What two-factor authentication (2FA) is - and how to enable it
Simple instructions to activate two-factor authentication on Amazon, Facebook, Apple, Twitter and other popular sites and online services.
Even if you have the most complicated, uncrackable password in the history of passwords (and you don’t), a data breach can lay bare your most precious online information. If your password is your first, last and only line of defense against a cybercriminal intruding into your social media, online shopping or even email accounts, you’re potentially leaving yourself open to some very nasty attacks.
Fortunately, just about every major online service has embraced two-factor authentication (2FA). While the second factor can refer to any number of things — physical USB keys, static passcodes, even phone calls — it generally means a secondary layer of security that you enable on your smartphone.
- The best password managers to keep your accounts safe
- Sign in with Apple: How it works and how to use it
- You're probably doing 2FA wrong: Here's the right way
Here’s how it works: You’ll log into a service with your username and password on your computer, just like you always do. Then, you’ll either receive a notification on your smartphone — sometimes a text message containing a code, sometimes an app asking for verification — or you'll be prompted to plug in a USB security key.
Once you enter the code, approve the login or plug in the key, you can access your account. Dead simple for you; very nearly impossible for a cybercriminal who can’t access your smartphone. You'll need to do this only once for each account on each device you regularly use.
To help you get started, we’ve provided simple instructions for activating 2FA on some of the most popular sites and services online. If you need more information, we’ve included links to more comprehensive tutorials whenever possible.
Two words of warning: First, even if you find 2FA cumbersome, you should still activate it wherever you can. If you don’t, a thief who gets ahold of your password can, and probably will. Recovering your account once it’s locked behind two layers of security that a criminal set up instead of you is not impossible, but it’s an awful lot more difficult than just entering a second code every once in a while.
Second, it's becoming increasingly clear that texted codes aren't the best options for 2FA. That's because it's too easy to intercept codes sent via the regular SMS text-message standard, and too easy for crooks to steal your mobile phone number by having it transferred to their SIM cards.
Sign up to get the BEST of Tom's Guide direct to your inbox.
Get instant access to breaking news, the hottest reviews, great deals and helpful tips.
It's better to use an authenticator app — most major online services support Google Authenticator, and it works on both iOS and Android — or a USB security key, such as those made by Yubico, which cost as little as $20.
Amazon
Amazon’s 2FA system is pretty straightforward. Simply visit the site’s Advanced Security Settings, then selection the option to enable 2FA. You’ll receive a text message with a code. Input the code on your computer screen, and click to confirm.
The only wrinkle is that Amazon requires a backup verification method. You’ll either have to use a secondary phone number for a call or text message, or use an authenticator app, such as Google Authenticator. After a few disclaimers, Amazon will let you turn on 2FA for good.
Apple
If you use an iPhone or iPad, enabling 2FA for your Apple account is positively indispensable. You can’t do it from a website, though; you’ll need to use an iOS or macOS device. On an iPhone or iPad, tap on your Apple ID in the Settings menu. Under Password & Security, there will be a Two-Factor Authentication option. Turn it on, and Apple will walk you through the rest.
On a macOS computer, click on the Apple menu, then System Preferences and iCloud. Click Two-Factor Authentication in the Security menu, and have your smartphone handy. Unfortunately, there’s no way to activate this process from Apple’s website.
MORE: What to Do After a Data Breach
If you use Facebook a lot, a cybercriminal could wreak a surprising amount of havoc by compromising your account. Locking you out of your account, phishing your friends, spreading links to malware — need we go on? To activate 2FA, visit your Security and Login options under Settings. (Click the question mark in the upper-right corner of the screen; it’s near the bottom of the list.) Click Edit next to Use two-factor authentication, then select Turn On.
Facebook will walk you through the rest of the process. Note that you can use a tremendous variety of different 2FA options, including text messaging, in-app approvals or even a physical USB key.
Two-factor authentication on Google isn’t just simple; it’s also versatile. Activating the protocol will protect your Gmail, Drive, Photos — even your Music, Movies and TV.
Visit the Google 2-Step Verification page, enter your username and password, then follow the instructions onscreen. If you have a smartphone with the Google app installed, you can use a screen prompt to log in.
Now, every time you log into Google, you’ll need to tap an approval screen on your phone. Otherwise, you can use the Google Authenticator app or a physical USB security key, or you can have Google text you a code or even call you.
The process is pretty foolproof, but follow our instructions if you get lost.
Twitter’s 2FA protocols are a little old-school, but they’ll get the job done, provided you don’t have a cap on how many text messages you can receive in a given month. Click on your avatar picture in the upper-right corner, then navigate to Settings and Privacy. Click “Set up login verification” and verify your phone number. You’ll then receive a code via text message. Enter the code on your computer, and you’re done.
You can also get a backup code, in case you ever get locked out of your account, or set up 2FA via an app, if you prefer. Just click “Review your login verification methods” under the Security header.
Instagram is one of the few services that doesn’t let you set up 2FA through a website. You’ll have to download the app instead. (The app comes in Android, iOS and Windows flavors, at least.)
Once you’ve linked your phone number, access your Settings (click the icon that looks like the sun in the upper-right), then select Two-Factor Authentication. Select Require Security Code, then confirm that you want to turn it on. Enter the code you get via text, and you’re done.
You can also generate backup codes, which will help you log in, in case you get separated from your smartphone.
Microsoft
Microsoft’s two-factor authentication process could best be described as “confusing,” but if you use an Outlook email address, it’s probably worth taking a few minutes to configure it. Visit the Microsoft security page, then click more security options at the bottom. Look for the Two-step verification header, then turn it on.
Microsoft will ask for your phone number and send you a code to confirm your identity. After that, you’ll can either receive a text message or use an authenticator app, although you’ll never need to use two-step authentication on “trusted” devices — which is arguably a security risk in and of itself. Still, this safeguard is better than nothing.
Your online reputation can be just as important as your personal information. As such, if you’re a frequent Redditor, you should take a few minutes to secure your account. Click on Preferences in the upper-right corner, then choose the password/email tab. Way at the bottom of the screen, you can click to enable 2FA. Reddit will ask you to verify your e-mail address.
After that, you’ll need an authenticator program, such as Google Authenticator, which Reddit will help you set up by scanning a QR code. From now on, you’ll need a code from Google Authenticator every time you want to log into Reddit, which is a small price to pay for account security.
Steam
If you buy games through Steam, a cybercriminal getting ahold of your account would open you up to credit card fraud, among other things. Luckily, 2FA is easy to activate. Download the Steam app on either Android or iOS, then sign in. Tap the menu in the upper left corner, and select Steam Guard. Select Add Authenticator, and the app will walk you through the rest of the process.
You’ll have to enter your phone number, then confirm a code — all standard procedure. Now, every time you log into Steam, you’ll also have to enter a code from the Steam app, so keep your phone handy.
Marshall Honorof is a senior editor for Tom's Guide, overseeing the site's coverage of gaming hardware and software. He comes from a science writing background, having studied paleomammalogy, biological anthropology, and the history of science and technology. After hours, you can find him practicing taekwondo or doing deep dives on classic sci-fi.