GitHub will require all code contributors to use two-factor authentication

GitHub, the code hosting platform used by tens of millions of software developers around the world, announced today that all users who upload code to the site will need to enable one or more forms of two-factor authentication (2FA) by the end of 2023 in order to continue using the platform.

The new policy was announced Wednesday in a blog post by GitHub’s chief security officer (CSO) Mike Hanley, which highlighted the Microsoft-owned platform’s role in protecting the integrity of the software development process in the face of threats created by bad actors taking over developers’ accounts.

“The software supply chain starts with the developer,” Hanley wrote. “Developer accounts are frequent targets for social engineering and account takeover, and protecting developers from these types of attacks is the first and most critical step toward securing the supply chain.”

Even though multi-factor authentication provides significant additional protection to online accounts, GitHub’s internal research shows that only around 16.5 percent of active users (roughly one in six) currently enable the enhanced security measures on their accounts — a surprisingly low figure given that the platform’s user base should be aware of the risks of password-only protection.

By steering these users towards a higher minimum standard of account protection, GitHub hopes to boost the overall security of the software development community as a whole, Hanley told The Verge.

“GitHub is in a unique position here, just by virtue of the vast majority of open source and creator communities living on, that we can have a significant positive impact on the security of the overall ecosystem by raising the bar from a security hygiene perspective,” Hanley said. “We feel like it’s really one of the best ecosystem-wide benefits that we can provide, and we’re committed to making sure that we work through any of the challenges or obstacles to making sure that there’s successful adoption.”

GitHub has already established a precedent for the mandatory use of 2FA with a smaller subset of platform users, having trialled it with contributors to popular JavaScript libraries distributed through the package management software NPM. Since widely used NPM packages can be downloaded millions of times per week, they make a very attractive target for malware gangs. In some cases, hackers compromised NPM contributor accounts and used them to publish software updates that installed password stealers and crypto miners.

In response, GitHub made two-factor authentication mandatory for the maintainers of the 100 most popular NPM packages as of February 2022. The company plans to extend the same requirements to contributors to the top 500 packages by the end of May.

Insights from this smaller trial will be used to smooth out the process of rolling out 2FA across the platform, Hanley said. “I think we have a great benefit of the fact that we’ve already done this now on NPM,” he said. “We have learned a lot from that experience, in terms of feedback we’ve gotten from developers and creator communities that we’ve talked to, and we had a very active dialog about what good [practice] looks like with them.”

Broadly speaking, this means setting a long lead time for making the use of 2FA mandatory site-wide, and designing a range of onboarding flows to nudge users towards adoption well before the 2024 deadline, Hanley said.

Securing open-source software is still a pressing concern for the software industry, particularly after last year’s log4j vulnerability. But while GitHub’s new policy will mitigate against some threats, systemic challenges remain: many open source software projects are still maintained by unpaid volunteers, and closing the funding gap has been seen as a major problem for the tech industry as a whole.

Repost: Original Source and Author Link


How to use your phone as a two-factor authentication security key

If you want to verify your Google login and make it harder to access by anyone but yourself (always a good idea), one way is to use your iPhone or Android smartphone as a physical security key. While you can set up a third-party 2FA app such as Authy or even use Google’s own Authenticator, these require that you enter both your password and a code generated by the app. Google’s built-in security allows you to access your account by just hitting “Yes” or pressing your volume button after a pop-up appears on your phone. You can also use your phone as a secondary security key.

Use your phone to sign in

To set this up, your computer should be running a current version of Windows 10, iOS, macOS, or Chrome OS. Before you start, make sure that your phone is running Android 7 or later and that it has Bluetooth turned on.

  • While it’s unlikely you have an Android phone that doesn’t have a Google account associated with it, if you’re one of the few, you need to add a Google account to your phone by heading into Settings > Passwords & accounts, scroll down to and select Add account > Google
  • Once that’s done, open a Google Chrome browser on your computer
  • Head into on Chrome and click on Use your phone to sign in

  • Enter your account password. You’ll be asked to satisfy three steps: choose a phone (if you have more than one), make sure you have either Touch ID (for an iPhone) or a screen lock (for an Android), and add a recovery phone number.

You’ll be asked to satisfy three steps.

You’ll be asked to satisfy three steps.

