How and Why to Turn On Two-Step Verification for Your Apple, Google, and Yahoo Accounts

David Pogue
Yahoo Tech

View photos

(Thinkstock)

Underlying all the articles about Internet security (and naked movie-star pictures), you can hear a single, unspoken theme:

“… and if you’re not careful, this could happen to YOU!”

Actually, it almost certainly won’t happen to you, because you’re not a hot starlet. Yes, online accounts have been hacked, but they were hacked because their owners were attractive targets.

Still, it makes sense to be safe. But how? There’s something else you read all the time:

“Turn on two-factor authentication!”

That advice makes me crazy, for two reasons. First of all, what normal person has any idea what that is? It’s the most user-hostile, intimidating tech term ever invented. “Two-factor authentication” sounds like made-up movie jargon.

Apple and Google call it “two-step verification,” which is one step in the right direction. I vote for “cellphone confirmation.”

Second, two-factor authentication sounds like a royal pain. Bloomberg describes it this way: “After a password is entered, an additional code will be sent to a person’s mobile phone.”

Ugh. Who’d want to have to enter two passwords at every login?

And what happens if you don’t have your phone with you? Or don’t own a cellphone at all?

Just goes to show you how much misinformation and confusion surrounds two-factor authentication.

As it turns out, two-factor or two-step authentication provides a lot of protection against your account getting hacked. No, it wouldn’t have helped Jennifer Lawrence. But it can stop a lot of other hackers from getting into your account, even if they manage to get your password.

How it works
Suppose you fire up a new laptop. The first time you try to log into your existing Gmail account, Yahoo account, or iCloud account, the website sends a text message to your cellphone, containing a code like “02394.” You’re not allowed to access your account from the new laptop without your password and that code. And each code you get sent is only valid for a few minutes at a time.

If you have both your password and this short-term code, the service is twice as sure you are legit, because you know your password, and you have your personal phone (which you have previously registered to your account).

That’s the first beauty of it: A hacker’s computer looks just like a new laptop to the service you’re logging in to. It’s a machine the service (like Google) has never seen before. So unless the hacker also has your cellphone, he won’t get into your account. He’s shut down.

The second beauty of it: You won’t have to mess with the cellphone code again, at least on that new laptop. It’s a one-time thing. In fact, you’ll probably be surprised at how rarely you ever encounter the cellphone code.

Ready? You may as well turn it on right now. It’s a lot of steps, but they’re not difficult — and this is a one-time deal. 

The process is a little different for various services, so let’s start with the big one in the news: Apple’s iCloud.

Turn on two-factor authentication for iCloud
Go to iCloud.com and sign in. Click your name in the top-right corner; from the shortcut menu, choose Account Settings. Click your Apple ID (the email address below your photo).

David Pogue's iCloud log-in screen
View photos
David Pogue's iCloud log-in screen

You wind up in a new Web window.

My Apple ID screen for iCloud
View photos
My Apple ID screen for iCloud

Click Manage your Apple ID. Sign in again.

On the My Apple ID page, click Password and Security.

My Apple ID screen for iCloud
View photos
My Apple ID screen for iCloud

Answer your security questions. Click Continue. On the Manage Your Security Settings screen, where it says Two-Step Verification, click Get Started. Read the three screens that explain how this will all work.

Screen explaining two-factor authentication
View photos
Screen explaining two-factor authentication

Finally, click Get Started.

Now it’s time to tell Apple your cellphone number. Click Add a phone number; on the next screen, type in your number. Click Next.

Add a Phone number screen for iCloud
View photos
Add a Phone number screen for iCloud

After a minute or two, your phone gets a text message containing a four-digit code. Type it into the box on your computer screen.

Verify Phone Number screen
View photos
Verify Phone Number screen

Your computer is now a “trusted device” — Apple knows it’s yours.

You can now walk down the list of your iPhones and iPads (if any) in the lower list, verifying each (proving it’s yours). Each time you click Verify, Apple sends another four-digit code to its screen, which you must type into your computer in the waiting boxes.

Once you click Continue, you’re shown a cryptic code like the fake one pictured here. Apple calls it your recovery key; you might call it a “save-my-bacon serial number.”

Window containing a recovery key
View photos
Window containing a recovery key

If you ever lose your phone, you’ll still be able to get into your account using this code. Write it down or print it. Don’t lose it!

Click Print Key if you like, and then click Continue. Now Apple makes you type in the recovery key manually to prove that you’ve got it stored.

On the final screen, Apple explains one more time what’s going to happen:

Enable two-step verification screen
View photos
Enable two-step verification screen

The deed is done. From now on, whenever you’re using a new computer, phone, or tablet to manage your Apple account (or to make a purchase from one of Apple’s online stores), you’ll have to enter your password and a four-digit code that Apple texts to your verified gadget.

You will have no access to your account without two of these three things:

• your password
• your cellphone
• your recovery key

On the other hand, you’ll never need the old security questions or answers. Nobody will ever ask for them again.

For more information, click here.

Click Done!

Take a break, now. When you’re ready to continue locking things down, move on to enabling two-step verification for other key services:

Turn on two-step verification for Google
Start by clicking here.

Click Get Started. On the next screen, click Start setup.

