’ and click ‘End Activity’ by all of the entries. This forcibly logs out any open Facebook sessions on any other computers. You’ll then need to log in again on each of these using your username, password and code.

Like with Google, there is a caveat with third party services – see below.

Yahoo!

Yahoo! has two-factor authentication in beta at present. It works in the same way as Facebook; once enabled, you will be prompted for a code for any new device that needs to access your account. The second factor can either be a code (again, sent by SMS to your phone) or one of your security questions, but you can insist on only using your phone which should be more secure in case the answers to your security questions are obvious. You can enable it here.

Dropbox

Dropbox implemented two-factor authentication following a recent minor security breach. It can either use SMS, or the aforementioned Google Authenticator app. To enable it, log into Dropbox on the web, click on your username in the top-right and select Settings. Next, choose the Security tab, and follow the instructions next to ‘Two-step verification’.

Microsoft

In April 2013, Microsoft began rolling out two-factor authentication for Microsoft Accounts – the thing you use for logging into Outlook.com (formerly Hotmail) and other Microsoft properties. Again, you have a choice of using SMS or an app; the only official app is one for Windows Phone but, amusingly, you can use the Google Authenticator app as well. You can enable it here.

WordPress

Two-factor authentication is possible both on self-hosted WordPress installations, and on WordPress.com. For the former, see the guide I wrote in August 2012, which involves installing a plugin. For the latter, go to your account settings to enable it. Again, Google Authenticator is the preferred method although WordPress.com also supports codes via SMS.

Apple

Apple enabled two-factor verification in March 2013, which is done by SMS or on your Apple mobile device. You will need a device running iOS 6 but no extra software is necessary. Enable it at appleid.apple.com. You will only be asked for it when making changes to your account, such as changing your password, or adding new devices to your account.

App.net

When I first wrote this in August 2013, app.net barely existed, but it has already added two-factor authentication. Like many others here, it uses the Google Authenticator but doesn’t, as yet, offer SMS as a backup.

Twitter

Twitter has been quite late to the game, only enabling two-factor authentication in May 2013. SMS is the only option here, and is enabled by going to your Account Settings and enabling the option called ‘Require a verification code when I sign in’. If you haven’t associated a mobile phone number with your Twitter account, then you will be walked through this; otherwise, Twitter will just send you a text message saying that everything’s okay.

Evernote

Again, Evernote were a bit late to the party, also enabling two-factor authentication at the end of May 2013, although initially only for Premium and Business users. This follows a major security breach in March of that year. Both SMS and the Google Authenticator are available, with SMS the default. SMS appears to use the same system as Yahoo! as the text messages come from the same phone number, in the UK at least. All official Evernote applications support two-factor authentication in their latest versions but some users may need to update, and all users will find that they will need to log into each app again after enabling it.

The problems with two-factor authentication

Now that I’ve told you all to enable it, it’s probably best that I tell you the limitations and caveats – especially for Google, Microsoft, WordPress, and Facebook to a lesser degree. The main issues you’ll encounter are when dealing with third-party services, or accessing your account via something other than a web browser, such as accessing Gmail via IMAP. IMAP doesn’t support two-factor authentication, so you’ll need to create an ‘application specific password’ in your Google account settings. This is a 19 character password that is displayed to you once, for you to use instead of your ‘master’ password. It’s advisable to use a different one for each service that requires it – should that password be compromised, you can revoke it. And that application specific password cannot be used to access your account to change your master password, so an attacker could not lock you out of your account even if he obtained an application specific password. You may think that allowing application specific passwords undermines the security of your account, but trust me, it is better.

Google does plan to alleviate this problem by proposing extensions to the IMAP and XMPP protocols to use OAuth, which would permit two-factor authentication. There hasn’t been much adoption of this so far, however.

The other inconvenience is when logging into services on your mobile device, such as the Google+ iPhone app. You have to enter your username and password, then close the Google+ app, open the Authenticator app, make sure that the code isn’t about to expire (i.e. the circle in the top left isn’t red), then memorise the 6 digit code and then re-open the Google+ app and enter it. It’s a bit of a faff.
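The six-digit code and its expiry come from the time-based one-time password scheme (TOTP, RFC 6238) that the Google Authenticator app implements. The sketch below is an added example, not code from the original post or from any of the services listed; the key is the RFC 6238 test key, and the one-step tolerance in `verify` is an assumption about how a server might be configured.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds each code is valid for
DIGITS = 6   # length of the code shown in the app

def decode_secret(b32: str) -> bytes:
    """Decode the base32 secret that the setup QR code or text key carries."""
    s = b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))

def hotp(key: bytes, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def totp(key: bytes, unix_time: int) -> str:
    """RFC 6238: the counter is the number of 30-second steps since the epoch."""
    return hotp(key, int(unix_time) // STEP)

def seconds_remaining(unix_time: int) -> int:
    """How long the current code has left (what the app's circle shows)."""
    return STEP - int(unix_time) % STEP

def verify(key: bytes, code: str, unix_time: int, drift_steps: int = 1) -> bool:
    """Server side: accept the current step plus a small window either side.

    drift_steps=1 is an assumption for this example; it is why a code typed
    just after it rolled over can still be accepted, and why a stale one is not.
    """
    counter = int(unix_time) // STEP
    for delta in range(-drift_steps, drift_steps + 1):
        if counter + delta < 0:
            continue
        if hmac.compare_digest(hotp(key, counter + delta), code):
            return True
    return False

# Constructed sample: the RFC 6238 test key "12345678901234567890" in base32.
KEY = decode_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")

if __name__ == "__main__":
    now = 59  # RFC 6238 test time, one second before the code changes
    print(totp(KEY, now), "expires in", seconds_remaining(now), "s")
    print("accepted 30 s later:", verify(KEY, totp(KEY, now), now + 30))
    print("accepted 31 s later:", verify(KEY, totp(KEY, now), now + 31))
```

Because both sides derive the code from the shared secret and the clock, nothing is sent to the phone at login, which is why the app works without a signal while SMS codes do not.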

With two-factor authentication, you are sacrificing some ease of access, and you will need to have your phone handy whenever you log in somewhere new. But, it offers a much greater level of security and protection against those who wish to gain access for nefarious purposes.

2 Comments

  1. A problem with two-factor authentication is keeping the device: I’ve had to send my mobile phone back to Samsung due to a power issue – meaning I haven’t got access to my Google Authenticator or Battle.net authenticator. Google does support “backup codes” which I can utilise in the meantime, but Battle.net doesn’t: so I can’t play Warcraft until my phone gets back (or I utilise another phone) and re-enter the authentication details.

  2. Don’t settle for anything less than two-factor authentication. I have two-step authentication on my email and I like the extra security it offers. You just telesign into your account and it’s good to go. I’m hoping that more companies start to offer this awesome functionality. In reality this should be a prerequisite to any system that wants to promote itself as being secure. I feel suspicious when I am not asked to telesign into my account by way of 2FA, it just feels as if they are not offering me enough protection.