You’ll then be run through a test of the system and invited to turn it on permanently.

Use your phone as a secondary security key

You can also use your phone as a secondary security key to ensure that it is indeed you who are signing into your account. In other words, to get into the account, it will be necessary to be carrying the correct phone with a Bluetooth connection.

  • If you don’t have two-step verification set up yet, go back to your account security page, click on 2-Step Verification and follow the instructions. The TL;DR is that you’ll need to log in, enter a phone number, and select what secondary methods of verification you’d like.
  • Scroll down the list of secondary methods and select Add security key.
  • And again, select Add security key.

You can choose your phone, a USB drive or an NFC key to act as a security key.

You can choose your phone, a USB drive or an NFC key to act as a security key.

  • You’ll be given the choice of adding your phone (or one of your phones, if you have more than one) or a physical USB or NFC key. Select your phone.
  • You’ll get a warning that you need to keep Bluetooth on and that you can only sign in using a supported browser (Google Chrome or Microsoft Edge).

That’s it! You’ve set up your phone as a security key and can now log in to Gmail, Google Cloud, and other Google services and use your phone as the primary or secondary method of verification.

When you sign in to your Google account, your phone will ask you to confirm the sign-in.

When you sign in to your Google account, your phone will ask you to confirm the sign-in.

Your phone will then confirm your ID with your computer using Bluetooth.

Your phone will then confirm your ID with your computer using Bluetooth.

Just make sure your phone is in close proximity to your computer whenever you’re trying to log in. Your computer will then tell you that your phone is displaying a prompt. Follow the directions to verify your login, and you’re all set!

Update March 29th, 2021, 11:20AM ET: This article was originally published on April 12th, 2019, and has been updated to account for changes in the Google interface.

Repost: Original Source and Author Link


Google is about to turn on two-factor authentication by default for millions of users

In May, Google announced plans to enable two-factor authentication (or two-step verification as it’s referring to the setup) by default to enable more security for many accounts. Now it’s Cybersecurity Awareness Month, and Google is once again reminding us of that plan, saying in a blog post that it will enable two-factor for 150 million more accounts by the end of this year.

In 2018, Google said that only 10 percent of its active accounts were using two-factor authentication. It has been pushing, prodding, and encouraging people to enable the setting ever since. Another prong of the effort will require more than 2 million YouTube creators to turn on two-factor authentication to protect their channels from takeover. Google says it has partnered with organizations to give away more than 10,000 hardware security keys every year. Its push for two-factor has made the technology readily available on your phone whether you use Android or iPhone.

A tool that also helps users keep their accounts secure is using a password manager, and Google now says that it checks over a billion passwords a day via its built-in manager for Chrome, Android, and the Google app. The password manager is also available on iOS, where Chrome can autofill logins for other apps. Google says that soon it will help you generate passwords for other apps, making things even more straightforward. Also coming soon is the ability to see all of your saved passwords directly from the Google app menu.

Last but not least, Google is highlighting its Inactive Account Manager. This is a set of decisions to make about what happens to your account if you decide to stop using it or are no longer around and able to make those decisions.

Google Inactive Account Manager

Google Inactive Account Manager
Image: Google

Google added the feature in 2013 so that you can set a timeout period for your account between three and 18 months of disuse before the Inactive Account Manager protocols take effect. Just in case you only switched accounts or forgot about your login, Google will send an email a month before the limit is up. At that point, you can choose to have your information deleted or have it forwarded to whatever trusted contacts you want to have handling things on your behalf. Google’s blog post notes that an inactive account led to the massive Colonial Pipeline attack earlier this year, and just for security’s sake, you probably don’t want your digital life simply hanging around unused for whatever hackers are bored in the future.

Repost: Original Source and Author Link


Google investigates why a carrier linked VPN ads to an SMS two-factor code

Earlier this week, Australian developer Chris Lacy tweeted about a curious experience while logging into a rarely used Google account. When Google texted his two-factor authentication code, the message popped up along with an ad including a link for VPN services. Considering the downsides of phishing or malware distribution attached to a code that’s specifically intended to keep your account secure, this didn’t go over well.

While Lacy did not name the carrier who delivered the text, Google Identity and Security senior director Mark Risher clarified that the ad didn’t come from his company.

