We’re all familiar with multifactor authentication, even if not everyone immediately realizes it. Break the phrase down: “multi,” more than one; “factor,” necessary component; “authentication,” way of validating identity. Usually, multifactor systems combine “something you have” with “something you know,” or multiples of one or the other. For example:
- Opening your house with a key is single-factor authentication: Something you have (the key).
- Swiping your debit card is two-factor authentication: Something you have (the card) and something you know (the PIN).
- Authorizing suspicious credit card transactions is often three or more factors of authentication: Your name, your credit card number, personal information questions (SSN, zip code, DOB, etc.), and a series of security questions (a large number of somethings you know).
Unfortunately, the biggest skeleton key in your life right now is most likely a single-factor authentication system: Not your bank website password, not your car key, not your Social Security Number, but your email password. Think about it for a moment: What do you use to sign up for accounts? Where would those accounts send password reset emails if you forgot your password? Exactly. If you’re like most people, your email account is the key to your entire life, and we’re talking more than just hijacking your account to send spam or send inappropriate tweets. These days, email access can get you into bank accounts, investment accounts, property deeds, passports, and everything else that could permanently ruin your life.
Now that I’ve scared you, let me help you. For starters, we’re going to assume you use Gmail for your email and thus Google accounts. If not, you’re SOL (especially if you use that company that rhymes with “mayo sell”), and you should think about switching. Sorry, them’s the chops. Now that I can assume you’re in the 21st century, let’s continue. (Not to say that no other email providers are in the 21st century. I acknowledge that they do, in fact, still exist now.)
Taken from Google’s blog post on the matter, the first step is visiting your Account Settings page. From this location, you’ll see a link to “Edit” your “2-step verification” — go ahead and click that.
At this point, Google will walk you through setting up multifactor authentication. You’ll be given the opportunity to generate and print backup codes, a good idea. These backup codes can be used in case you should lose access to your phone in the future (more on that later). You’ll also get to choose what phone (or phones) to use for verification, and be given download links for mobile apps. Take the time to read carefully and set up your account properly, because this is your personal security we’re talking about.
The next time you go to sign in to your Google accounts (Gmail, etc.), you’ll be prompted to enter a six-digit code in addition to your password (the thing you know) — and here’s where the “something you have” aspect comes in. Depending on the settings you picked in Google’s wizard, you’ll either receive a text message or a phone call, or open the authentication app. The device receiving or generating that information is the “something you have,” and the code it gives you (which Google also knows, on the other end) is proof of that fact. If you’re confident that the computer from which you’re logging in is secure, you can also tell Google to remember you for 30 days, which makes the additional layer of security almost invisible to you.
Setting up multifactor authentication is a small step you can take yourself to ensure much greater security down the road. It may seem like a hassle every now and again when you need to enter an additional code to log in to your email, but then again, it would be painful to lose control over huge swaths of your life online, as well.