clock menu more-arrow no yes mobile

Filed under:

Too Embarrassed to Ask: What Is Two-Factor Authentication and Why Do I Need It?

You should really be using two-factor authentication when you log in to your various online accounts. Here's why.

Dave Clark/Shutterstock

Too Embarrassed to Ask is a Re/code feature in which our reviewers answer any and all of your burning tech questions — including the ones you might be too embarrassed to ask your tech-savvy friends. Today, senior editor Bonnie Cha cracks the code behind two-factor authentication. Don’t worry. It’s not as scary as it sounds.

Given the prevalence of security breaches and Internet fraud these days, you probably know the importance of having strong, unique passwords for all your various online accounts. (And no, 123456 is not a good password.) I’ve reviewed several solutions, like LastPass and 1Password, that can help you with this.

But even if you’re being smart about your passwords, hackers are still finding ways to crack them. There’s one more step you should take to protect yourself, and that’s a process called two-factor authentication.

Two-factor authentication adds an extra layer of security by asking you to provide two forms of identification before you can access your personal information. The first is your usual user ID and password. The second is typically a unique code that is sent to your phone or some other physical device, that you then enter during the second stage of the login process.

Because the second identifier is sent to something that you physically carry with you, it makes it harder for hackers to access your information.

Some companies distribute key fobs, card readers or other physical tokens to their employees that provide one-time passwords to access their accounts. But mobile phone two-factor authentication is becoming an increasingly popular method.

For example, Apple and Yahoo will send PIN codes to your phone via text message when you try to access those respective accounts. There are also apps like Google Authenticator that generate passcodes for other services like WordPress and Google.

Two-factor authentication isn’t a new idea. You may not think of it this way but your ATM card uses a multi-authentication method. The physical card represents one form of identification, and your PIN number is the second. The same idea applies when you use your credit card at the gas pump and you’re asked to enter your billing Zip code.

But there are certainly some pain points that come with two-factor authentication.

If you’re using a key fob or other physical token, it’s another thing you have to carry around and keep track of. For companies, it can also be costly and time-consuming to purchase and distribute the devices.

Two-factor authentication also requires an extra step in the setup and login process. Some services will allow you to save your password for 30 days, or only ask you for a new passcode when you log in from a new machine, but others may require you to to enter a code every time you log in.

Also, two-factor authentication isn’t immune to security threats. Last year, hackers were able to bypass Google’s two-factor authentication. In a separate incident, a system failure allowed hackers to access account information from J.P. Morgan Chase’s servers. There’s also the risk that comes with losing your phone or physical token.

Still, enabling two-factor authentication offers an extra layer of protection, and makes it harder for hackers to access your accounts. I highly recommended you do it. To get you started, here are some links on how to enable it on a few popular services. For a more comprehensive list of sites that do and do not support two-factor authentication, check out Two Factor Auth.

Apple: Apple sends a four-digit code via SMS or Find My iPhone to register your machine as a trusted device. Anytime you try to access your iCloud or iTunes account from a new device, you’ll be required to enter a new four-digit passcode. Instructions on how to enable two-step verification for your Apple ID are here.

Google: Google can send verification codes in several different ways: SMS, voice call, or through its Google Authenticator app. During initial sign-in, you can tell Google to remember your device for 30 days. But a new code is required anytime someone tries to log in from a new machine.

Yahoo Mail: Once two-step authentication is activated, Yahoo will send a passcode via text or voice call. The verification process will only occur whenever you’re logging in from a new computer or mobile device, or if you’ve cleared your browser’s cache.

Facebook: Facebook offers login approvals, which require you to enter a passcode anytime you try to log in from an unrecognized computer or mobile phone. Codes are sent via text message.

Twitter: Twitter will send a verification code via text or as a push notification on iOS and Android devices. The company also provides a backup code, so that in the event that you lose your phone, you can enter the backup code to log in to your account. This isn’t saved anywhere, so be sure to write it down someplace.

Dropbox: Like the others, you’ll receive a code anytime you try to access Dropbox from a new machine. They can be sent via text, or you can use an app like Google Authenticator or Duo Mobile. The company also provides a 16-digit backup code in case you lose your phone or for some reason can’t receive a PIN using the aforementioned methods. Again, write it down somewhere safe.

OneDrive: You can receive codes from Microsoft via text, email or authenticator app. A PIN is only required when you sign in from an untrusted device. Instructions on how to enable two-step verification are available here.

Send us your questions or topic ideas for Too Embarrassed to Ask to Your identity will not be revealed, unless you indicate that you’d like it to be.

This article originally appeared on