Multi-factor authentication for busy people

Multi-factor authentication (aka “two-factor,” or “two-step,” or 2FA) is a really great way to protect yourself (and anyone you’ve ever emailed). There are excellent and detailed guides out there, but the sheer amount of information about how to do things properly can be daunting for someone who has other important things to get done. I’m not saying don’t read all the nuanced details about security, just don’t put off setting it up right now if it seems too complicated.

If you do nothing else to protect your privacy, do this. (If you do two things, start using a password manager.)

You should set up multi-factor authentication on every account that offers it, but because every one of those accounts has a “password reset email” feature, securing your email account is extra important. If you use Gmail, it’s really easy, and you should literally stop and do this right now if you haven’t already. (I use FastMail as my email service provider, and they also support multi-factor authentication.)

Enable it!
  1. Go to myaccount.google.com and click “Sign-in & security”
  2. Scroll to the box that includes the “2-Step Verification” button and click on it
  3. Follow the steps to confirm your phone number (gotcha: it’s easy to confuse the “from” phone number with the code you need to type in)
  4. Click the “Turn on” link to activate the telephone-based confirmation step
  5. Print the backup security codes and stash them somewhere safe (in case future-you loses a phone)
Turn On 2-step verification

What happens next? From now on you will need your phone to sign in with your Google account. This can be inconvenient, but it will make your account much harder to hack.

Do you use an email client like Mail.app? Did that email client stop working suddenly? You may need to configure your mail client to use App Passwords. If you changed the mail client to use the App Password and it still doesn’t work, try deleting the account and setting it up from scratch. I know all of this feels like a big hassle right now, but it’s mostly something you can set up and forget about.

Extra-credit (do this later if you don’t have time right now)

There is a known attack on SMS- or phone-call-based multi-factor authentication where an adversary tricks your cell phone provider into assigning your phone number to a different phone (this falls into the category of hacking called social engineering). This tactic has been used on high-profile activists, so you should consider taking one additional step to improve your security.

Set up an Authenticator app
  1. Install the Google Authenticator app or Authy
  2. Go back to that 2-Step Verification page and scroll down to the “Set up alternative second step” section
  3. Click on the “Setup” link for Authenticator App
  4. Open the app you just installed on your phone and take a photo of the QR code
  5. Your phone will show a code and a countdown timer; type that code into the web form
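
For the curious, here is an added illustration (not part of the original post, and not Google's or any app's own code) of what the authenticator app is doing in step 5: each code is derived from a secret shared with Google when you scan the QR code, plus the current 30-second time slot, which is why an attacker who hijacks your phone number gains nothing from it. The implementation follows RFC 4226/6238 from scratch and is checked against those RFCs' published test key; the one-slot tolerance in `verify()` is an assumption, as real services pick their own.

```python
import base64
import hashlib
import hmac
import struct

# Test key from RFC 4226 / RFC 6238 (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # low nibble of the last byte picks a 4-byte window
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)  # keep leading zeros


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the counter is the number of 30-second slots since the Unix epoch."""
    return hotp(secret, at_time // step, digits)


def seconds_remaining(at_time: int, step: int = 30) -> int:
    """What the app's countdown timer shows: seconds left in the current slot."""
    return step - at_time % step


def secret_from_base32(encoded: str) -> bytes:
    """The QR code carries an otpauth:// URI whose secret is Base32, often shown in groups."""
    cleaned = encoded.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def verify(secret: bytes, submitted: str, at_time: int,
           step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check (assumed policy): accept the current slot plus `window`
    slots either side so a slightly drifted phone clock still works; compare in
    constant time so timing does not leak how many digits matched."""
    current = at_time // step
    for counter in range(current - window, current + window + 1):
        if counter < 0:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return True
    return False


if __name__ == "__main__":
    import time
    now = int(time.time())
    print(totp(RFC_SECRET, now), "valid for", seconds_remaining(now), "more seconds")
```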

Well done, you did it! Or maybe you got stuck? Please get in touch and let me know what gave you trouble. And then get back to all of your amazing work.