Hari Om Prakash is working as a scientist at Systems Engineering Group, ADRIN, Department of Space


In the first part of this article, last month, we learnt what two-factor authentication (TFA) is and its three types. Now, let us see how we can activate TFA for various websites and applications.

As secure as TFA is, you unfortunately cannot yet use it everywhere on the web. However, most websites have recently implemented it, especially banking-sector websites, Gmail, Facebook, Twitter, Dropbox, Microsoft products like Xbox Live and OneDrive, Yahoo! Mail, Amazon web services, WordPress, DreamHost, LastPass and many more.

Fig. 10: Two-step verification for an Apple ID (Credit: Apple)
Fig. 11.1: Two-step verification for a Google account (Credit: Google/Gmail)
Fig. 11.2: Step 1 in two-step verification for a Google account (Credit: Google/Gmail)

Apple 


In March 2013, Apple offered a consumer-oriented two-step authentication service to help customers secure their Apple IDs against hacking. This new feature disallows unauthorised changes to iCloud or iTunes accounts. It also disallows hackers, who steal Apple IDs, from purchasing digital content or hardware using credit card details stored in the customers’ iTunes and Apple Store accounts. Apple’s web services do not distribute tokens. Instead, they send pass codes (typically as SMSes) to users’ registered mobile phone numbers. Optional TFA sends the pass code to an iOS device (iPhone or iPad) via Find My iPhone app’s notification feature. Fig. 10 shows how you can enable TFA for Apple accounts—a screenshot from Apple’s TFA tutorial (Apple now offers optional TFA to lock-down iTunes, iCloud and Apple Store accounts).

Google/Gmail
Most users have a lot of data stored in their Google accounts, such as in Gmail and Google Drive, and would obviously want to secure it by turning on TFA. Figs 11.1 through 11.3 show how to activate TFA for Google accounts.

Fig. 11.3: Step 2 in two-step verification for a Google account (Credit: Google/Gmail)
Fig. 12.1: Two-step authentication for a Twitter account (Credit: Twitter)

Twitter

Fig. 12.2: Twitter sends a one-time password to the user’s mobile number (Credit: Twitter)

In May 2013, Twitter introduced TFA to protect user accounts with a more sophisticated log-in system—a new login-verification feature where a user has to enter a six-digit pass code, in addition to the standard password. This pass code (second level) is used after a user has successfully entered the user name and password in the first level. To make sure that it is the same user who entered the first credentials, Twitter sends a six-digit pass code via an SMS to the user’s mobile phone. This feature can be activated from the user’s Account Settings page, where he or she can check the box for Require A Verification Code When I Sign-Up. The user then needs to enter his or her mobile phone number to use TFA (Figs 12.1 and 12.2).

Fig. 13: Two-step authentication for a Facebook account (Credit: Facebook)
Fig. 14.1: Activation of TFA for Microsoft’s online services: Outlook, Skype and Xbox (Credit: Microsoft)
Fig. 14.2: Security code received on Windows phone (Credit: Microsoft/Windows Phone)

Facebook

Fig. 14.3: E-mail client Microsoft Outlook (Credit: Microsoft Outlook)

TFA for Facebook can be activated under Settings to protect an account (Fig. 13). If a user has activated TFA successfully, Facebook sends a one-time pass code to his or her mobile phone. By entering the pass code, the user can prove that it is really he or she who is trying to log in.

Microsoft
Microsoft has already added the option of TFA across its many online services, such as Windows 8/RT, Outlook, Skype, OneDrive, Windows phone and Xbox 360/Xbox LIVE. A user can enable this feature at https://account.live.com/proofs/Manage. After enabling this service, Microsoft stops millions of fraud attempts every day.

Fig. 14.1 shows how to activate TFA for Microsoft accounts.

There are two ways in which TFA can rear its head: a security code or an app password. If you have enabled TFA, then after logging in with your Microsoft account credentials (user name and password), you might be prompted to enter a security code or an app password. A security code is needed if you are using a trusted PC to sign in to Windows 8 with a Microsoft account. Microsoft will send an SMS that contains the pass code to your mobile phone (Fig. 14.2). You must enter this pass code on the website or in Windows.

Fig. 14.4: Activating TFA for a Microsoft account (Credit: Microsoft)
Fig. 14.5: Pairing an authenticator app with a Microsoft account (Credit: Microsoft)
Fig. 14.6: Logging into the account with a secret key (Credit: Microsoft)

An app password is needed for those apps or devices that do not work with the security code system. For example, for Microsoft Outlook 2013 (Fig. 14.3), if you had previously configured Outlook for Hotmail or Outlook.com and then configured the underlying Microsoft account, the next time you use the application, you will be prompted to enter your credentials again. And you will need an app password because your normal password will not work.

You can get an app password in the security info section (https://account.live.com/proofs/Manage) on the Microsoft account management website (https://account.live.com/) as shown in Fig. 14.4. Just click on Create A New App Password under App password. When you do that, you will be provided with an app password that you can type (or copy and paste) into the application.

Microsoft provides a mobile app called Authenticator that can generate these codes even where there is no network coverage (offline mode).

In the Authenticator app on a Windows phone, click on Add (+) App to add your account. Then, click Scan. The app will quickly scan the QR code, which is shown at step 3 in Fig. 14.5. Now, click Pair to complete the process. The app will generate a new pass code automatically every 30 seconds. If you ever need to use a code to sign in to your Microsoft account and the phone is offline, you can use this app to get the code.

Fig. 15: Enabling two-step verification for a Dropbox account (Credit: Dropbox)
Fig. 16: Enabling two-step verification for a Yahoo! account (Credit: Yahoo!)
Fig. 17: Enabling two-step verification for an Amazon account (Credit: Amazon)

Dropbox
Dropbox is a great source for storing data and sharing information across the Internet. An extra layer of security can be activated in Dropbox security settings, where a user has to register his or her mobile phone number to do so (Fig. 15).

Fig. 18.1: Two-step verification for a WordPress account (Credit: WordPress)
Fig. 18.2: Two-step verification for a WordPress account (Credit: WordPress)

Yahoo!


Most of the popular mail websites, such as Yahoo! and Gmail, have already integrated TFA for accessing user accounts and their mailboxes. You can enable TFA in Yahoo! Mail by simply selecting Check This Box To Turn-On The Second Sign-In Verification as shown in Fig. 16. Once this is done, you can register your mobile phone number to get further pass codes from Yahoo! during the login process.

Amazon web services
If you use Amazon’s web services, such as Amazon S3 or Glacier storage, you can protect your accounts by enabling TFA via Google’s Authenticator app for Android, iOS, Windows Phone and BlackBerry (Fig. 17). This app can be downloaded on a mobile to access Amazon services securely.

WordPress
If you are a blogger and do not want anyone getting unauthorised access to your account, the WordPress blogger website provides an extra layer of security. It also supports Google Authenticator app for Android, iOS, Windows Phone and BlackBerry. This feature can be activated in WordPress account settings as shown in Figs. 18.1 and 18.2.

In the concluding part of this article, next month, we will see how much TFA costs, along with an exhaustive list of the various tokens/services available.

To be concluded next month