Google’s official statement on the matter is that “These are not our ads and we are currently working with the wireless carrier to understand why this happened.” The Messages app on Android didn’t display a preview, flagging it as possible spam, but it’s a less than ideal implementation of two-factor authentication.

9to5Google points out that at least in some countries, Google uses Verified SMS to authenticate and secure messages, but it’s not clear if that would be possible here. I’ve never seen any spam attached to verification on texts, but until RCS and end-to-end encryption are widespread, it’s just one more reason to opt for code generators, hardware keys, or push notifications for login security instead of a text.

Repost: Original Source and Author Link


How to use a two-factor security key

Two-factor authentication is a good way to add an extra layer of security to online accounts. It requires the use of your smartphone, however, which is not only inconvenient, but can be a problem if your phone is lost or breached. Hardware security keys can offer an additional layer of security to password-protected online accounts and, in turn, your identity. They’re also not hard to install. Here’s how to set them up for your Google account, Facebook, and Twitter.

Security keys can connect to your system using USB-A, USB-C, Lightning, or NFC, and they’re small enough to be carried on a keychain (with the exception of Yubico’s 5C Nano key, which is so small that it’s safest when kept in your computer’s USB port). They use a variety of authentication standards: FIDO2, U2F, smart card, OTP, and OpenPGP 3.

When you insert a security key into your computer or connect one wirelessly, your browser issues a challenge to the key, which includes the domain name of the specific site you are trying to access. The key then cryptographically signs and allows the challenge, logging you in to the service.

Many sites support U2F security keys, including Twitter, Facebook, Google, Instagram, GitHub, Dropbox, Electronic Arts, Epic Games, Microsoft account services, Nintendo, Okta, and Reddit. The best thing to do is to check the website of your security key of choice and see which services are supported — for example, here’s a link to the apps supported by YubiKeys.

A setup process is necessary before you can use a security key. After that, securely accessing your online profile on a site is a simple matter of entering your password, inserting the key, and tapping the button.

Keep in mind that you can’t copy, migrate, or save security-key data between keys (even if the keys are the same model). That is by design, so keys can’t be easily duplicated and used elsewhere. If you lose your security key, you can use two-factor authentication on your cellphone or an authenticator app. Then, if you want to use a new key, you will have to go through the process of reauthorizing your accounts all over again.

Which security key should I use?

Several brand choices are available. Yubico, one of the developers of the FIDO U2F authentication standard, sells several different versions. Google sells its own U2F key, called the Titan, which comes in three versions: USB-C, USB-A / NFC, or Bluetooth / NFC / USB. Other U2F keys include Kensington’s USB-A fingerprint-supporting key, and the Thetis USB-A key.

For this how-to, we used the YubiKey 5C NFC security key, which fits into a USB-C port but also works with phones via NFC. The process is pretty similar for all hardware security keys, though.

Pairing a key with your Google account

In order to use a security key with your Google account (or any account), you need to have already set up two-factor authentication.

  • Log in to your Google account, and select your profile icon in the upper-right corner. Then choose “Manage your Google Account.”
  • In the left-hand menu, click on “Security.” Scroll down until you see “Signing in to Google.” Click on the “2-step Verification” link. At this point, you may need to sign in to your account again.

Go to “Security” > “Signing in to Google” > “2-step Verification.”

Go to “Security” > “Signing in to Google” > “2-step Verification.”

  • Scroll down until you see the “Add more second steps to verify it’s you” heading. Look for the “Security Key” option and click on “Add Security Key.”
  • A pop-up box will list your options, which include devices that have built-in security keys and the option to use an external security key. Select “USB or Bluetooth / External security key.”
  • You’ll see a box telling you to make sure the key is nearby but not plugged in. You’ll also see an option to use only the security key as part of Google’s Advanced Protection Program (which is for users with “high visibility and sensitive information”). Assuming you don’t fall into that category, click “Next.”
  • The next box lets you register your security key. Insert your key into your computer port. Press the button on the key, then click “Allow” once you see the Chrome pop-up asking to read the make and model of your key.
  • Give your key a name.
  • Now you’re set! You can come back to your Google account’s 2FA page to rename or remove your key.

