GitHub, the code hosting platform used by tens of millions of software developers around the world, announced today that all users who upload code to the site will need to enable one or more forms of two-factor authentication (2FA) by the end of 2023 in order to continue using the platform.
The new policy was announced Wednesday in a blog post by GitHub’s chief security officer (CSO) Mike Hanley, which highlighted the Microsoft-owned platform’s role in protecting the integrity of the software development process in the face of threats created by bad actors taking over developers’ accounts.
“The software supply chain starts with the developer,” Hanley wrote. “Developer accounts are frequent targets for social engineering and account takeover, and protecting developers from these types of attacks is the first and most critical step toward securing the supply chain.”
Even though multi-factor authentication provides significant additional protection to online accounts, GitHub’s internal research shows that only around 16.5 percent of active users (roughly one in six) currently enable the enhanced security measures on their accounts — a surprisingly low figure given that the platform’s user base should be aware of the risks of password-only protection.
By steering these users towards a higher minimum standard of account protection, GitHub hopes to boost the overall security of the software development community as a whole, Hanley told The Verge.
“GitHub is in a unique position here, just by virtue of the vast majority of open source and creator communities living on GitHub.com, that we can have a significant positive impact on the security of the overall ecosystem by raising the bar from a security hygiene perspective,” Hanley said. “We feel like it’s really one of the best ecosystem-wide benefits that we can provide, and we’re committed to making sure that we work through any of the challenges or obstacles to making sure that there’s successful adoption.”
In response, GitHub made two-factor authentication mandatory for the maintainers of the 100 most popular NPM packages as of February 2022. The company plans to extend the same requirements to contributors to the top 500 packages by the end of May.
Insights from this smaller trial will be used to smooth out the process of rolling out 2FA across the platform, Hanley said. “I think we have a great benefit of the fact that we’ve already done this now on NPM,” he said. “We have learned a lot from that experience, in terms of feedback we’ve gotten from developers and creator communities that we’ve talked to, and we had a very active dialog about what good [practice] looks like with them.”
Broadly speaking, this means setting a long lead time for making the use of 2FA mandatory site-wide, and designing a range of onboarding flows to nudge users towards adoption well before the 2024 deadline, Hanley said.
Securing open-source software remains a pressing concern for the software industry, particularly after last year’s log4j vulnerability. But while GitHub’s new policy will mitigate some threats, systemic challenges remain: many open source projects are still maintained by unpaid volunteers, and closing that funding gap is widely seen as a major problem for the tech industry as a whole.
If you want to verify your Google login and make it harder to access by anyone but yourself (always a good idea), one way is to use your iPhone or Android smartphone as a physical security key. While you can set up a third-party 2FA app such as Authy or even use Google’s own Authenticator, these require that you enter both your password and a code generated by the app. Google’s built-in security allows you to access your account by just hitting “Yes” or pressing your volume button after a pop-up appears on your phone. You can also use your phone as a secondary security key.
Use your phone to sign in
To set this up, your computer should be running a current version of Windows 10, iOS, macOS, or Chrome OS. Before you start, make sure that your phone is running Android 7 or later and that it has Bluetooth turned on.
While it’s unlikely you have an Android phone that doesn’t have a Google account associated with it, if you’re one of the few, you need to add a Google account to your phone by heading into Settings > Passwords & accounts, scrolling down, and selecting Add account > Google.
Once that’s done, open a Google Chrome browser on your computer.
Enter your account password. You’ll be asked to satisfy three steps: choose a phone (if you have more than one), make sure you have either Touch ID (for an iPhone) or a screen lock (for an Android), and add a recovery phone number.
You’ll then be run through a test of the system and invited to turn it on permanently.
Use your phone as a secondary security key
You can also use your phone as a secondary security key to ensure that it is indeed you who are signing into your account. In other words, to get into the account, it will be necessary to be carrying the correct phone with a Bluetooth connection.
If you don’t have two-step verification set up yet, go back to your account security page, click on 2-Step Verification and follow the instructions. The TL;DR is that you’ll need to log in, enter a phone number, and select what secondary methods of verification you’d like.
Scroll down the list of secondary methods and select Add security key.
And again, select Add security key.
You’ll be given the choice of adding your phone (or one of your phones, if you have more than one) or a physical USB or NFC key. Select your phone.
You’ll get a warning that you need to keep Bluetooth on and that you can only sign in using a supported browser (Google Chrome or Microsoft Edge).
That’s it! You’ve set up your phone as a security key and can now log in to Gmail, Google Cloud, and other Google services and use your phone as the primary or secondary method of verification.
Just make sure your phone is in close proximity to your computer whenever you’re trying to log in. Your computer will then tell you that your phone is displaying a prompt. Follow the directions to verify your login, and you’re all set!
Update March 29th, 2021, 11:20AM ET: This article was originally published on April 12th, 2019, and has been updated to account for changes in the Google interface.
In May, Google announced plans to enable two-factor authentication (or two-step verification as it’s referring to the setup) by default to enable more security for many accounts. Now it’s Cybersecurity Awareness Month, and Google is once again reminding us of that plan, saying in a blog post that it will enable two-factor for 150 million more accounts by the end of this year.
In 2018, Google said that only 10 percent of its active accounts were using two-factor authentication. It has been pushing, prodding, and encouraging people to enable the setting ever since. Another prong of the effort will require more than 2 million YouTube creators to turn on two-factor authentication to protect their channels from takeover. Google says it has partnered with organizations to give away more than 10,000 hardware security keys every year. Its push for two-factor has made the technology readily available on your phone whether you use Android or iPhone.
A tool that also helps users keep their accounts secure is using a password manager, and Google now says that it checks over a billion passwords a day via its built-in manager for Chrome, Android, and the Google app. The password manager is also available on iOS, where Chrome can autofill logins for other apps. Google says that soon it will help you generate passwords for other apps, making things even more straightforward. Also coming soon is the ability to see all of your saved passwords directly from the Google app menu.
Last but not least, Google is highlighting its Inactive Account Manager. This is a set of decisions to make about what happens to your account if you decide to stop using it or are no longer around and able to make those decisions.
Google added the feature in 2013 so that you can set a timeout period for your account between three and 18 months of disuse before the Inactive Account Manager protocols take effect. Just in case you only switched accounts or forgot about your login, Google will send an email a month before the limit is up. At that point, you can choose to have your information deleted or have it forwarded to whatever trusted contacts you want to have handling things on your behalf. Google’s blog post notes that an inactive account led to the massive Colonial Pipeline attack earlier this year, and just for security’s sake, you probably don’t want your digital life simply hanging around unused for whatever hackers are bored in the future.
Earlier this week, Australian developer Chris Lacy tweeted about a curious experience while logging into a rarely used Google account. When Google texted his two-factor authentication code, the message popped up along with an ad including a link for VPN services. Considering the downsides of phishing or malware distribution attached to a code that’s specifically intended to keep your account secure, this didn’t go over well.
While Lacy did not name the carrier who delivered the text, Google Identity and Security senior director Mark Risher clarified that the ad didn’t come from his company.
Google’s official statement on the matter is that “These are not our ads and we are currently working with the wireless carrier to understand why this happened.” The Messages app on Android didn’t display a preview, flagging it as possible spam, but it’s a less than ideal implementation of two-factor authentication.
9to5Google points out that at least in some countries, Google uses Verified SMS to authenticate and secure messages, but it’s not clear if that would be possible here. I’ve never seen any spam attached to verification on texts, but until RCS and end-to-end encryption are widespread, it’s just one more reason to opt for code generators, hardware keys, or push notifications for login security instead of a text.
Two-factor authentication is a good way to add an extra layer of security to online accounts. It requires the use of your smartphone, however, which is not only inconvenient, but can be a problem if your phone is lost or breached. Hardware security keys can offer an additional layer of security to password-protected online accounts and, in turn, your identity. They’re also not hard to install. Here’s how to set them up for your Google account, Facebook, and Twitter.
Security keys can connect to your system using USB-A, USB-C, Lightning, or NFC, and they’re small enough to be carried on a keychain (with the exception of Yubico’s 5C Nano key, which is so small that it’s safest when kept in your computer’s USB port). They use a variety of authentication standards: FIDO2, U2F, smart card, OTP, and OpenPGP 3.
When you insert a security key into your computer or connect one wirelessly, your browser issues a challenge to the key, which includes the domain name of the specific site you are trying to access. The key then cryptographically signs that challenge, and the service verifies the signature and logs you in.
Many sites support U2F security keys, including Twitter, Facebook, Google, Instagram, GitHub, Dropbox, Electronic Arts, Epic Games, Microsoft account services, Nintendo, Okta, and Reddit. The best thing to do is to check the website of your security key of choice and see which services are supported — for example, here’s a link to the apps supported by YubiKeys.
A setup process is necessary before you can use a security key. After that, securely accessing your online profile on a site is a simple matter of entering your password, inserting the key, and tapping the button.
Keep in mind that you can’t copy, migrate, or save security-key data between keys (even if the keys are the same model). That is by design, so keys can’t be easily duplicated and used elsewhere. If you lose your security key, you can use two-factor authentication on your cellphone or an authenticator app. Then, if you want to use a new key, you will have to go through the process of reauthorizing your accounts all over again.
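As an added illustration of the challenge-and-sign exchange described above (example code written for this article, not code from Yubico, Google or any browser), the Go program below models the three parties: the site issues a random challenge, the browser wraps it with the origin the page was actually loaded from and asks the key to sign for that domain, and the site checks challenge, origin and signature before logging the user in. The domain names, the simplified "origin\x00challenge" client data and the one-key-pair-per-site model are assumptions made for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
)

// Authenticator models the security key. Hypothetical simplification: one P-256 key pair per
// relying-party ID (rpID, the site's domain); real keys derive these from a master secret.
type Authenticator struct {
	creds map[string]*ecdsa.PrivateKey
}

// Register creates a credential bound to rpID; only the public key leaves the device.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	if a.creds == nil {
		a.creds = map[string]*ecdsa.PrivateKey{}
	}
	a.creds[rpID] = priv
	return &priv.PublicKey, nil
}

// Assertion is the key's reply. ClientData is built by the browser, not by page script; here
// it is "origin\x00challenge", a stand-in for the JSON object real browsers produce.
type Assertion struct {
	ClientData []byte
	Signature  []byte
}

// signedDigest hashes what the key signs: SHA-256(rpID) || SHA-256(clientData). Real U2F
// keys also include a signature counter here so a site can notice a cloned key.
func signedDigest(rpID string, as *Assertion) []byte {
	rh, cdh := sha256.Sum256([]byte(rpID)), sha256.Sum256(as.ClientData)
	d := sha256.Sum256(bytes.Join([][]byte{rh[:], cdh[:]}, nil))
	return d[:]
}

// Sign refuses unless a credential exists for rpID; the private key never leaves the device.
func (a *Authenticator) Sign(rpID string, clientData []byte) (*Assertion, error) {
	priv, ok := a.creds[rpID]
	if !ok {
		return nil, errors.New("no credential for " + rpID)
	}
	as := &Assertion{ClientData: clientData}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(rpID, as))
	as.Signature = sig
	return as, err
}

// browserSign plays the browser: rpID is taken from the real origin, never from the page.
func browserSign(a *Authenticator, origin string, challenge []byte) (*Assertion, error) {
	clientData := append([]byte(origin+"\x00"), challenge...)
	return a.Sign(strings.TrimPrefix(origin, "https://"), clientData)
}

// RelyingParty is the site; the domain used in main is a constructed example value.
type RelyingParty struct {
	ID, Origin string
	Pub        *ecdsa.PublicKey
}

// Verify performs every check the site must make before logging the user in.
func (rp *RelyingParty) Verify(challenge []byte, as *Assertion) error {
	origin, ch, _ := bytes.Cut(as.ClientData, []byte{0})
	switch {
	case !bytes.Equal(ch, challenge):
		return errors.New("challenge mismatch: stale or replayed assertion")
	case string(origin) != rp.Origin:
		return errors.New("origin mismatch: " + string(origin))
	case !ecdsa.VerifyASN1(rp.Pub, signedDigest(rp.ID, as), as.Signature):
		return errors.New("bad signature: credential was not created for this site")
	}
	return nil
}

func main() {
	auth := new(Authenticator)
	site := &RelyingParty{ID: "example.com", Origin: "https://example.com"}
	site.Pub, _ = auth.Register(site.ID)
	challenge := make([]byte, 32) // a site draws a fresh one from crypto/rand per login
	rand.Read(challenge)
	as, _ := browserSign(auth, site.Origin, challenge)
	fmt.Println("genuine login:", site.Verify(challenge, as)) // <nil>
	fmt.Println("replayed later:", site.Verify([]byte("fresh-challenge"), as)) // challenge mismatch
	_, err := browserSign(auth, "https://example-login.com", challenge)
	fmt.Println("look-alike origin:", err) // key has no credential for that rpID
}
```

The third case is the phishing-resistance property: a look-alike domain cannot obtain a signature for the real site, because the browser, not the page, decides which rpID the key signs for.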
Which security key should I use?
Several brand choices are available. Yubico, one of the developers of the FIDO U2F authentication standard, sells several different versions. Google sells its own U2F key, called the Titan, which comes in three versions: USB-C, USB-A / NFC, or Bluetooth / NFC / USB. Other U2F keys include Kensington’s USB-A fingerprint-supporting key, and the Thetis USB-A key.
For this how-to, we used the YubiKey 5C NFC security key, which fits into a USB-C port but also works with phones via NFC. The process is pretty similar for all hardware security keys, though.
Pairing a key with your Google account
In order to use a security key with your Google account (or any account), you need to have already set up two-factor authentication.
Log in to your Google account, and select your profile icon in the upper-right corner. Then choose “Manage your Google Account.”
In the left-hand menu, click on “Security.” Scroll down until you see “Signing in to Google.” Click on the “2-step Verification” link. At this point, you may need to sign in to your account again.
Scroll down until you see the “Add more second steps to verify it’s you” heading. Look for the “Security Key” option and click on “Add Security Key.”
A pop-up box will list your options, which include devices that have built-in security keys and the option to use an external security key. Select “USB or Bluetooth / External security key.”
You’ll see a box telling you to make sure the key is nearby but not plugged in. You’ll also see an option to use only the security key as part of Google’s Advanced Protection Program (which is for users with “high visibility and sensitive information”). Assuming you don’t fall into that category, click “Next.”
The next box lets you register your security key. Insert your key into your computer port. Press the button on the key, then click “Allow” once you see the Chrome pop-up asking to read the make and model of your key.
Give your key a name.
Now you’re set! You can come back to your Google account’s 2FA page to rename or remove your key.
Pairing a key with your Twitter account
Log in to your Twitter account and click on “More” in the left-hand column. Select “Settings and privacy” from the menu.
Under the “Settings” heading, select “Security and account access” > “Security” > “Two-factor authentication.”
You’ll see three choices: “Text message,” “Authentication app,” and “Security key.” Click on “Security key.” You’ll probably be asked for your password at this point.
Insert your security key into your computer’s port, then press the key’s button.
The window should refresh to say, “Security key found.” Type in a name for your key and click “Next.”
The window will now read “You’re all set.” It will also give you a single-use backup code to use if you don’t have access to any of your other log-in methods. Copy that code and put it somewhere safe.
If you’ve changed your mind and want to remove the security key, go back to the “Two-factor authentication” page and select “Manage security keys.”
Click on the name of the key, and then choose “Delete key.” You’ll need to enter your password and verify that you want to delete the key.
Pairing a key with your Facebook account
Log in to your Facebook account. Click on the triangle icon on the upper-right corner and select “Settings & Privacy” > “Settings.”
Now you’re at “General Account Settings.” Select the “Security and Login” link from the left sidebar.
Scroll down until you see the section labeled “Two-Factor Authentication.” Click “Edit” on the “Use two-factor authentication” option. You may be asked for your password.
If you don’t have 2FA set up, you’ll be given three choices: “Authentication App,” “Text Message (SMS),” and “Security Key.” It’s recommended that you use an authenticator app as your primary security, but if you prefer, you can just click on “Security Key.”
If you do have 2FA set up, then you’ll find the “Security Key” option under “Add a Backup Method.”
Either way, you’ll get a pop-up box; click on “Register Security Key.” You’ll be instructed to insert your security key and press its button.
And that’s it. If you don’t use 2FA, you’ll now be asked for the security key if you log in from an unrecognized device or browser. If you do, you can use your key if you don’t have access to your authentication app.
If you no longer want to use the key, go back to “Two-Factor Authentication,” find “Security Key” under “Your Security Method,” and click on “Manage my keys.”
If you aren’t already protecting your most personal accounts with two-factor or two-step authentication, you should be. An extra line of defense that’s tougher than the strongest password, 2FA is extremely important to blocking hacks and attacks on your personal data. If you don’t quite understand what it is, we’ve broken it all down for you.
Two-factor authentication: What it is
Two-factor authentication is basically a combination of two of the following factors:
Something you know
Something you have
Something you are
Something you know is your password, so 2FA always starts there. Rather than let you into your account once your password is entered, however, two-factor authentication requires a second set of credentials, like when the DMV wants your license and a utility bill. So that’s where factors 2 and 3 come into play. Something you have is your phone or another device, while something you are is your face, irises, or fingerprint. If you can’t provide authentication beyond the password alone, you won’t be allowed into the service you’re trying to log into.
There are several options for the second factor: SMS, authenticator apps, Bluetooth-, USB-, and NFC-based security keys, and biometrics. Let’s take a look at each so you can decide which is best for you.
Two-factor authentication: SMS
What it is: The most common “something you have” second authentication method is SMS. A service will send a text to your phone with a numerical code, which then needs to be typed into the field provided. If the codes match, your identification is verified and access is granted.
How to set it up: Nearly every two-factor authentication system uses SMS by default, so there isn’t much to do beyond flipping the toggle or switch to turn on 2FA on the chosen account. Depending on the app or service, you’ll find it somewhere in settings, under Security if the tab exists. Once activated you’ll need to enter your password and a mobile phone number.
How it works: When you turn on SMS-based authentication, you’ll receive a code via text that you’ll need to enter after you type your password. That protects you against someone logging into your account from somewhere else, since your password alone is useless without the code. While some apps and services rely solely on SMS-based 2FA, many of them offer other options, even if SMS is selected by default.
How secure it is: Of the methods covered here, SMS is the least secure. Your phone can be cloned or just plain stolen, SMS messages can be intercepted, and most default messaging apps aren’t encrypted. So the code that’s sent to you could possibly fall into someone else’s hands. It’s unlikely to be an issue unless you’re a valuable target, however.
How convenient it is: Very. You’re likely to always have your phone within reach, so the second authentication is super convenient, especially if the account you’re signing into is on your phone.
Should you use it? Any two-factor authentication is better than none, but if you’re serious about security, SMS won’t cut it.
Two-factor authentication: Authenticator apps
What it is: Like SMS-based two-factor authentication, authenticator apps generate codes that need to be entered when prompted. However, rather than being sent over unencrypted SMS, they’re generated within an app, and you don’t even need an Internet connection to get one.
How to set it up: To get started with an authenticator app, you’ll need to download one from the Play Store or the App Store. Google Authenticator works great for your Google account and anything you use it to log into, but there are other great ones as well, including Authy, LastPass, Microsoft, and a slew of other individual companies, such as Blizzard, Sophos, and Salesforce. If an app or service supports authenticator apps, it’ll supply a QR code that you can scan, or a setup key that you can enter, on your phone.
How it works: When you open your chosen authenticator app and scan the code, a six-digit code will appear, just like with SMS 2FA. Enter that code into the service you’re setting up and you’re good to go. After the initial setup, you’ll be able to open the app to get a code whenever you need one, without scanning a QR code again.
How secure it is: Unless someone has access to your phone or whatever device is running your authenticator app, it’s completely secure. Since codes are generated on the device itself and never travel over SMS, there’s no way for prying eyes to intercept them. For extra security, Authy allows you to set PIN and password protection, too, something Google doesn’t offer on its authenticator app.
How convenient it is: While opening an app is slightly less convenient than receiving a text message, authenticator apps don’t take more than a few seconds to use. They’re far more secure than SMS, and you can use them offline if you ever run into an issue where you need a code but have no connection.
Should you use it? An authenticator app strikes the sweet spot between security and convenience. While you might find some services that don’t support authenticator apps, the vast majority do.
Two-factor authentication: Universal second factor (security key)
What it is: Unlike SMS- and authenticator-based 2FA, universal second factor is truly a “something you have” method of protecting your accounts. Instead of a digital code, the second factor is a hardware-based security key. You’ll need to order a physical key to use it, which will connect to your phone or PC via USB, NFC, or Bluetooth.
You can buy a Titan Security Key bundle from Google for $50, which includes a USB-A security key and a Bluetooth security key along with a USB-A-to-USB-C adapter, or buy one from Yubico. An NFC-enabled key is recommended if you’re going to be using it with a phone.
How to set it up: Setting up a security key is basically the same as the other methods, except you’ll need a computer. You’ll need to turn on two-factor authentication and then select the “security key” option, if it’s available. Most popular accounts, such as Twitter, Facebook, and Google, support security keys, so your most vulnerable accounts should be all set. However, while Chrome, Firefox, and Microsoft’s Edge browser all support security keys, Apple’s Safari browser does not, so you’ll be prompted to switch during setup.
Once you reach the security settings page for the service you’re enabling 2FA with, select security key and follow the prompts. You’ll be asked to insert your key (so make sure you have a USB-C adapter on hand if you have a MacBook) and press the button on it. That will initiate the connection with your computer and pair your key, and in a few seconds your account will be ready to go.
How it works: When an account requests 2FA verification, you’ll need to plug your security key into your phone or PC’s USB-C port or (if supported) tap it to the back of your NFC-enabled phone. Then it’s only a matter of pressing the button on the key to establish the connection and you’re in.
How secure it is: Extremely. Since all of the login authentication is stored on a physical key that is either on your person or stored somewhere safe, the odds of someone accessing your account are extremely low. To do so, they would need to steal your password and the key to access your account, which is very unlikely.
How convenient it is: Not very. When you log into one of your accounts on a new device, you’ll need to type your password and then authenticate it via the hardware key, either by inserting it into your PC’s USB port or pressing it against the back of an NFC-enabled phone. Neither method takes more than a few seconds, though, provided you have your security key within reach.
Two-factor authentication: Google Advanced Protection Program
What it is: If you want to completely lock down your most important data, Google offers the Advanced Protection Program for your Google account, which disables everything except security key-based 2FA. It also limits access to your emails and Drive files to Google apps and select third-party apps, and shuts down web access from browsers other than Chrome and Firefox.
How to set it up: You’ll need to make a serious commitment. To enroll in Google Advanced Protection, you’ll need to purchase two Security Keys: one as your main key and one as your backup key. Google sells its own Titan Security Key bundle, but you can also buy a set from Yubico or Feitian.
Once you get your keys, you’ll need to register them with your Google account and then agree to turn off all other forms of authentication. But here’s the rub: To ensure that every one of your devices is properly protected, Google will log you out of every account on every device you own so you can log in again using Advanced Protection.
How it works: Advanced Protection works just like a security key, except you won’t be able to choose a different method if you forget or lose your security key.
How secure it is: Google Advanced Protection is basically impenetrable. By relying solely on security keys, it makes sure that no one will be able to access your account without both your password and physical key, which is extremely unlikely.
How convenient it is: By nature, Google Advanced Protection is supposed to make it difficult for hackers to access your Google account and anything associated with it, so naturally it’s not so easy for the user either. Since there’s no fallback authentication method, you’ll need to remember your key whenever you leave the house. And when you run into a roadblock—like the Safari browser on a Mac—you’re pretty much out of luck. But if you want your account to have the best possible protection, accept no substitute.
Two-factor authentication: Biometrics
What it is: A password-free world where all apps and services are authenticated by a fingerprint or facial scan.
How to set it up: You can see biometrics at work when you opt to use the fingerprint scanner on your phone or Face ID on the iPhone XS, but at the moment, biometric security is little more than a replacement for your password after you log in and verify via another 2FA method.
How it works: Like the way you use your fingerprint or face to unlock your smartphone, biometric 2FA uses your body’s unique characteristics as your password. So your Google account would know it was you based on your scan when you set up your account, and it would automatically allow access when it recognized you.
How secure it is: Since it’s extremely difficult to clone your fingerprint or face, biometric authentication is the closest thing to a digital vault.
How convenient it is: You can’t go anywhere without your fingerprint or your face, so it doesn’t get more convenient than that.
Two-factor authentication: iCloud
What it is: Apple has its own method of two-factor authentication for your iCloud and iTunes accounts that involves setting up trusted Apple devices (iPhone, iPad, or Mac—Apple Watch isn’t supported) that can receive verification codes. You can also set up trusted numbers to receive SMS codes or get verification codes via an authenticator built into the Settings app.
How to set it up: As long as you’re logged into your iCloud account, you can turn on two-factor authentication from pretty much anywhere. Just go into Settings on your iOS device or System Preferences on your Mac, PC, or Android phone, then Security, and Turn On Two-Factor Authentication. From there, you can follow the prompts to set up your trusted phone number and devices.
How it works: When you need to access an account protected by 2FA, Apple will send a code to one of your trusted devices. If you don’t have a second Apple device, Apple will send you a code via SMS, or you can get one from the Settings app on your iPhone or System Preferences on your Mac.
How secure it is: It depends on how many Apple devices you own. If you own more than one Apple device, it’s very secure. Apple will send a code to one of your other devices whenever you or someone else tries to log into your account or one of Apple’s services on a new device. It even tells you the location of the request, so if you don’t recognize it you can instantly reject it, before the code even appears.
If you only have one device, you’ll have to use SMS or Apple’s built-in authenticator, neither of which is all that secure, especially since both are likely to happen on the same device. Also, Apple has a weird snafu that sends the 2FA access code to the same device when you manage your account using a browser, which also defeats the purpose of 2FA.
How convenient it is: If you’re using an iPhone and have an iPad or Mac nearby, the process takes seconds, but if you don’t have an Apple device within reach or are away from your keyboard, it can be tedious.
Just about any account you own on the internet is prone to being hacked. After numerous widespread breaches through the past few years, tech companies have been working together to develop a standard that would make passwords a thing of the past, replacing them with more secure methods like biometric or PIN-based logins that do not require transferring data over the internet.
But while those standards are still being adopted, the next best way to secure your accounts is two-factor authentication, or 2FA. This is a process in which a web service reaches the account owner (you) through a second channel in order to verify a login attempt. Typically, this involves a phone number and / or email address. This is how it works: when you log in to a service, you use your mobile phone to verify your identity by either clicking on a texted / emailed link or typing in a number sent by an authenticator app.
What are authenticator apps?
Authenticator apps are considered more secure than texting. They also offer flexibility when you are traveling to a place without cellular service. Popular options include Authy, Google Authenticator, Microsoft Authenticator, or Hennge OTP (iOS only). These apps mostly follow the same procedure when adding a new account: you scan a QR code associated with your account, and it is saved in the app. The next time you log in to your service or app, it will ask for a numerical code; just open up the authenticator app to find the randomly generated code required to get past security.
While 2FA — via text, email, or an authenticator app — does not completely cloak you from potential hackers, it is an important step in preventing your account from being accessed by unauthorized users. Here’s how to enable 2FA on your accounts across the web.
Two-factor authentication is currently offered to Apple users on iOS 9 and later or OS X El Capitan and later.
The steps are slightly different depending on how updated your iOS software is. For those using iOS 10.3 or later, you can enable 2FA on your Apple ID by going to Settings > [Your Name] > Password & Security. Turn on 2FA to receive a text message with a code each time you log in.
For those using iOS 10.2 or earlier, the settings are under iCloud > Apple ID > Password & Security.
Again, steps are slightly different depending on your version of macOS. If you’re using Catalina, click the Apple icon on the upper-left corner of your screen, then click System Preferences > Apple ID. Click on Password & Security under your name, and then select “Turn On Two-Factor Authentication.”
For Mojave and earlier, after you click the Apple icon, click System Preferences > iCloud > Account Details. (You can shorten this step a bit by typing in “iCloud” using Spotlight.) Click on Security, and you’ll see the option to turn 2FA on.
The remainder of the steps, from either iOS or Mac, are the same. You can opt for Apple to send you a six-digit verification code by text message or a phone call. You can also set up a physical security key here.
Instagram
Instagram added 2FA to its mobile app in 2017, but now you can also activate it through the web.
To activate 2FA on your mobile app, head over to your profile and click the hamburger menu on the upper-right corner. Look for “Settings” > “Security,” where you’ll find a menu item for Two-Factor Authentication.
Here, you can choose between text message-based verification or a code sent to your authentication app.
To turn on 2FA using the web, log in and head to your profile. Next to your profile name and the Edit Profile button, there is a gear icon. Clicking this will pop open a settings menu, where you can find the same Privacy and Security section as on the app. From here, you can turn on 2FA and, just as in the app, choose your method for verification.
Facebook
The way to access Facebook’s 2FA settings is a bit different on the app and the web (and Facebook tends to update both layouts often).
You can access your privacy settings on the mobile app on both iOS and Android by clicking the hamburger icon on the upper-right corner and scrolling down to the bottom to find the “Settings & Privacy” menu. Tap “Settings” > “Security and Login” and scroll down to “Use two-factor authentication.”
Like Instagram (they are part of the same company, after all), you can opt for a text message or an authentication app.
On the web, click the down arrow in the upper-right corner, and select “Settings & Privacy” > “Privacy Shortcuts.” Look for the “Account Security” heading and click on “Use two-factor authentication.”
Additionally, for apps that don’t support 2FA when logging in with a Facebook account (such as Xbox and Spotify), you can generate a unique password specifically associated with that account. From the original down arrow, select “Settings & Privacy” > “Settings” and then, from the menu on the left, “Security & Login” > “App passwords” (under the “Two-Factor Authorization” subhead). After resubmitting your Facebook password, you’ll be able to name the app, click generate, and save that password for the next time you have to log in.
Twitter
On the Twitter mobile app, tap the three-line “hamburger” icon at the top left of the screen and find the “Settings and privacy” selection. Go to “Account” > “Security.” Click on “Two-factor authentication” and follow the directions.
On the web, click on “More” in the left-hand menu and find “Settings and privacy.” Click on “Security and account access.” Select “Security” > “Two-factor authorization.”
Once you’re all set up, Twitter will either ask for verification through an authentication app or text a code to your phone number when you want to log in. Twitter has also added security key support.
As with other services mentioned above, you can generate a backup code to use when you’re traveling and will be without internet or cell service. You may also see an option to create a temporary app password that you can use to log in from other devices. This can be used to log in to third-party apps if you have them linked to your Twitter account. Note that the temporary password expires one hour after being generated.
Amazon
Go to the Amazon homepage and log in. Hover over “Accounts & Lists” and click on “Account.” A box labeled “Login & security” will be at the top of the page; click on that and then click the Edit button on “Two-Step Verification (2SV) Settings.” (You may be asked to reenter your password first.)
Click Get Started, and Amazon will walk you through the process of registering your phone number, or you can opt to use your preferred authenticator app by syncing it through a QR code.
You can activate 2FA on both the Android and iOS Amazon app by tapping the hamburger menu on the left side and finding “Your Account” > “Login & security.” The same “Two-Step Verification (2SV) Settings” selection should be available for you to edit and toggle on 2FA.
Once your phone number or authenticator app has been verified, you can select trusted devices to bypass 2FA or generate a code to log in via a mobile app.
Google
The easiest way to turn 2FA on across your Google accounts (i.e., Gmail, YouTube, or Google Maps) is by heading over to the main 2FA landing page and clicking “Get Started.” You’ll be asked to log in and then select your mobile device from a list. (If you have an iPhone, you may have to download a separate app.) Google will try to send a message to that phone; if it succeeds, you will be asked to enter a phone number, and you can then choose whether you want to receive verification codes by text message or phone call. Again, Google will try out your chosen method.
After that, Google will first send prompts that allow you to simply click “Yes” or “No” when a login attempt occurs. If that doesn’t work, it will send the text message or phone call.
You can also generate backup codes for offline access. Google generates 10 at a time, and they’re designed to be single-use, so once you’ve successfully used one, cross it out (assuming you’ve printed them out), as it will no longer work.
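To show why a used backup code stops working, here is an added Python example (not code from the original article, and not how Google or any other named service implements it) of the mechanics a service needs behind a batch of single-use recovery codes: codes are drawn from a secure random source, only salted hashes are kept, and a code is deleted from the set the moment it is redeemed. The batch size and eight-digit format are assumptions for the example.

```python
import hashlib
import secrets


class BackupCodes:
    """Hypothetical store of single-use recovery codes for one account.

    Only salted SHA-256 hashes are kept, so a leaked database does not reveal
    the codes themselves; the plaintext batch is handed to the user once at
    issue time, which is the moment to print it or save it in a password manager.
    """

    DIGITS = "0123456789"

    def __init__(self) -> None:
        self._salt = secrets.token_bytes(16)
        self._hashes = set()

    def _hash(self, code: str) -> bytes:
        return hashlib.sha256(self._salt + code.encode()).digest()

    def issue(self, count: int = 10, length: int = 8) -> list:
        """Replace any existing batch with `count` fresh codes and return them in plaintext."""
        self._hashes.clear()
        codes = []
        while len(codes) < count:
            code = "".join(secrets.choice(self.DIGITS) for _ in range(length))
            digest = self._hash(code)
            if digest in self._hashes:   # extremely unlikely duplicate; draw again
                continue
            self._hashes.add(digest)
            codes.append(code)
        return codes

    def remaining(self) -> int:
        """Number of codes still unused; a good value to surface to the account owner."""
        return len(self._hashes)

    def redeem(self, submitted: str) -> bool:
        """Accept a code exactly once: a successful match removes it from the set."""
        digest = self._hash(submitted.strip().replace(" ", ""))
        if digest not in self._hashes:
            return False
        self._hashes.remove(digest)
        return True


if __name__ == "__main__":
    store = BackupCodes()
    batch = store.issue()
    print("give these to the user once:", batch)
    print("first use:", store.redeem(batch[0]))   # True
    print("reuse:", store.redeem(batch[0]))       # False, already consumed
    print("left:", store.remaining())
```

Crossing a used code off a printed list mirrors what the service does on its side; the leftover count is also a useful signal, since codes disappearing that you did not use are a sign someone else has your list.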
Snapchat
From the app’s main camera screen, tap your profile icon and find the gear icon to access your settings. Select “Two-Factor Authentication” and choose whether to receive a text message verification or hook it up to your authenticator app.
Once 2FA has been enabled on your Snapchat account, you can add trusted devices or request a recovery code for when you’re planning to be somewhere without cellular service. Snapchat does not seem to currently support security key logins.
Slack
To enable 2FA, you’ll first need to find the Account Settings page. There are two ways to access this:
Click on your username on the upper-right corner of the Slack app to open a drop-down menu and select “View profile.” Your account information will now display on the right side of the chat window. Under your avatar and next to the “Edit Profile” button, click the three-dot icon for additional actions, and find “Account settings.” You can also head straight to my.slack.com/account/settings.
You should immediately see the selection for “Two-Factor Authentication.”
If you do not see the option for 2FA, check whether your Slack account is for work. Some employers may use single sign-on services that bypass the need for 2FA, which eliminates this from Slack’s Account Settings page.
If this is a personal Slack, however, then click “Expand” on “Two-Factor Authentication” to verify your information by an SMS or authenticator app. If you have multiple email addresses, you may need to select a default one before you can decide on your preferred 2FA method.
Microsoft
Log in to your Microsoft account and find the “Security settings” menu (there are several ways to get there). Look for the “Two-step verification” section and click on the setup link. You’ll be walked through the steps needed to use either the Microsoft Authenticator app or a different authentication app. You’ll also be able to create passwords for apps that don’t accept 2FA.
Dropbox
From your Dropbox homepage on the web, click your profile avatar and find Settings; then go to the Security tab. Find Two-Step Verification; it will tell you the status of your 2FA. Toggle to turn the feature on and choose to receive 2FA through a text or your authenticator app.
WhatsApp
Open up WhatsApp, and find the Settings menu under the upper-right hamburger icon. Look under “Account” > “Two-step verification” > “Enable.” The app will ask you to enter a six-digit PIN to use as verification and optionally add an email address in case you forget your PIN.
Having an associated email with your WhatsApp account is important since the service won’t let you reverify yourself if you’ve used WhatsApp within the last seven days and have forgotten your PIN. So if you can’t wait a week to reverify for whatever reason, it’s helpful to have entered an email address so you can log yourself in or disable 2FA. In the same vein: be cautious of emails encouraging you to turn off 2FA if you didn’t request it yourself.
PayPal
On the main Summary page, click the gear icon and find the Security tab. Look for the section called “2-step verification” and click on the Set Up link. You’ll get a choice to have a code texted to you or use an authenticator app. (PayPal also offers to find you an authenticator app if you want one.)
If you lose your phone, change numbers, or decide to revoke authorization rights, come back to this menu to make adjustments.
Note that the interface is different if you use PayPal as a business account. From the main Summary page, click the gear icon to be taken to the Settings page. Under Login and Security, look for the Security Key option to add your phone number or a security key as your 2FA method.
Nest
Smart home products like Nest are not exempt from getting hacked — in fact, Nest now strongly encourages its users to enroll in 2FA. For Nest, make sure your app is up to date on all of your devices. Then, on the home screen, go to Settings > Account > Manage account > Account security, and select two-step verification. Toggle the switch to on. A series of prompts will ask for your password, phone number, and the verification code that will be sent to your phone.
Keep in mind that all of your devices will be automatically signed out, so you’ll have to sign in again using the two-step verification.
If your family members don’t all have their own logins and have been using yours, it’s a good idea to set them up with separate logins using Family Accounts. Otherwise, when they try to log on using two-step verification, the necessary code will be sent to your phone, not theirs.
Ring
Like with Nest, make sure your Ring app is up to date. Swipe over from the left, then go to “Account” > “Two-Factor Authentication” (you’ll find it under “Enhanced Security”). Tap the big “Turn on two-factor” button. A series of prompts will ask for your password, phone number, and the verification code that will be sent to your phone.
From then on, you’ll need both your password and an SMS verification code whenever you want to log in to Ring from a new device.
Signal
Rather than traditional 2FA, Signal uses a PIN. Click your profile icon on the upper-left side and find “Privacy.” Look for “Registration Lock” to require your PIN (which you were asked for when you originally registered) to be entered each time you re-register your phone number. Signal requires your PIN to be at least four digits long and at most 20.
When you first enable Registration Lock, Signal will ask you to type in your PIN six and 12 hours after it is enabled. The company says this is designed to help you remember it through repetition. So after the first day, it will ask you to enter it the next day, then in three days, and finally one last time after a full week.
If you happen to forget your PIN and can’t log in to Signal, you will have to wait seven days of inactivity for your registration lock to expire, after which you can log in to your app again to set up a new PIN. Those who are already actively using Signal won’t have to worry about the Registration Lock resetting, as that clock only starts when the app isn’t open.
Did we miss your favorite apps?
For services not listed on this guide, check out TwoFactorAuth.org to find the app or service in question. This helpful site links to every official guide for companies that support 2FA, and gives you the option to message the company on Twitter, Facebook, or email to add 2FA if it currently does not have it.
On a final note: while adding 2FA is great for an extra layer of security on all your accounts, remember that you should be changing and updating your passwords regularly even with 2FA enabled, just to stay in tip-top shape. If that’s not your style, you can also use a password manager to automatically take care of it for you.
Update January 7th, 2021: This article was originally published on June 19th, 2017, and has been checked and updated several times so that the instructions for adding 2FA to these apps remain current. This is the latest update.