How to Set Up Two-Factor Authentication

Keep your accounts secure with an extra login step.


No matter how secure your password is—even if you have a long, complex one created by a password manager—it is still a single point of failure. An attacker could crack it, steal it, or change it.

But take heart! To greatly improve the security of your login process, you can turn to multifactor authentication. It’s basically an extra security step—one more factor—that comes after entering your username and password. You may have encountered a version when, say, your bank or credit card company asks security questions (“Who was your third-grade teacher?”). Depending on the system, there may be multiple extra steps. Swipe a card. Scan your retina. Speak a phrase. All of these plus more.

But the second step that you’re most likely to encounter is a request to enter a numeric code.

Here’s what it looks like to use two-factor authentication in Gmail. You enter your username and password like always. Then, instead of being logged in, you get a screen asking for another code.

You get the verification code from an authentication-generating tool that’s connected to your account. Some sites send you the code via text. Some organizations issue people a keychain USB device (security key) with a little display that shows a code that changes frequently. Others use apps that run on your mobile device. Google Authenticator is very popular and is available for most mobile devices. Take this example:

You launch the authenticator app on your phone, and it shows a number like this:

Enter that code in the Gmail window, and you’re in. This is more secure than just using a password because the code changes every 30 seconds. That little Pac-Man–looking thing to the lower right of the code is actually a countdown timer. If hackers were to intercept a code you submitted, it would be no good to them at a later time. (That’s why I don’t feel nervous about showing an actual screenshot from the Authenticator app.) To get a valid code, they would need to physically steal your phone.

Now that you know what it is and how it works, the question is how to turn it on. This will vary from account to account, but it’s usually in a similar place. Go to your account settings and find the spot for security. It’s often near where you would change your password. If your service offers two-factor authentication, you will probably find it there. Here are links to the spot you can get it on popular sites:

If you turn on two-factor authentication and choose to receive your code via text, you will simply need to verify your phone number. Then, you will receive a text message from the service with your code every time you log in. If you use an app to generate codes, you need to link the app to your account. This is easy. When you turn on two-factor authentication and indicate you want to use an app, the site will show you a QR code. (I munged up this QR code and secret key so they aren’t actually usable.)

While that is on your computer screen, launch your authenticator app and click the button to add a new account. Then click the option to scan the barcode. Point your camera at the screen to scan the code, and you’re done. Your authenticator will instantly be set up to provide codes for that account

The benefit of using an authenticator app is that you have codes for all your accounts in the same place. And while it might seem like a pain to use two-factor authentication, you will find you rarely need to get those codes. Most people stay logged in to their accounts on the devices they use most often, so it is only an occasional nuisance.

The downsides: You have to have your phone or mobile device with you when you do log in. I admit to getting unreasonably frustrated when I’m just trying to log in to a different computer to get an urgent email and my phone is in the other room. Plus, if your phone is broken or offline for some reason, you can be stuck.

Fortunately, there is a backup plan for just that kind of situation. These services will all give you a list of one-time use codes that you can print out. I keep a photo of that on my phone in case I need to log in when my phone isn’t online (like when I’m overseas) and also keep a printout in my computer bag.

Overall, you get a lot more security for a little bit of effort. And when news breaks of the next massive password hack, you can smugly relax, knowing your password is useless without the second factor you have set up.

This article is part of the cybersecurity self-defense installment of Futurography, a series in which Future Tense introduces readers to the technologies that will define tomorrow. Each month, we’ll choose a new technology and break it down. Future Tense is a collaboration among Arizona State University, New America, and Slate.