Google two-step verification screen
View photos
Google two-step verification screen

On the next screen, log in to your Google account. On this screen, enter your cellphone number. (Very cool: Google doesn’t require a cellphone; if you choose Voice Call, you can use a regular landline phone, and a robot voice will tell you the code.)

Google Set up your phone screen
View photos
Google Set up your phone screen

Click Send code.

After a moment, Google texts a six-digit code to your cellphone (or calls you to speak it). Enter it into this box:

Google Verify Your Phone screen
View photos
Google Verify Your Phone screen

Click Verify.

The next screen asks if the computer you’re using right now is yours and private from snoopers. If so, click Next. (If not, turn off Trust this computer and then click Next.)

Google Trust This Computer screen
View photos
Google Trust This Computer screen

On the final screen, click Confirm.

Now you have a little problem. In essence, you’ve just disconnected your phone, tablet, and other computers from your Google accounts, as this message now informs you:

Google Reconnect your apps and devices screen
View photos
Google Reconnect your apps and devices screen

Click Reconnect my apps.

Now comes a tedious series of steps that none of these companies ever explain.

Two-step verification works great when you’re accessing a Web page, like Gmail, iCloud, or Yahoo. But when your email app tries to connect to the Internet, well, there’s no Web page involved. There’s no place to type in a cellphone code. How is Google, Apple, or Yahoo supposed to know if you’re really you?

To solve that problem, Google and Yahoo require that you change your email password to one that they provide. They’ll know it’s your email app trying to connect, because they supplied the password.

This password is ridiculously long and complicated—on purpose. These companies are hoping that you won’t write it down, won’t remember it, and won’t re-use it.

Why? Because a huge source of hacks is people like us re-using the same password on multiple online accounts; if the password is ridiculously long, Google and Yahoo doubt you’ll ever re-use them. 

Second, if you’re ever “phished” (a hacker sends you a fake email “from Google” asking you to enter your password “to clear up an account problem”), you won’t remember the password! Presto: You’re protected from yourself.

All right, so now you know the reason behind this new-password-for-email-apps step. (Rumor has it that this situation will get easier with iOS 8.) For now, here’s how to go about it. 

For each Google app you use (YouTube, Gmail, and so on), for each gadget you use to access it, you have to choose an app name from the first pop-up menu, choose your other gadget’s name from the second, and then recoil at the complicated password now presented to you:

Google app password screen
View photos
Google app password screen

You’re supposed to open Settings on your phone or tablet and replace the existing email-account password with this one. As Google points out, this is a one-time thing. You won’t have to remember this password, so there’s no need to record it anywhere.

Repeat for each app on each gadget. Look forward to the sunrise.

When you’ve set up all your apps on all your gadgets, click Done.

From now on, you won’t be able to log in to your Google account from a new gadget without both your password and the code Google sends to your phone.

(And what if your phone has no service? There’s an app for that — an app that can generate the code when the time comes. Click here for details. This page also lets you print or save some emergency codes that you can use when you don’t even have your phone.)

Wasn’t that fun? Let’s keep going.

Turn on two-factor authentication for Yahoo Mail
Click here and log in.

Yahoo Set up your second sign-in verification screen
View photos
Yahoo Set up your second sign-in verification screen

Click Get Started.

You’re asked for your phone number (or, if one is already on file with Yahoo, a box asks you to confirm that’s the one you want to use).

Yahoo Use current or new phone screen
View photos
Yahoo Use current or new phone screen

After a moment, your phone gets a text message from Yahoo bearing a six-digit code. Type it into the box:

Yahoo Verify code screen
View photos
Yahoo Verify code screen

Click OK.

And now, once again, you’ve cut off Yahoo Mail access from your phones, tablets, and computers. A new message lets you know that you’ll need a special password for each email app you use. (Read the Google section, above, to find out why this step is necessary. And by the way, it’s not necessary for Yahoo’s own Mail app—only for programs like Apple Mail and Outlook.)

Click Generate password.

Yahoo Generage app passwords screen
View photos
Yahoo Generage app passwords screen

On this screen, specify how you want to confirm your identity (for the purpose of generating the email password):

Yahoo Security Verification screen
View photos
Yahoo Security Verification screen

Make your selection; now you get another verification code. Type that into the box and click Submit.

On the next screen, type the name of your phone’s email program (like “iPhone mail”) and click Generate password.

Yahoo Generage password screen
View photos
Yahoo Generage password screen

Open your phone’s Mail settings, and, for your Yahoo Mail account, replace the password with the long, complicated one now on your computer screen. (You won’t ever have to type it again.)

Yahoo setup screen showing password
View photos
Yahoo setup screen showing password

Click Done.

If you have other mail apps on other phones or computers, then repeat the last couple of steps.

Your setup is complete. Whenever you try to access Yahoo Mail with a fresh gadget, Yahoo will send you a code to enter as your second verification step.

Other services
Here are the links to turn on two-step verification for Facebook, Twitter, Dropbox, LinkedIn, Evernote, PayPal, Steam, and Microsoft Accounts. The steps are similar to the ones you’ve just read.

Clearly, the bad guys are making life less convenient and less satisfying for the good guys. Take pleasure in knowing that the process you’ve just completed will, at the very least, make life a lot less satisfying for them.

You can email David Pogue here.