How to Turn on Two-factor Authentication for Your Email Accounts

Our email accounts contain a ton of information about ourselves. We sign up for bank accounts, buy things online, and communicate with others using our email addresses. And the only thing keeping the attackers out is the strength of our passwords.

No matter how complex the passwords are, they are not foolproof. The attackers have cracking tools at their disposal and other tricks to get access to our accounts. Two-factor authentication prevents attackers from getting in even when they’ve gotten our passwords.

Two-factor authentication makes the login process a bit more challenging for attackers by adding another layer of security to the normal username and password combination (“what you know”). The second factor could be “something you have,” such as a mobile device, smart card, or a hardware token, or “something you are,” such as fingerprints and other biometric data. Basically, if the attacker tries to log in to your account with your password from an unknown device or browser, the system demands a second verification. Unless the attacker has access to your mobile device or your fingerprints, the attack cannot proceed, and therefore your account remains safe.

Several web-based email services have rolled out two-factor authentication. If your mail provider is one of them, you should turn on the additional security protection immediately. Here is how.

Gmail
If you have a Google account, log in to your account and click on your name in the upper right corner of the screen. In the resulting drop-down menu, click on Account to access the account settings page. Under Security, there is an option for 2-step verification. Click on Edit to start the sign-up process.

The step-by-step setup guides you through associating a mobile number with your account. Essentially, whenever someone logs into your account from an unknown browser or device, Google sends a challenge code to your mobile device via SMS. You need to enter that code on the screen to be able to log in.

Note that if you have an Android device, you can decide to download the Google Authenticator app, which generates the code in the app itself instead of relying on SMS messages.
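How an authenticator app and the server arrive at the same code without any SMS, as an added example that is not part of the original post: both sides hold a shared secret from setup and compute a time-based one-time password (TOTP, RFC 6238, the scheme Google Authenticator implements). The function names are illustrative, and the secret is the published RFC 6238 test value, not a real account secret.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds each code is valid for (RFC 6238 default)
DIGITS = 6   # code length shown by authenticator apps

# Constructed sample: the RFC 6238 SHA-1 test secret, base32-encoded the way
# a setup QR code would carry it. Never reuse a published secret.
SAMPLE_SECRET = base64.b32encode(b"12345678901234567890").decode()


def totp(secret_b32, at=None):
    """Code the app displays at Unix time `at` (default: now)."""
    key = base64.b32decode(secret_b32.upper())
    counter = int(time.time() if at is None else at) // STEP
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret_b32, submitted, at=None, window=1, used=None):
    """Server-side check: tolerate +/- `window` steps of clock drift and
    refuse a code whose time step was already accepted (replay)."""
    now = int(time.time() if at is None else at)
    used = set() if used is None else used
    for drift in range(-window, window + 1):
        t = now + drift * STEP
        if t < 0:
            continue
        if hmac.compare_digest(totp(secret_b32, t), submitted):
            if t // STEP in used:
                return False  # same code presented twice
            used.add(t // STEP)
            return True
    return False


if __name__ == "__main__":
    print("current code:", totp(SAMPLE_SECRET))
```

The `used` set stands in for per-account state a real server would persist, so a code observed once cannot be replayed inside its validity window.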

Yahoo!
If you have a Yahoo! account, log in to your account, click on your name in the upper-right corner, and go to your Account Info page. You may be prompted to enter your password again.
Under Sign-In and Security, look for Set up your second sign-in verification and follow the prompts to enter your mobile phone number. Yahoo! will send a test message to your number via SMS, which you must enter to verify the process worked.


Hotmail/Outlook
If you have a Hotmail/Outlook account, log in to your account, click on your name at the upper right, and click on Account settings. In the menu on the left, click on Security info. Make sure to have your mobile device handy to set up the two-step verification. Once you’re in the Security info section, underneath Two-step Verification, click on Set up two-step verification and follow the instructions.

There you have it. Your accounts are much more secure than they used to be. Perhaps it’s time to protect your Facebook account as well?

30 thoughts on “How to Turn on Two-factor Authentication for Your Email Accounts”

  1. This will definitely help those who are still not very clear about what Two-factor authentication is all about.

  2. Great post, I definitely set up two factor authentication on my emails, after my mother’s was hacked. We had a hell of a time trying to change her bank accounts and such.

    • Unfortunately, not everything can be catered to everyone. Depending on your email provider, some may give you alternative options. You’ll have to dig around to see what alternative options they might have.

      • Today is Nov 15, 2014 and Zone Alarm is still giving this Sept 2013 answer that “Unfortunately, not everything can be catered to everyone.”

        Isn’t it time someone started exploring possibilities other than texts to mobile phones?

  3. It worked fine with Gmail and hotmail. It is useless with Yahoo for me, since I do not receive texts and it has no voice phone call feature like the other two.

  4. How would I handle this scenario: I lose my mobile phone while on holiday, and want to send a message?
    As far as I can see, I now can’t call (as all my numbers are in the phone), and I can’t email either.
    Don’t get me wrong, I like the concept of two factor authentication, but just want to clear up this part.

    • Depending on your email provider, some may give you alternative options. You’ll have to dig around to see what alternative options they might have.

  5. This is fine, but I could see it being a pain if travelling outside my home country (which I do, regularly). First the additional cost of international texting (which will become significant if you are logging into multiple accounts and/or more than once to the same account) and second, the delivery of such texts is not always speedy (think, hours, rather than seconds in some cases). Is there any way to do this without the whole SMS thing?

  6. I like the idea of ddbl authentication but I have to ask myself if I give my cell number out so yahoo or gmail can send me a sms what’s stopping them from targeting me with junk sms and or others they associate with now that they have my number?

  7. This is good advice but not very helpful to those that don’t have a cell phone for those that don’t have one since that seems to be the route in to turn 2nd authentication on. But I don’t use anything but Linux to access my web-mail accounts and financial data.

    • Depending on your email provider, some may give you alternative options. You’ll have to dig around to see what alternative options they might have.

  8. Very helpful blog. I did not know the facility existed, if my email provider did tell me then it must have been in very small print. A useful security extra.

  9. What about AOL? As you can see by my email address I use AOL. I really do not wish to change over to another email server because that means notifying all my contacts. Many of whom won’t pay any attention to the announcement, and then try sending to aol, only to find that we don’t respond. They will probably think we are dead.

    • Unfortunately, we cannot cover all email platforms out there. If you’re using AOL email, you can probably browse around your settings or preferences, that is if AOL offers two-factor authentication.

  10. Pingback: October is National Bullying Prevention Month: Take a Stand Against Bullying | ZoneAlarm Security Blog

  11. Hi – this was very helpful as with many of your newsletters, thanks. I have turned on my two-way verification on my Hotmail account but have had difficulty finding where to do it in my Microsoft Outlook 2007 account. It must be staring me in the face but I cannot see where to do this – can you give me a hint as to which folder/subsection it is in? (Yes, I know IT IS time to update my Outlook). Thanks again for your help.

    • Since Microsoft Outlook (not outlook.com) is a client-based email system, the only way to access your email is through the computer that the application was installed on. Unlike client-based email, Web-based email such as Hotmail, Gmail, and Yahoo mail can be accessed through their respective websites. The ability to access web-based emails by you (or anyone who has the password) anywhere is where two-factor authentication comes into play to prevent unauthorized access.

  12. Thank you for a valuable tip.

    You can log in directly to a CPanel email address without logging into the web site.

    As far as I can see, there is no provision for recovery due to a forgotten password. I could find no such recovery. Is this true?

    • There may be alternative options such as hardware that provides two-factor authentication. We suggest you research on the web to see if any of those devices suit your needs.

  13. I’m not in the mood of giving my mobile phone number to a number of places. And what about the security question solution? Why is it ruled out? And why not use pass sentences instead of pass words? Don’t say that something like “granny moved to florida in 1956” can be broken in minutes.