Pairing a key with your Twitter account

  • Log in to your Twitter account and click on “More” in the left-hand column. Select “Settings and privacy” from the menu.
  • Under the “Settings” heading, select “Security and account access” > “Security” > “Two-factor authentication.”
  • You’ll see three choices: “Text message,” “Authentication app,” and “Security key.” Click on “Security key.” You’ll probably be asked for your password at this point.
  • Select “Start.”

Once your security key is registered, you receive a just-in-case backup code (deleted here).

Once your security key is registered, you receive a just-in-case backup code (deleted here).

  • Insert your security key into your computer’s port, then press the key’s button.
  • The window should refresh to say, “Security key found.” Type in a name for your key and click “Next.”
  • The window will now read “You’re all set.” It will also give you a single-use backup code to use if you don’t have access to any of your other log-in methods. Copy that code and put it somewhere safe.
  • If you’ve changed your mind and want to remove the security key, go back to the “Two-factor authentication” page and select “Manage security keys.”
  • Click on the name of the key, and then choose “Delete key.” You’ll need to enter your password and verify that you want to delete the key.

Pairing a key with your Facebook account

  • Log in to your Facebook account. Click on the triangle icon on the upper-right corner and select “Settings & Privacy” > “Settings.”
  • Now you’re at “General Account Settings.” Select the “Security and Login” link from the left sidebar.
  • Scroll down until you see the section labeled “Two-Factor Authentication.” Click “Edit” on the “Use two-factor authentication” option. You may be asked for your password.
  • If you don’t have 2FA set up, you’ll be given three choices: “Authentication App,” “Text Message (SMS),” and “Security Key.” It’s recommended that you use an authenticator app as your primary security, but if you prefer, you can just click on “Security Key.”

You can use a security key as your main authentication method.

You can use a security key as your main authentication method.

  • If you do have 2FA set up, then you’ll find the “Security Key” option under “Add a Backup Method.”
  • Either way, you’ll get a pop-up box; click on “Register Security Key.” You’ll be instructed to insert your security key and press its button.
  • And that’s it. If you don’t use 2FA, you’ll now be asked for the security key if you log in from an unrecognized device or browser. If you do, you can use your key if you don’t have access to your authentication app.
  • If you no longer want to use the key, go back to “Two-Factor Authentication,” find “Security Key” under “Your Security Method,” and click on “Manage my keys.”

Repost: Original Source and Author Link

Tech News

Two-factor authentication explained: How to choose the right level of security for every account

If you aren’t already protecting your most personal accounts with two-factor or two-step authentication, you should be. An extra line of defense that’s tougher than the strongest password, 2FA is extremely important to blocking hacks and attacks on your personal data. If you don’t quite understand what it is, we’ve broken it all down for you.

Two-factor-authentication: What it is

Two-factor authentication is basically a combination of two of the following factors:

  1. Something you know
  2. Something you have
  3. Something you are

Something you know is your password, so 2FA always starts there. Rather than let you into your account once your password is entered, however, two-factor authentication requires a second set of credentials, like when the DMV wants your license and a utility bill. So that’s where factors 2 and 3 come into play. Something you have is your phone or another device, while something you are is your face, irises, or fingerprint. If you can’t provide authentication beyond the password alone, you won’t be allowed into the service you’re trying to log into.

So there are several options for the second factor: SMS, authenticator apps, Bluetooth-, USB-, and NFC-based security keys, and biometrics. So let’s take a look at your options so you can decide which is best for you.

Two-factor-authentication: SMS

2fa smsMichael Simon/IDG

When you choose SMS-based 2FA, all you need is a mobile phone number.

What it is: The most common “something you have” second authentication method is SMS. A service will send a text to your phone with a numerical code, which then needs to be typed into the field provided. If the codes match, your identification is verified and access is granted.

How to set it up: Nearly every two-factor authentication system uses SMS by default, so there isn’t much to do beyond flipping the toggle or switch to turn on 2FA on the chosen account. Depending on the app or service, you’ll find it somewhere in settings, under Security if the tab exists. Once activated you’ll need to enter your password and a mobile phone number.

How it works: When you turn on SMS-based authentication, you’ll receive a code via text that you’ll need to enter after you type your password. That protects you against someone randomly logging into your account from somewhere else, since your password alone in useless without the code. While some apps and services solely rely on SMS-based 2FA, many of them offer numerous options, even if SMS is selected by default.

