In the first part of this article, last month, we learnt what two-factor authentication (TFA) is and what its three types are. Now, let us see how we can activate TFA for various websites and applications.
As secure as TFA is, unfortunately, to date you cannot use it everywhere on the web. However, most websites have recently implemented it, especially banking-sector websites, Gmail, Facebook, Twitter, Dropbox, Microsoft products like Xbox Live and OneDrive, Yahoo! Mail, Amazon Web Services, WordPress, DreamHost, LastPass, and many more.
In March 2013, Apple offered a consumer-oriented two-step authentication service to help customers secure their Apple IDs against hacking. This new feature disallows unauthorised changes to iCloud or iTunes accounts. It also prevents hackers who steal Apple IDs from purchasing digital content or hardware using credit card details stored in the customers’ iTunes and Apple Store accounts. Apple’s web services do not distribute tokens. Instead, they send pass codes (typically as SMSes) to users’ registered mobile phone numbers. Optional TFA sends the pass code to an iOS device (iPhone or iPad) via the Find My iPhone app’s notification feature. Fig. 10, a screenshot from Apple’s TFA tutorial, shows how you can enable TFA for Apple accounts (Apple now offers optional TFA to lock down iTunes, iCloud and Apple Store accounts).
Most users have a lot of data stored in their Google accounts, in services such as Gmail and Google Drive, and will naturally want to secure it by turning on TFA. Figs 11.1 through 11.3 show how to activate TFA for Google accounts.
In May 2013, Twitter introduced TFA to protect user accounts with a more sophisticated login system: a new login-verification feature where a user has to enter a six-digit pass code in addition to the standard password. This pass code (the second level) is requested after the user has successfully entered the user name and password at the first level. To make sure that it is the same user who entered the first credentials, Twitter sends the six-digit pass code via an SMS to the user’s mobile phone. This feature can be activated from the user’s Account Settings page, where he or she can check the box for Require A Verification Code When I Sign-Up. The user then needs to enter his or her mobile phone number to use TFA (Figs 12.1 and 12.2).
TFA for Facebook can be activated under Settings to protect an account (Fig. 13). Once a user has activated TFA successfully, Facebook sends a one-time pass code to his or her mobile phone. By entering the pass code, the user can prove that it is really he or she who is trying to log in.
Microsoft has already added the option of TFA across its many online services, such as Windows 8/RT, Outlook, Skype, OneDrive, Windows Phone and Xbox 360/Xbox LIVE. A user can enable this feature at https://account.live.com/proofs/Manage. With this service enabled, Microsoft stops millions of fraud attempts every day.