Before someone hijacks your Facebook or Gmail, here’s what you need to turn on

Patrick Norton

Think about it: If somebody wants to really wreck your life, all they need is access to your personal email account. Because all too often, a single email address can grant access to your bank account, all the shopping sites you keep your credit card stored on, not to even mention all your personal private emails.

Worse yet, imagine if your ex or somebody that just flat out hated you had access to your Facebook. Not only would they see all your private messages, but they could pretend to be the worst possible version of you they could imagine. I shudder to think of the fad a few years ago of teenagers sharing their passwords to “prove” their love.

There’s a solution. Facebook calls it Login Approvals, Twitter calls it Login Verification, Amazon and Google prefer the phrase Two ­Step Verification, and security geeks call it Two Factor or Multi­Factor Authentication. Whatever you call it, it means there’s an extra step beyond typing in your password that’s necessary to access your account.

If you’ve used a debit card, it’s something you’re already used to. First you put the card in the ATM, then you enter in your PIN. Most online services prefer sending you a fresh code via text message every time you log in somewhere new, rather than having you use the same code over and over.

If that doesn’t sound like much, remember: If you’ve got your phone, they can’t log into your account, even if they have access to your computer. That might buy you the time to get online and change your passwords, so they can’t even access your accounts on that PC.

Two-step authentication isn’t perfect. If the online service gets hacked, they might find away around it. If somebody has access to your phone and your password and you blast all your SMS messages to your lock screen, they’ll get in. But if you’re concerned about somebody hacking into your accounts, whether it’s a family member or an online thief, it’ll make things that much harder for them.


It’ll also make things that much harder for you. Leave your phone behind and you’ll be jumping through hoops: Twitter and Google, for example, give you the option of generating backup codes in case you lose your phone.

Ready to try it?

In Facebook, click on the triangle in the upper right-hand corner, then click on “security” on the left side of the page, and click on “login approvals.” Check the box that says “require a security code to access my account from unknown browsers” and enter your phone number. For Google, go to, click on “sign ­in & security,” scroll down to “password & sign ­in method,” and click on two-step verification. This will launch a new window. You’ll have to click on “start setup” to get things rolling… then you can enter your number and choose to receive your codes via text message or voice calls.

Google will send you a code to verify that the number works, then you can choose to “trust this computer,” which means you won’t need a code every time you log in. Finally, you can turn on two-step verification. I suggest you try it for one service, whichever service you’re the most concerned about, then see if you’re ready to roll it out across all the services you use online. That’s what I did.

Paranoid? Maybe, but I’d rather not be staring at somebody using my Facebook page while I think, “Maybe I should have turned on the whole two step thing…”