Underlying all the articles about Internet security (and naked movie-star pictures), you can hear a single, unspoken theme:
“… and if you’re not careful, this could happen to YOU!”
Actually, it almost certainly won’t happen to you, because you’re not a hot starlet. Yes, online accounts have been hacked, but they were hacked because their owners were attractive targets.
Still, it makes sense to be safe. But how? There’s something else you read all the time:
“Turn on two-factor authentication!”
That advice makes me crazy, for two reasons. First of all, what normal person has any idea what that is? It’s the most user-hostile, intimidating tech term ever invented. “Two-factor authentication” sounds like made-up movie jargon.
Apple and Google call it “two-step verification,” which is one step in the right direction. I vote for “cellphone confirmation.”
Second, two-factor authentication sounds like a royal pain. Bloomberg describes it this way: “After a password is entered, an additional code will be sent to a person’s mobile phone.”
Ugh. Who’d want to have to enter two passwords at every login?
And what happens if you don’t have your phone with you? Or don’t own a cellphone at all?
Just goes to show you how much misinformation and confusion surrounds two-factor authentication.
As it turns out, two-factor or two-step authentication provides a lot of protection against your account getting hacked. No, it wouldn’t have helped Jennifer Lawrence. But it can stop a lot of other hackers from getting into your account, even if they manage to get your password.
How it works
Suppose you fire up a new laptop. The first time you try to log into your existing Gmail account, Yahoo account, or iCloud account, the website sends a text message to your cellphone, containing a code like “02394.” You’re not allowed to access your account from the new laptop without your password and that code. And each code you get sent is only valid for a few minutes at a time.
If you have both your password and this short-term code, the service is twice as sure you are legit, because you know your password, and you have your personal phone (which you have previously registered to your account).
That’s the first beauty of it: A hacker’s computer looks just like a new laptop to the service you’re logging in to. It’s a machine the service (like Google) has never seen before. So unless the hacker also has your cellphone, he won’t get into your account. He’s shut down.
The second beauty of it: You won’t have to mess with the cellphone code again, at least on that new laptop. It’s a one-time thing. In fact, you’ll probably be surprised at how rarely you ever encounter the cellphone code.
Ready? You may as well turn it on right now. It’s a lot of steps, but they’re not difficult — and this is a one-time deal.
The process is a little different for various services, so let’s start with the big one in the news: Apple’s iCloud.
Turn on two-factor authentication for iCloud
Go to iCloud.com and sign in. Click your name in the top-right corner; from the shortcut menu, choose Account Settings. Click your Apple ID (the email address below your photo).
You wind up in a new Web window.
Click Manage your Apple ID. Sign in again.
On the My Apple ID page, click Password and Security.
Answer your security questions. Click Continue. On the Manage Your Security Settings screen, where it says Two-Step Verification, click Get Started. Read the three screens that explain how this will all work.
Finally, click Get Started.
Now it’s time to tell Apple your cellphone number. Click Add a phone number; on the next screen, type in your number. Click Next.
After a minute or two, your phone gets a text message containing a four-digit code. Type it into the box on your computer screen.
Your computer is now a “trusted device” — Apple knows it’s yours.
You can now walk down the list of your iPhones and iPads (if any) in the lower list, verifying each (proving it’s yours). Each time you click Verify, Apple sends another four-digit code to its screen, which you must type into your computer in the waiting boxes.
Once you click Continue, you’re shown a cryptic code like the fake one pictured here. Apple calls it your recovery key; you might call it a “save-my-bacon serial number.”
If you ever lose your phone, you’ll still be able to get into your account using this code. Write it down or print it. Don’t lose it!
Click Print Key if you like, and then click Continue. Now Apple makes you type in the recovery key manually to prove that you’ve got it stored.
On the final screen, Apple explains one more time what’s going to happen:
The deed is done. From now on, whenever you’re using a new computer, phone, or tablet to manage your Apple account (or to make a purchase from one of Apple’s online stores), you’ll have to enter your password and a four-digit code that Apple texts to your verified gadget.
You will have no access to your account without two of these three things:
• your password
• your cellphone
• your recovery key
On the other hand, you’ll never need the old security questions or answers. Nobody will ever ask for them again.
For more information, click here.
Take a break, now. When you’re ready to continue locking things down, move on to enabling two-step verification for other key services:
Turn on two-step verification for Google
Start by clicking here.