2fa sms setupIDG

With SMS-based authentication, you’ll get a code via text that will allow access to your account.

How secure it is: By definition, SMS authentication is the least secure method of two-factor authentication. Your phone can be cloned or just plain stolen, SMS messages can be intercepted, and by nature most default messaging apps aren’t encrypted. So the code that’s sent to you could possibly fall into someone’s hands other than yours. It’s unlikely to be an issue unless you’re a valuable target, however. 

Repost: Original Source and Author Link


How to set up two-factor authentication on your online accounts

Just about any account you own on the internet is prone to being hacked. After numerous widespread breaches through the past few years, tech companies have been working together to develop a standard that would make passwords a thing of the past, replacing them with more secure methods like biometric or PIN-based logins that do not require transferring data over the internet.

But while those standards are still being adopted, the next best way to secure your accounts is two-factor authentication, or 2FA. This a process that gives web services secondary access to the account owner (you) in order to verify a login attempt. Typically, this involves a phone number and / or email address. This is how it works: when you log in to a service, you use your mobile phone to verify your identity by either clicking on a texted / emailed link or typing in a number sent by an authenticator app.

What are authenticator apps?

Authenticator apps are considered more secure than texting. They also offer flexibility when you are traveling to a place without cellular service. Popular options include Authy, Google Authenticator, Microsoft Authenticator, or Hennge OTP (iOS only). These apps mostly follow the same procedure when adding a new account: you scan a QR code associated with your account, and it is saved in the app. The next time you log in to your service or app, it will ask for a numerical code; just open up the authenticator app to find the randomly generated code required to get past security.

While 2FA — via text, email, or an authenticator app — does not completely cloak you from potential hackers, it is an important step in preventing your account from being accessed by unauthorized users. Here’s how to enable 2FA on your accounts across the web.


Two-factor authentication is currently offered to Apple users on iOS 9 and later or macOS X El Capitan and later.


The steps are slightly different depending on how updated your iOS software is. For those using iOS 10.3 or later, you can enable 2FA on your Apple ID by going to Settings > [Your Name] > Password & Security. Turn on 2FA to receive a text message with a code each time you log in.

For those using iOS 10.2 or earlier, the settings are under iCloud > Apple ID > Password & Security.


Again, steps are slightly different depending on your version of macOS. If you’re using Catalina, click the Apple icon on the upper-left corner of your screen, then click System Preferences > Apple ID. Click on Password & Security under your name, and then select “Turn On Two-Factor Authentication.”

For Mojave and earlier, after you click the Apple icon, click System Preferences > iCloud > Account Details. (You can shorten this step a bit by typing in “iCloud” using Spotlight.) Click on Security, and you’ll see the option to turn 2FA on.

The remainder of the steps, from either iOS or Mac, are the same. You can opt for Apple to send you a six-digit verification code by text message or a phone call. You can also set up a physical security key here.


Instagram added 2FA to its mobile app in 2017, but now you can also activate it through the web.

To activate 2FA on your mobile app, head over to your profile and click the hamburger menu on the upper-right corner. Look for “Settings” > “Security,” where you’ll find a menu item for Two-Factor Authentication.

Here, you can choose between text message-based verification or a code sent to your authentication app.

GIF by Amelia Krales / The Verge

To turn on 2FA using the web, log in and head to your profile. Next to your profile name and the Edit Profile button, there is a gear icon. Clicking this will pop open a settings menu, where you can find the same Privacy and Security section as on the app. From here, you can turn on 2FA and, just as in the app, choose your method for verification.

Clicking on the gear icon will pop open a settings menu.

Clicking on the gear icon will pop open a settings menu.


The way to access Facebook’s 2FA settings is a bit different on the app and the web (and Facebook tends to update both layouts often).

You can access your privacy settings on the mobile app on both iOS and Android by clicking the hamburger icon on the upper-right corner and scrolling down to the bottom to find the “Settings & Privacy” menu. Tap “Settings” > “Security and Login” and scroll down to “Use two-factor authentication.”

Like Instagram (they are part of the same company, after all), you can opt for a text message or an authentication app.

On the web, click the down arrow in the upper-right corner, and select “Settings & Privacy” > “Privacy Shortcuts.” Look for the “Account Security” heading and click on “Use two-factor authentication.”

