Many online services offer two-step verification or two-factor authentication. Enable this for an account and it’ll require more than just your password to sign in. You’ll also need something else — and there are many different types of additional authentication methods you can use.
Different services offer different two-step verification methods. But, when you set up two-step verification, you’ll often be able to choose between a few different methods. Here’s how they work and how they differ.
SMS Verification
Many services allow you to sign up to receive an SMS message whenever you log into your account. That SMS message will contain a short one-time-use code you’ll have to enter. With this system, your cell phone is used as the second authentication method. Someone can’t just get into your account if they have your password — they need your password and access to your phone or its SMS messages.
This is convenient, as you don’t need to do anything special and most people have cell phones. Some services will even dial a phone number and have an automated system speak a code, allowing you to use this with a landline phone number that can’t receive text messages.
However, this ties authentication to the cellular network. If you’re somewhere without a signal, for example, you won’t be able to receive those messages.
Google Authenticator/App-Generated Codes
There are also apps that can generate temporary codes. The most popular, widely known app that does this is Google Authenticator, which Google makes for Android and iPhone. Install the app, scan the QR code the service shows you when you enable two-step verification, and the app will generate new codes every 30 seconds or so. You’ll have to enter the current code displayed in the app on your phone as well as your password when you log into an account.
While Google Authenticator is popular, other apps are also available. For example, Authy does a very good job of this, complete with encrypted backups of your codes that make it easier to move between phones. Despite the name, these apps use an open standard. It’s possible to add Microsoft accounts to the Google Authenticator app.
This is nice because it works even if you don’t have a cellular signal — the app will continue to generate time-specific codes, even without an Internet connection. However, it’s a bit more complicated for the average person to set up.
Some services — for example, Blizzard’s Battle.net Authenticator — also have their own dedicated code-generating apps.
Physical Authentication Keys
Physical authentication keys are another option that’s just now becoming more popular. Big companies are creating a standard known as U2F, and it’s already possible to use a physical U2F token to secure your Google, Dropbox and GitHub accounts. This is just a small USB device you put on your keychain. Whenever you want to log into your account from a new computer, you’ll have to insert the USB key and/or press a button on it. That’s it — no typing codes. In the future, these devices should work with NFC and Bluetooth for communicating with mobile devices without USB ports.
This solution works better than SMS verification and one-time-use codes because the login can’t be intercepted and replayed. For example, a phishing site could show you a fake Google login page and capture your one-time-use code when you attempt to log in, then use that code to log into Google itself. But with a physical authentication key that works in concert with your browser, the browser can ensure it’s communicating with the real website, so there is no code for an attacker to capture. It’s also just simpler and more convenient to use.
Expect to see a lot more of these in the future.
App-Based Verification
Some mobile apps may provide two-step verification using the app itself. For example, Twitter’s mobile app allows you to enable “login verification.” Whenever you attempt to log into Twitter from another computer or device, you’ll have to verify that login attempt from the mobile app on your phone. Twitter is checking to ensure you have access to your phone before you attempt to log in.
Apple’s two-step verification works similarly, although it doesn’t use an app — it uses iOS itself. Whenever you attempt to log in from a new device, you can receive a one-time-use code sent to a registered device, like your iPhone or iPad.
Email-Based Systems
Other services rely on your email account to authenticate you. For example, if you enable Steam Guard, whenever you attempt to log into Steam from a new computer, you’ll have to enter a one-time-use code sent to your email account. This at least ensures an attacker would need both your Steam account password and access to your email account to gain access to that account.
Recovery Codes
Recovery codes provide a safety net in case you lose the two-step verification method. When you set up two-step verification, you’ll usually be provided with recovery codes you should write down and store somewhere safe. You’ll need them if you ever lose your two-step verification method.
Be sure you have a copy of your recovery codes somewhere if you’re using two-step authentication.
No service provides this many options itself. However, many services do offer multiple two-step verification methods you can pick from.
There’s also the option of using multiple two-step verification methods. For example, if you set up both SMS verification and a physical security key, you could gain access to your account via an SMS message if you ever lost the security key.
Written by Chris Hoffman for How To Geek