How to set up two-factor authentication

Updated on Oct. 10, 2018: Updated instructions for Instagram accounts.

Updated on April 18, 2017: Added instructions for Instagram accounts.

Updated on Nov. 23, 2015: Added instructions for Amazon.com accounts.

When it comes to making it harder for the bad guys to break into your accounts, using a password security technique called two-factor authentication is a good place to start. The good news is that if you have an ATM card, you already use it in the real world. The bad news? Chances are, you’re not using it everywhere online—and the burden of setting it up is on you.

Whenever you withdraw money from an ATM, you’re using two-factor authentication. The concept is based on using at least two out of three pieces of information to access an account: Something you have, such as a bank card; something you know, such as a password or PIN; and something that is part of you, such as a fingerprint.

Security experts have long considered standard passwords risky and two-factor authentication a strong deterrent to account break-ins. “If an attacker gets access to your credentials,” said Mary Landesman, a senior security researcher and password expert at Norse Security, “with two-factor, [he] still can’t get access to your account.”

As with ATM withdrawals, a second authentication step is often enough to block someone from breaking into an online account. Anybody trying to access the account from an unrecognized Internet Protocol address or device—including you—must receive and enter a second, one-time-use access code, in addition to using the standard account password.

“Hackers are still getting in from the first factor. It’s almost not even hacking at that point; you’re just stealing somebody’s password.” — Steve Manzuik, security research director, Duo Security

The additional protection that two-factor authentication can provide from data breaches is increasingly important, said Steve Manzuik, security research director at Duo Security. Some breaches affect tens of millions of people and accounts at a time.

“Hackers are still getting in from the first factor,” he said. “It’s almost not even hacking at that point; you’re just stealing somebody’s password.”

Newer two-factor techniques include preloading authentication on a USB stick or Internet-connected wearable, such that the user simply taps a button or screen to approve account access. Companies ranging from Apple to Yubikey are working to improve the technology’s ease of use.

They have their work cut out for them. Studies from Forrester Research and 451 Research indicate that a majority of U.S. businesses haven’t implemented two-factor authentication and don’t plan to do so in the near future.

The good news is that consumers can activate two-factor authentication for the vast majority of accounts they use today. Below we’ve compiled a list of instructions for major Web services. You can also check this longer list of how to activate two-factor authentication for your favorite government services, banks, and Internet services.

Amazon.com

Given that so many people store their credit card numbers and home addresses with Amazon, it’s shocking that the massive online retailer didn’t introduce its two-factor authentication system until mid-November. But when it comes to proven security you can use, late is better than never.

Amazon’s two-step verification.

To set up two-step verification for your Amazon account, go to the Your Account page after logging in. Scroll down to Settings, and click on Change Account Settings. Next to Advanced Security Settings, select Edit and then Get Started. You can choose to receive a text message every time you want to log on to Amazon, or use a smartphone authenticator app like the one Google provides (see Google instructions below). Whichever you decide to go with, you’ll be asked to verify the device, either through the app or by text message.

Apple

The iPhone maker offers two-factor authentication for its devices through Apple ID, which includes your Apple username and password. The first time you log on to a new Mac, iPhone, or iPad, it may ask you to verify your account by entering in a six-digit code, which it sends to another Apple device or phone number associated with your account. You won’t have to verify your Apple ID again unless you completely wipe the device, log out of your Apple ID, or need to change your password for security reasons. Read the full instructions for Apple ID two-factor authentication.

Apple also offers what it calls two-step verification for Apple ID. It is essentially the same service, used to authenticate users of its software services. Once activated, Apple ID two-step verification will send you a four-digit, one-time-use code to use whenever you sign into iCloud, login at My Apple ID, or buy something from iTunes, iBooks, or the App Store.

To activate two-step verification, go to the My Apple ID management site, select Manage your Apple ID, then Password and Security. You’ll have to answer your personal security questions, then click Continue. Locate Two-Step Verification on-screen and follow the instructions. Here are the full instructions for Apple ID two-step verification.

Dropbox

The online-storage service offers a veritable plethora of options for two-factor authentication to accommodate a variety of business needs, so we’ll cover the basics.

Sign in to the Dropbox website, then go to the Security menu. Under “Two-step verification,” choose Enable, then Get Started. That will prompt you to enter your password again, and you’ll have to choose whether you want to receive your security code by mobile app or text message. Dropbox works with several mobile authentication apps, including Google’s.