Facebook lets you authenticate via text message or authentication app.

Facebook lets you authenticate via text message or authentication app.

Additionally, for apps that don’t support 2FA when logging in with a Facebook account (such as Xbox and Spotify), you can generate a unique password specifically associated with that account. From the original down arrow, select “Settings & Privacy” > “Settings” and then, from the menu on the left, “Security & Login” > “App passwords” (under the “Two-Factor Authorization” subhead). After resubmitting your Facebook password, you’ll be able to name the app, click generate, and save that password for the next time you have to log in.


On the Twitter mobile app, tap the three-line “hamburger” icon at the top left of the screen and find the “Settings and privacy” selection. Go to “Account” > “Security.” Click on “Two-factor authentication” and follow the directions.

On the web, click on “More” in the left-hand menu and find “Settings and privacy.” Click on “Security and account access” (or you can just follow this link). Select “Security” > “Two-factor authorization.”

Once you’re all set up, Twitter will either ask for verification through an authentication app, or you will text a code number to your phone number when you want to log in. Twitter has also added security key support.

Twitter 2FA

As with other services mentioned above, you can generate a backup code to use when you’re traveling and will be without internet or cell service. You may also see an option to create a temporary app password that you can use to log in from other devices. This can be used to log in to third-party apps if you have them linked to your Twitter account. Note that the temporary password expires one hour after being generated.


Go to the Amazon homepage and log in. Hover over “Accounts & Lists” and click on “Account.” A box labeled “Login & security” will be at the top of the page; click on that and then click the Edit button on “Two-Step Verification (2SV) Settings.” (You may be asked to reenter your password first.) You can also navigate directly to that page by following this link.

Click Get Started, and Amazon will walk you through the process of registering your phone number, or you can opt to use your preferred authenticator app by syncing it through a QR code.

You can activate 2FA on both the Android and iOS Amazon app by tapping the hamburger menu on the left side and finding “Your Account” > “Login & security.” The same “Two-Step Verification (2SV) Settings” selection should be available for you to edit and toggle on 2FA.

Once your phone number or authenticator app has been verified, you can select trusted devices to bypass 2FA or generate a code to log in via a mobile app.


The easiest way to turn 2FA on across your Google accounts (i.e., Gmail, YouTube, or Google Maps) is by heading over to the main 2FA landing page and clicking “Get Started.” You’ll be asked to log in then select your mobile device from a list. (If you have an iPhone, you may have to download a separate app.) Google will try to send a message to that phone; if it succeeds, you will be asked to enter a phone number; you can then choose whether you want to receive verification codes by text message or phone call. Again, Google will try out your chosen method.

After that, Google will first send prompts that allow you to simply click “Yes” or “No” when a login attempt occurs. If that doesn’t work, it will send the text message or phone call.

You can also generate backup codes for offline access. Google generates 10 at a time and they’re designed to be single-use, so once you’ve successfully used one, cross it out (assuming you’ve printed them out) as it will no longer work.


From the app’s main camera screen, tap your profile icon and find the gear icon to access your settings. Select “Two-Factor Authentication” and choose whether to receive a text message verification or hook it up to your authenticator app.

Once 2FA has been enabled on your Snapchat account, you can add trusted devices or request a recovery code for when you’re planning to be somewhere without cellular service. Snapchat does not seem to currently support security key logins.


To enable 2FA, you’ll first need to find the Account Settings page. There are two ways to access this:

  • Click on your username on the upper-right corner of the Slack app to open a drop-down menu and select “View profile.” Your account information will now display on the right side of the chat window. Under your avatar and next to the “Edit Profile” button, click the three-dotted icons for additional actions, and find “Account settings.” You can also head straight to
  • You should immediately see the selection for “Two-Factor Authentication.”

If you do not see the option for 2FA, check whether your Slack account is for work. Some employers may use single sign-on services that bypass the need for 2FA, which eliminates this from Slack’s Account Settings page.

Like most other apps, Slack lets you use either SMS or an authentication app.

Like most other apps, Slack lets you use either SMS or an authentication app.

If this is a personal Slack, however, then click “Expand” on “Two-Factor Authentication” to verify your information by an SMS or authenticator app. If you have multiple email addresses, you may need to select a default one before you can decide on your preferred 2FA method.


