Online security: your two-factor authorization checklist

As Twitter gets ready to roll out two-factor authentication, here's a rundown of how other major online services use the security feature.

Twitter reportedly is getting ready to roll out two-factor authentication in the coming weeks--a development that comes not a moment too soon as the company's current security efforts fall short.

Take Tuesday, when the state of Twitter's account security was on full display as hackers took over the Associated Press Twitter account and falsely reported two explosions at the White House. The AP attack came just a few days after Twitter accounts controlled by CBS News--including ones for 60 Minutes, 48 Hours, and a network affiliate station in Denver--were taken over.

The malicious attacks would have been harder, if not impossible, to pull off had these Twitter accounts been protected with two-factor authentication. Wired reports that the feature will roll out to Twitter accounts gradually in the coming weeks.

Two-factor authentication requires you to enter two login tokens before you can access an online account. The first token is your standard password (something you know), while the second is a login code randomly generated by a smartphone app or sent via SMS or email (something you have).

Two-factor authentication is becoming a common security feature for many online services you already use including Dropbox, Facebook, Google, and Microsoft. It may be a little inconvenient to deal with two-factor authentication, but anyone who's lost control of their Facebook or email account can tell you the extra security gain is worth the minor hassle.

Here's a quick look at how two-factor authentication currently works for the major online services you use every day.


Google

The best account to start with if you're new to two-factor authentication is Google, because you can use the Google Authenticator smartphone app to generate random access codes for many other services.

To set it up, visit Google's two-step verification landing page and click the Get Started button on the top right-hand side of the window. Google will then guide you through the process for enabling two-factor authentication, which includes downloading and installing Google Authenticator for smartphone users.

The Google Authenticator app is available for Android, iOS, and BlackBerry 4.5-6.0 devices. If you don't have a smartphone you can still use Google's two-factor authentication by receiving access codes via SMS.

After Google's two-factor authentication is enabled, you will have to reauthorize any other accounts and devices that access your Google account. Using Google Authenticator is pretty straightforward: You sign in to your Google account with your regular password and then you enter a randomly generated verification code created by Google Authenticator.

At sign-in, regular Google accounts can click a check box so that trusted PCs, such as your laptop at home, won't require two-factor authentication every time you log in. Google Apps users can authorize trusted devices for only 30 days at a time.

The problem with Google's two-factor authentication is that some programs--smartphone email clients that access Gmail, for example--don't work with it.

For these apps, you will have to use a randomly generated application-specific password instead of your regular password. These passwords bypass the need for two-factor authentication and can be revoked by you at any time. Application-specific passwords only have to be entered once per service and can be created by signing in to your Google account and clicking here.

Microsoft Account

Microsoft only added two-factor authentication to its online accounts earlier in April.

The easiest way to get started is to log in to your account and visit an account management page.

Select Security Info from the left-hand navigation panel and click on Turn on Two-Step Verification toward the top of the page. Microsoft will then send an SMS to the phone number connected to your account with an approval code to begin using two-factor authentication.

As with Google, you can get your Microsoft login codes via SMS or you can authorize a two-step login smartphone application, including Google Authenticator.

Since we set up Google Authenticator with our Google account, let's use it again for Microsoft.

Start on the Security Info page you were on before and under the Authenticator App heading click Set Up. You will then be shown a QR code that you scan and register with Google Authenticator. Next, you'll have to enter a login token generated by the app to make sure everything is working properly.

Two-factor authentication works with most Microsoft services including SkyDrive and Windows 8 PCs. Similar to other services, you can set devices as favorites so you don't have to use two-factor authentication every time you want to log in to your PC. Some devices, including the Xbox 360, don't support the secure login method. To get around this, Microsoft says it will help you log in to your machine with a unique app password instead.


Dropbox

Sign in to your Dropbox account on the Web and click on the Security tab. One of the first three options on this tab will be Two-Step Verification Disabled. Click on Change to enable Dropbox two-step authentication.

During the authorization process, you can choose to receive verification codes via SMS or you can authorize Google Authenticator to generate random login codes for you. Dropbox also supports other authenticator apps including AWS Virtual MFA and Authenticator for Windows Phone.

For the most part, Dropbox's two-factor authentication is only used when you log in to the service's website from an unknown machine. You will only have to authorize Dropbox desktop apps at installation or after setting up two-factor authentication.

The company's mobile apps require two-factor authentication every time you sign out of the app, which might happen if your tablet or smartphone powers down or reboots.

Check out PCWorld's hands-on with Dropbox two-step verification for a more detailed walkthrough of the process.


Facebook

Facebook doesn't use Google Authenticator for its two-factor authentication, which it calls Login Approvals. Instead, you receive login codes via SMS or you generate them with the Facebook mobile app.

To get started, log in to Facebook and go to the Security tab. Find the heading that says Login Approvals and click Edit on the far right side of the screen. Facebook will then send a security code to your smartphone via SMS to get started with the feature.

If you are ever in an area without cell reception, you can still use Facebook's login approvals via the Facebook mobile app for Android and iOS by opening the left-hand navigation bar and selecting Code Generator under Settings.

Facebook's login approvals work with almost anything that connects to your Facebook account including third-party mobile apps with Facebook logins and the company's own apps.

What other services need this?

Now you're all set up with two-factor authentication for several of the major online services. But there are a ton of services out there also supporting two-factor authentication including major Web hosts such as Dreamhost, Blizzard Entertainment's, and LastPass.

If you're concerned about security, enabling two-factor authentication on these accounts will go a long way to making your online life more secure.

Stories by Ian Paul
