If you don’t already have two-step authentication enabled on all your accounts, you really need to turn it on for anything sensitive. Here’s how.
If you’re not worried about the security of your accounts, you’re ignoring a serious threat that’s confirmed by a never-ending deluge of security breaches. Two-step authentication is one of the best ways to prevent unauthorized access to your accounts, even if somebody manages to steal your password. Here’s how to do it.
Two-step, or two-factor, authentication protects your accounts by requiring you to provide an additional piece of information after you give your password to get into your account. In the most common implementation, after correctly entering your password, an online service will send you a text message with a unique string of numbers that you’ll need to punch in to get access to your account.
The idea is that you’re drastically more secure if somebody needs both your password and the physical phone to get access to your accounts. Add a passcode to your phone, and you’re safeguarded against someone stealing both.
Is it perfect? No. But it’s way better than just irrationally hoping nobody ever gets a hold of your password.
Below we’ve outlined the steps for locking down the most popular services that offer two-step authentication. Most of the services work basically the same way, but there’s a little nuance to each, which we guide you through below. After each description is a link to each service’s FAQ so you can get more detailed instructions if you want them.
Apple’s two-step verification adds extra security to your Apple ID, and will help prevent people from making purchases in iTunes as well as unauthorized access to your iCloud account. To turn it on, log into My Apple ID, click Passwords and Security, and navigate to Enable two-step verification.
In addition to providing a phone number where you’ll receive texts, Apple will also force you to write down a recovery key that you’ll need in the event that you forget your password. And write it down, because on the next page, you’ll be forced to prove you wrote it down. These codes, sometimes called backup codes, are important so you can access your account when you’ve lost your phone. [Apple]
Log in to your account and click Settings in the top right corner. Under the Security tab click Enable next to the line item that says Two-step verification. From the Security page you can also see which devices and desktop browsers have access to your account already, and revoke access if necessary. [Dropbox]
Log in to your account and click the settings cog. Under the Security Summary tab, click Enable beneath the Two-Step Verification line. Evernote, like Apple, will force you to store registration keys that’ll help you get into your account in the event that you forget your password or don’t have access to your phone. [Evernote]
Log in to your account and navigate to the settings page from the drop-down arrow in the top right corner of the page. Under the Security tab click Edit next to the Login Approvals line. As with Twitter and Microsoft, you can choose to receive SMS verification codes, or use the Facebook mobile app to verify your identity.
Two-step verification on Google will protect you across all of Google’s many services as well as with that use APIs to pull in Google data.
While logged into your Google account, click your avatar in the top right corner of any Google page, and navigate to your Account. At the top of the following page click Security, and then click Enable next to 2-step verification.
Note that because you probably use your Google account with lots of third-party apps like Gchat, you’ll need to create an app-specific password for each of them. So if you want to log in to a new phone, or enable a new calendar application, you’ll need to head back to the security page, click on App passwords, and let the system generate a key for every app you’d like to link. You only get to see these passwords once, so if you need to enter one again for whatever. This is also where you disable apps that you no longer use or trust.
Also, make sure to set up some backup codes. Don’t get locked out of your email just because you left your phone at home.
Additionally, you can use the Google Authenticator app to generate codes for your account as well. That setup is a little more complicated so follow the preceding link to Google’s detailed instructions. [Google]
LastPass offers a number of third-party multi-factor authentication methods. For the sake of simplicity, you should probably use Google Authenticator.
First install the app using the detailed instructions provided by Google.
Then head to LastPass Vault > Account Settings > Multifactor Options. Select Google Authenticator. On the following page, change the Enabled option to Yes. Then under the Barcode row, click View and then scan the barcode in the Authenticator app.
From there, whenever LastPass prompts you to enter a code, simply open the Google Authenticator app and enter the temporary code that refreshes every 30 seconds. [LastPass]
Log in to your Microsoft account, and navigate to the tab for Security & password. Then, click Set up two-step verification and follow the instructions. In addition to an email/text message option, Microsoft will also give you the option of installing the Microsoft Account app on your phone, which will make authentication faster. If you only ever use one phone, this is probably worth doing. [Microsoft]
PayPal’s Security Key works a little differently than the rest in that you’ve got an extra option. After logging into your account, click the settings cog in the top right corner of the page, and under the Security tab, click the Edit button next to the Security key line. Then click the link that says Get security key.
In addition to an option to register your phone for standard text verification, PayPal also offers the option to purchase a physical hardware key that you use to unlock your account. That’s not totally necessary for everyday users, though. [PayPal]
Slack offers several two-step authentication options. For the sake of simplicity, we recommend just Google Authenticator.
First install the app using the detailed instructions provided by Google.
After logging in, go to Your Account, and click Two factor authentication. Use the Google Authenticator app to scan the code on the following page. From there, whenever Slack prompts you to enter a code, simply open the Google Authenticator app and enter the temporary code that refreshes every 30 seconds. [Slack]
Log in to your account, click your avatar in the top right corner and navigate to Settings. Under the Security tab, you’ll be given two options for Login verification. Either you can use the standard text message method, or you can use the Twitter app to verify requests. [Twitter]
Log in to your Yahoo account, and click your username in the top right corner to navigate to your profile information page. Under the Sign-in and Security heading, click Set up your second sign-in verification. As with your Google account, you’ll need to create app-specific passwords for your mail clients, calendars, and other apps that use your Yahoo account. [Yahoo]
Banks, Amazon, etc.
By now you’ve probably recognized the patterns that govern these settings, and there are plenty more services you’ll want to set it up for. (Here’s a comprehensive listing of what offers extra security.) If your bank offers two-step authentication, you should definitely do it. Of course, not all do. And neither do some surprising services like Amazon. But hopefully, they get to it, before some nefarious hackers get to your data.
This post was originally published on October 14th, 2014. It’s updated occasionally as more services wise up and offer better security for their users. If you notice any information that’s out of date or want to suggest a popular service that should be included, contact firstname.lastname@example.org.