Log in to your Microsoft account and find the “Security settings” menu (there are several ways to get there; click on the link for the easiest). Look for the “Two-step verification” section and click on the setup link. You’ll be walked through the steps needed to use either the Microsoft Authenticator app or use a different authentication app. You’ll also be able to create passwords for apps that don’t accept 2FA.


From your Dropbox homepage on the web, click your profile avatar and find Settings; then go to the Security tab. Find Two-Step Verification; it will tell you the status of your 2FA. Toggle to turn the feature on and choose to receive 2FA through a text or your authenticator app.


Open up WhatsApp, and find the Settings menu under the upper-right hamburger icon. Look under “Account” > “Two-step verification” > “Enable.” The app will ask you to enter a six-digit PIN to use as verification and optionally add an email address in case you forget your PIN.

Having an associated email with your WhatsApp account is important since the service won’t let you reverify yourself if you’ve used WhatsApp within the last seven days and have forgotten your PIN. So if you can’t wait a week to reverify for whatever reason, it’s helpful to have entered an email address so you can log yourself in or disable 2FA. In the same vein: be cautious of emails encouraging you to turn off 2FA if you didn’t request it yourself.


On the main Summary page, click the gear icon and find the Security tab. Look for the section called “2-step verification” and click on the Set Up link. You’ll get a choice to have a code texted to you or use an authenticator app. (PayPal also offers to find you an authenticator app if you want one.)

If you lose your phone, change numbers, or decide to revoke authorization rights, come back to this menu to make adjustments.

Note that the interface is different if you use PayPal as a business account. From the main Summary page, click the gear icon to be taken to the Settings page. Under Login and Security, look for the Security Key option to add your phone number or a security key as your 2FA method.


Smart home products like Nest are not exempt from getting hacked — in fact, Nest now strongly encourages its users to enroll in 2FA. For Nest, make sure your app is up to date on all of your devices. Then, on the home screen, go to Settings > Account > Manage account > Account security, and select two-step verification. Toggle the switch to on. A series of prompts will ask for your password, phone number, and the verification code that will be sent to your phone.

Keep in mind that all of your devices will be automatically signed out, so you’ll have to sign in again using the two-step verification.

If all your family members don’t have their own logins and have been using yours, it’s a good idea to set them up with separate logins using Family Accounts. Otherwise, when they try to log on using two-step verification, the necessary code will be sent to your phone, not theirs.


Like with Nest, make sure your Ring app is up to date. Swipe over from the left, then go to “Account” > “Two-Factor Authentication” (you’ll find it under “Enhanced Security”). Tap the big “Turn on two-factor” button. A series of prompts will ask for your password, phone number, and the verification code that will be sent to your phone.

From then on, you’ll need both your password and an SMS verification code whenever you want to log in to Ring from a new device.


Rather than traditional 2FA, Signal uses a PIN. Click your profile icon on the upper-left side and find “Privacy.” Look for “Registration Lock” to require your PIN (which you were asked for when you originally registered) to be entered each time you re-register your phone number. Signal requires your PIN to be at least four digits long, and up to a maximum of 20 digits.

When you first enable Registration Lock, Signal will ask you to type in your PIN in the first six and 12 hours after being enabled. The company says this is designed to help you to remember it through random repetition. So after the first day, it will ask you to enter it in the next day, then in three days, and finally one last time after a full week.

If you happen to forget your PIN and can’t log in to Signal, you will have to wait seven days of inactivity for your registration lock to expire, after which you can log in to your app again to set up a new PIN. Those who are already actively using Signal won’t have to worry about the Registration Lock resetting, as that clock only starts when the app isn’t open.

Did we miss your favorite apps?

For services not listed on this guide, check out to find the app or service in question. This helpful site links to every official guide for companies that support 2FA, and gives you the option to message the company on Twitter, Facebook, or email to add 2FA if it currently does not have it.

On a final note: while adding 2FA is great for an extra layer of security on all your accounts, remember that you should be changing and updating your passwords regularly even with 2FA enabled, just to stay in tip-top shape. If that’s not your style, you can also use a password manager to automatically take care of it for you.

Update January 7th, 2021: This article was originally published on June 19th, 2017, and has been checked and updated several times so that the instructions for adding 2FA to these apps remain current. This is the latest update.

Source link