Facebook

Protecting your access to the most popular social network in the world is a must. Facebook calls its two-factor process Login Approvals. Unlike Apple and Google, Facebook has built a log-in code generator into its mobile apps, so once you’re set up on the desktop you don’t have to worry about receiving text messages with secret codes. It’s all contained in-app.

To activate two-step verification, go to Facebook’s security settings, and click on Login Approvals. Facebook will confirm your mobile-phone number by sending a verification code to your phone, which you then have to enter on your computer. From your computer, you have the option of activating the Code Generator. See Facebook’s full instructions on Login Approvals.

Google

The search giant’s two-step verification works in a similar way. It sends a one-time-use, four-digit code to your phone that you must be enter before you can access your account, though you also have an option to use the Google Authenticator app. This app, designed for Android and iOS, generates the one-time-code on your phone, without having to wait for the text message to arrive.

To activate two-step verification, sign in to your Google account. Under the Sign-in and Security section, choose Signing in to Google. Then select 2-Step Verification, and follow the instructions on-screen. To use the app for non-Google accounts, go to the app menu, and choose Set Up Account. From there, follow the instructions as each service (such as Amazon or Microsoft) indicates, as they will each vary slightly.

Instagram

Instagram ties its use of two-factor authentication to your phone number. Activating it is straightforward. Tap the Options menu in the upper-right corner of your Account Profile page (it looks like a gear on iPhones or three dots on Android), then look under the “Account” section, and tap “two-factor authentication.”Tap “Require security code,” then follow the instructions. The app will ask for your phone number, which it needs to text you the security code. Once Instagram has texted you the code, type it in, and you’re done.As of October 2018, Instagram supports a two-factor authentication app to generate a one-time code, which is safer than receiving a text message with the code. Go to Settings, Privacy and Security, choose Two-Factor Authentication, then select the Authentication App option. Instagram will scan your device for authentication apps (such as Google’s) already installed on your device. If it doesn’t detect one, it will suggest one for download.

LinkedIn

LinkedIn makes it very easy to switch on two-factor authentication. After you log in, go to your account’s Security settings, and click Turn On under Two-Step Verification. It’s the only option there. You’ll be asked to enter a phone number, which LinkedIn says it will not associate with your account, and you’ll soon receive a text message with the verification code. Type that code into the website, and you’ll have activated two-factor authentication. LinkedIn offers more details here.

Microsoft

To tighten security across multiple Windows and Xbox services at once, you can switch on your Microsoft account’s two-step verification. Go to Microsoft’s Security settings page, scroll down to Two-Step Verification, and choose Set Up Two-Step Verification. Then follow the on-screen instructions.

Some Microsoft services won’t allow you to log in immediately after activating two-step verification. The company recommends that you download its Microsoft Account app for  Android, iPhone, Windows Phone, or BlackBerry, which will create a one-time log-in for those services. After that, you’re home free.

Tumblr

Although Tumblr is now owned by Yahoo, it has a separate two-factor authentication process. At the top of the Tumblr Dashboard, click Account and then Settings. Go to the Security section, and click on “Two-factor authentication.” You’ll have to type in your phone number, then choose whether you want to receive your code via text message or Google’s Authenticator mobile app (see Google instructions above). Enter that code into Tumblr’s website or mobile app when you log in, and you can GIF away.

Twitter

In Twitter land, they call two-step authentication it Login Verification. But it’s a process that should by now be familiar: Enter your phone number, and you’ll be texted a security code.

Sign in to your Twitter account, and go to Settings. Choose “Require a verification code when I sign in,” then “add a phone” if you haven’t. After you’ve turned on Login Verification for Twitter, each time you sign out of and then sign back into the service, it will text you a six-digit code. More detailed instructions are available here.

Yahoo

While it’s important to have the extra protection of two-factor authentication turned on for all your mission-critical accounts, Yahoo’s chaotic mix of media interests, tech services, and legacy accounts makes it especially vulnerable to attack. Fortunately, it’s easy to flip the switch.

Sign into your Yahoo account, then click Security, Two-Step Verification, and follow the instructions. If you haven’t added a phone number to your Yahoo account, it’ll ask you to do so. It’s a step that’s required, since you can’t receive security codes in text messages without it. Similarly to Microsoft, some Yahoo services such as Messenger on Windows, and most Mail apps, will require a one-time “app password” after two-step verification has been activated. You can follow the app password instructions here.