Why Isn’t Two-Factor Authentication Adopted?

In the security realm, two-factor authentication is often seen as a godsend. It proves the authenticity of the person making a request more thoroughly, because it requires not just something a person knows, but also something a person has or is.

We should discuss the “password problem” to better understand the need for two-factor authentication in the first place. Passwords technically prove authenticity because they are “something only you know.” Passwords are paired with usernames, which seems like two unknown things at first, until you realize most usernames are public knowledge, which eliminates them from the “secret” part of the equation. Now, the only part of the equation that is a secret is the password. Passwords could be adequate in a perfect world, where everyone creates strong, long, complex passwords, and never writes them down, but this rarely happens. Oh yeah, they shouldn’t be memorable, either. Are you starting to see the issue with passwords now?

Most passwords are weak, simple, and short. According to a recent article by the Telegraph (a UK-based news site), the top five most common passwords are: “123456,” “password,” “12345678,” “qwerty,” and “12345.” (If any of these are your password, you need to go change your password. Now!) This represents a huge problem in the world of security. Due to dictionary and brute force attacks, these passwords can be guessed in fractions of a second.

In order to increase security across the web a lot of service providers, especially for email, shopping, and banking, have been implementing two-factor authentication. These are services that typically require a higher level of authentication for their users, and for good reason.

But, even with this push towards better security, most people don’t know about two-factor authentication. Even if they do know about two-factor authentication, there are often other aspects that hold them back from enabling it on their accounts. These roadblocks are legitimate and stop people from protecting their accounts with two-factor authentication all the time. To prove that two-factor authentication still has roadblocks to overcome we will visit the process of how to enable two-factor authentication on three major service providers’ platforms and how to make the all-important app-passwords that most client software requires when two-factor authentication is enabled for an account.

Google

Google is “the Internet” for many people. Google allows you to use their service without an account, but having an account enables so many extra features that users want, such as email, documents, photos, personalized search, and messaging–not to mention YouTube. If a person owns an Android phone, a Google account is also required. This is a double-edged sword in and of itself. If someone gains access to a Google account through a weak password, they also gain a lot of control over the owner’s Android phone and complete digital life. That is why we begin with Google, since it is the one account that most people have that has the most control over their entire digital life.

Enabling Two-Factor Authentication

  1. Load Google’s dedicated landing page. You may be asked to log in to your account.
  2. You will be presented with some benefits of enabling two-factor authentication. Just click Getting Started.
  3. Re-verify your account password.
  4. Input your phone number. Select call or text. Click Try it.
  5. Google will call or text you with a token. Type in the token and click Next.
  6. It will then ask you to verify if you want to enable two-factor authentication. Just click Turn on.
  7. You are then presented with a configuration page. I highly recommend setting up a backup device and writing down the backup codes. (I have had to use them before.) You can also set up an alternative authenticator app or create a USB key.
  8. You’re done.

Create App-Passwords

Google already has a pretty good support page on how to generate an app-password, so I will just re-print that below. No need to reinvent the wheel.

  1. Visit Google’s App passwords page. You may be asked to sign in to your Google Account.
  2. At the bottom, click Select app and choose the app you’re using.
  3. Click Select device and choose the device you’re using.
  4. Select Generate.
  5. Follow the instructions to enter the App password (the 16 character code in the yellow bar) on your device.
  6. Select Done.

Yahoo!

Yahoo! is still a hold-out for many people. Often, if someone does not use Google, the odds are good they use Yahoo! for their search and email needs. Yahoo! is where we see a lot of accounts attacked because of its popularity in the early days of the Internet and all of the dormant accounts they still maintain. They also seem to not believe in security the same way Google does, but they do have a help article on how to configure two-factor authentication, albeit a little vague.

Enabling Two-Factor Authentication

  1. Load Yahoo’s Account Information page. You may be asked to log in.
  2. On the left side menu select Account security.
  3. There are multiple configuration items, but slide the switch for Two-step verification.
  4. You will be prompted to input a phone number and select Text or Call.
  5. Input your token and select Verify.
  6. If the token is successfully verified you will be presented with an option to create app-passwords, otherwise you can skip this step.
  7. Done!

Create App-Passwords

  1. Once again, load Yahoo’s Account Information page. You may be asked to log in.
  2. On the left side menu select Account security.
  3. Click Manage app passwords from the list of options.
  4. Click Select your app and click Generate.
  5. Copy your app-password and click Done.

Apple

The reason I chose Apple as the third platform to discuss is due to their sprawling digital footprint, combined with their services. Many people use only Apple products, which comprise a lot of their digital life, just like we discussed about Google earlier. Apple stores contacts, emails, photos, documents, and a lot more nowadays. Enabling two-factor authentication for their services is just as important as Google, if not more important, depending on whether you live in Apple’s walled garden.

Enabling Two-Factor Authentication

Prerequisite: Apple’s two-factor authentication seems to require at least one iOS or OS X device.

iOS

  1. Open the Settings app.
  2. Touch iCloud and then touch your Apple ID.
  3. Touch Password & Security.
  4. Touch Turn on Two-Factor Authentication.

OS X

  1. Click the Apple Menu (top-left).
  2. Click System Preferences.
  3. Click iCloud and then click Account Details.
  4. Click Security.
  5. Turn on Two-Factor Authentication.

Create App-Passwords

  1. Load the Apple Account page. You may be required to log in.
  2. Under Security click Edit.
  3. Under App-specific passwords click Generate Password…
  4. Type in a chosen Label and click Create.
  5. Copy the App-password and click Done.

What are the roadblocks?

Going It Alone

A lot of people are unaware of these help pages or landing pages that I mentioned as the first step of most of these procedures. In the past, when I first started using two-factor authentication on these services, I went in unaware of these pages as well. It was hard to find where to change two-factor authentication settings or where to create app-passwords. In following the help articles, the process is greatly simplified, but this is not the experience most people go through. In order to have more people enable two-factor authentication, services will have to make these features more prominent. As of this writing, these features are buried, compared to other security settings like changing a password. App-passwords tend to be even more hidden, although they are used more often than resetting a password or enabling two-factor authentication altogether. This also speaks more to marketability, which we discuss below.

Misunderstandings

For a lot of people, one of the reasons they do not want to enable two-factor authentication is that they do not fully understand it. This falls back to user education. These services that offer this protection for their accounts need to do a better job of informing the people that use their service of how it works, why they should use it, and even of the drawbacks of using two-factor authentication. In order for someone to make the right decision they need to be fully informed. Then, if they choose not to enable two-factor authentication it is not for a lack of trying to persuade and educate. If the risk has been conveyed clearly, it is then transferred to the user, should they not enable two-factor authentication. That may sound harsh, but it is the truth.

App-Passwords

App-passwords somewhat fall back into the realm of misunderstanding, but they are also a problem unto themselves. For example, a person who never uses client software, such as someone who only uses a banking website, might never encounter an app-password. The main issue with app-passwords is the fact that they exist. This can be mitigated by smart software developers who build a two-factor authentication verification process into the way they add accounts, like Apple does when adding most accounts to their native Mail apps. But, for now, when using older software, app-passwords are a necessary evil.
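A minimal server-side model of that trade-off, added here as an illustration and not taken from Google, Yahoo! or Apple; the `Account` class, its method names, the `token_ok` flag and the lowercase alphabet are assumptions. It shows that an app-password is accepted without the second factor, which is why it is machine-generated, tied to one labelled client and individually revocable.

```python
import hashlib
import hmac
import secrets
import string

class Account:
    """Hypothetical server-side account record (constructed for illustration)."""
    def __init__(self, password: str):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = self._hash(password)
        self.app_passwords = {}  # label -> hash; the plaintext is never stored

    def _hash(self, secret: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), self.salt, 100_000)

    def create_app_password(self, label: str) -> str:
        # 16 random characters, machine-generated (lowercase alphabet is an assumption).
        code = "".join(secrets.choice(string.ascii_lowercase) for _ in range(16))
        self.app_passwords[label] = self._hash(code)
        return code  # displayed once, then pasted into the client

    def revoke_app_password(self, label: str) -> None:
        self.app_passwords.pop(label, None)

    def login(self, secret: str, token_ok: bool = False) -> str:
        # token_ok stands in for "the texted or called token was verified".
        candidate = self._hash(secret)
        if hmac.compare_digest(candidate, self.pw_hash):
            return "full-session" if token_ok else "token-required"
        for label, stored in self.app_passwords.items():
            if hmac.compare_digest(candidate, stored):
                return f"app:{label}"  # accepted with no second factor
        return "denied"

def demo() -> list:
    acct = Account("constructed-account-password")
    code = acct.create_app_password("mail-client")
    results = [
        acct.login("constructed-account-password"),                 # password alone
        acct.login("constructed-account-password", token_ok=True),  # password + token
        acct.login(code),                                           # older mail client
    ]
    acct.revoke_app_password("mail-client")  # revoke only this client's credential
    results.append(acct.login(code))
    return results

if __name__ == "__main__":
    print(demo())
```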

Marketability of Security

Security can be used as a part of marketing. When security is marketed correctly it can also help raise awareness of two-factor authentication. A rising tide lifts all ships. Even if everyone else is “doing it,” it could still be presented to the mass public as a marketing device. Word of mouth is not enough when we are talking about services with hundreds of millions of users, if not billions of users, as in the case of Facebook. Were you aware that Facebook also offers a form of two-factor authentication? If not, do not blame yourself. Blame their marketing. You cannot enable something of which you are not aware.

Conclusion

Two-factor authentication is something that I believe everyone should have enabled. Even though it is a “headache” to use for some, the benefits far outweigh the hurdles that have to be overcome. I also believe that smart software developers can help alleviate the pain associated with using two-factor authentication with client software such as email. With time and innovation, combined with proper marketing, we can make accounts more secure across many different platforms. Most major providers already offer a form of two-factor authentication; you may just have to search for it. It is worth it! My most recent account for which I have enabled two-factor authentication is Amazon.com. I did not know they offered it until just a few months ago. It just goes to show that two-factor authentication, while burdensome and hard to find, is a necessity for the safety of our always-online, digital lifestyles.

 