Click Get Started. On the next screen, click Start setup.
On the next screen, log in to your Google account. On this screen, enter your cellphone number. (Very cool: Google doesn’t require a cellphone; if you choose Voice Call, you can use a regular landline phone, and a robot voice will tell you the code.)
Click Send code.
After a moment, Google texts a six-digit code to your cellphone (or calls you to speak it). Enter it into this box:
The next screen asks if the computer you’re using right now is yours and private from snoopers. If so, click Next. (If not, turn off Trust this computer and then click Next.)
On the final screen, click Confirm.
Now you have a little problem. In essence, you’ve just disconnected your phone, tablet, and other computers from your Google accounts, as this message now informs you:
Click Reconnect my apps.
Now comes a tedious series of steps that none of these companies ever explain.
Two-step verification works great when you’re accessing a Web page, like Gmail, iCloud, or Yahoo. But when your email app tries to connect to the Internet, well, there’s no Web page involved. There’s no place to type in a cellphone code. How is Google, Apple, or Yahoo supposed to know if you’re really you?
To solve that problem, Google and Yahoo require that you change your email password to one that they provide. They’ll know it’s your email app trying to connect, because they supplied the password.
This password is ridiculously long and complicated—on purpose. These companies are hoping that you won’t write it down, won’t remember it, and won’t re-use it.
Why? Because a huge source of hacks is people like us re-using the same password on multiple online accounts; if the password is ridiculously long, Google and Yahoo doubt you’ll ever re-use them.
Second, if you’re ever “phished” (a hacker sends you a fake email “from Google” asking you to enter your password “to clear up an account problem”), you won’t remember the password! Presto: You’re protected from yourself.
All right, so now you know the reason behind this new-password-for-email-apps step. (Rumor has it that this situation will get easier with iOS 8.) For now, here’s how to go about it.
For each Google app you use (YouTube, Gmail, and so on), for each gadget you use to access it, you have to choose an app name from the first pop-up menu, choose your other gadget’s name from the second, and then recoil at the complicated password now presented to you:
You’re supposed to open Settings on your phone or tablet and replace the existing email-account password with this one. As Google points out, this is a one-time thing. You won’t have to remember this password, so there’s no need to record it anywhere.
Repeat for each app on each gadget. Look forward to the sunrise.
When you’ve set up all your apps on all your gadgets, click Done.
From now on, you won’t be able to log in to your Google account from a new gadget without both your password and the code Google sends to your phone.
(And what if your phone has no service? There’s an app for that — an app that can generate the code when the time comes. Click here for details. This page also lets you print or save some emergency codes that you can use when you don’t even have your phone.)
Wasn’t that fun? Let’s keep going.
Turn on two-factor authentication for Yahoo Mail
Click here and log in.
Click Get Started.
You’re asked for your phone number (or, if one is already on file with Yahoo, a box asks you to confirm that’s the one you want to use).
After a moment, your phone gets a text message from Yahoo bearing a six-digit code. Type it into the box:
And now, once again, you’ve cut off Yahoo Mail access from your phones, tablets, and computers. A new message lets you know that you’ll need a special password for each email app you use. (Read the Google section, above, to find out why this step is necessary. And by the way, it’s not necessary for Yahoo’s own Mail app—only for programs like Apple Mail and Outlook.)
Click Generate password.
On this screen, specify how you want to confirm your identity (for the purpose of generating the email password):
Make your selection; now you get another verification code. Type that into the box and click Submit.
On the next screen, type the name of your phone’s email program (like “iPhone mail”) and click Generate password.
Open your phone’s Mail settings, and, for your Yahoo Mail account, replace the password with the long, complicated one now on your computer screen. (You won’t ever have to type it again.)
If you have other mail apps on other phones or computers, then repeat the last couple of steps.
Your setup is complete. Whenever you try to access Yahoo Mail with a fresh gadget, Yahoo will send you a code to enter as your second verification step.
Here are the links to turn on two-step verification for Facebook, Twitter, Dropbox, LinkedIn, Evernote, PayPal, Steam, and Microsoft Accounts. The steps are similar to the ones you’ve just read.
Clearly, the bad guys are making life less convenient and less satisfying for the good guys. Take pleasure in knowing that the process you’ve just completed will, at the very least, make life a lot less satisfying for them.
You can email David Pogue here.