How to . . . keep your online accounts safe
From iCloud and Gmail to Snapchat and WhatsApp, do your best to keep intruders out
Two-factor authentication is easy, safe and sensible. Photograph: Bloomberg
While you are setting up your new smartphones and tablets in the post-Christmas lull, it might be worth considering security. More specifically, how you can protect your online accounts from being compromised.
A couple of weeks ago, I had a message from a close relative who wanted to know how to permanently lock someone out of her Snapchat account. The service had sent her an email to let her know someone had tried to gain access to it from the US; not only had they tried, they had succeeded, and she couldn’t enable two-factor authentication to ensure they stayed out.
The account itself was a mess, with hundreds of “friends” added, so it was easier to just shut it all down and start over. But not everybody is quite as calm about losing access to accounts, and it’s not always practical to have to change accounts at short notice.
So with that in mind, here are some tips on how to lock down your online accounts, from email to social media.
But Google also offers you two-factor verification that is easy to enable and straightforward enough to use: you sign in with your password as normal, then a code. You can get that code through a few different means: primarily a text message to your phone number attached to your Google account or a code delivered through a phone call to your registered mobile number. You can also link a smartphone to your account and install the Google app, which authenticates your log-ins and eliminates the need to type in codes.
An additional back-up method is a printable set of codes that you can bring with you while you’re travelling, for example, or use the Google Authenticator app to generate codes.
If you are using a computer, you can set up a USB security key, and simply plug it into the USB port when needed. Use that computer regularly? You can tell your account to remember that, so when you log in from that computer next, you’ll only need your password.
One caveat: there’s a heavy reliance on your phone to authorise your log-ins, so keep it close. However, you can set a back-up phone just in case you lose your primary number.
To enable two-step verification on Google, go to the two-step verification page (myaccount.google.com/security/signinoptions/two-step-verification). You may get a prompt to log in to your account.
Click Get started. You’ll be prompted to choose the method through which you want to receive your verification code (text or phone call). It will then send a code to your phone, which will allow you to turn on two-step verification.
You’ll then be prompted to check your settings and authorised phone numbers, or add some of the back-up options mentioned above.
You can also check which devices have trusted status - ie those you have requested not to ask for an access code after the initial log in - and remove those devices that you no longer use.
Facebook offers a couple of options to protect your account. The simplest is login alerts. Every time you log in from a new location, you will get an alert, so if it’s not you, you can change your password and boot the interloper out asap.
On your browser, go to the little drop-down arrow beside the padlock icon. Go to Settings>Security. Under Setting up extra security, you will see the option to turn on login alerts when someone logs into your account from a new device. You can choose to get Messenger alerts and email alerts, so you won’t miss any messages.
You can also see which devices are logged into your account, again under Settings> Security, giving you a handy way to remove unauthorised or old devices.
But there is also two-factor authentication, which allows you to use several different ways to approve login attempts when you are accessing your account from an unrecognised computer or mobile device. There are a few different options: texting codes over SMS; using security codes through code generator; a third-party security app; login approvals through a recognised device; or printed recovery codes.
To enable two-factor authentication on Twitter, you’ll need to have a confirmed email address and a phone number registered with the service.
To set up login verification through a web browser:
Go to twitter.com and sign in to your account. On the profile icon menu, click Settings>Account>Security and choose to verify login requests. You’ll have to verify your password, and then the site will send you a text message with your first login code. Enter the verification code when prompted and click Submit.
You’ll also be prompted to get a backup code, which you’ll need if you lose access to your phone or change your number. Print the code or write it down somewhere safe to make sure you don’t lose access to your account.
Go to the Me tab, and click the gear icon. Select Settings>Account>Security and enable login verification. Tap confirm. You’ll be prompted to send a code to your phone number, which you will need to verify your number
Tap your profile icon or the menu button, and select Settings>Account>Security. Check the box for login verification and follow the instructions to enrol your number and send the code to your phone.
Another option is to use a third party security app to authenticate your access - that can be Google’s Authenticator or another app of your choice.
Once you’ve enabled two-factor security on iCloud, you’ll have to have access to your nominated mobile number or device, or you’ll be unable to log into your account.
How does it affect the devices on which you use your iCloud sign in? Once you enable two-factor authentication, you’ll have to provide a code to log in to your account on new devices. On your iPhone, iPad or iPod Touch, for example, you’ll be asked for the code once, and that will be it unless you log out, change your password or erase the device.
On new browsers, you can opt not be asked for the code after the initial log in, but that’s not recommended if you share a device, or use a public PC.
To enable two-factor authentication through your iPhone or iPad running iOS 9 or later:
Open Settings>iCloud and select your Apple ID at the top of the screen. Select Password and security. Tap Two-factor authentication to turn it on. You’ll be prompted to set a password
To enable it on your Mac with OS X El Capitan or later:
Go to Apple menu >System Preferences >iCloud >Account Details. Click Security, then turn on Two-Factor Authentication.
The popular messaging app is end-to-end encrypted, which means nobody - not even WhatsApp employees - can gain access to your messages unless they are the intended recipient. That excludes the possibility that somebody will have access to your phone remotely through malware.
WhatsApp has two-factor authentication, which allows you to set a code that it will ask for occasionally to prevent unauthorised access to your account. It will also ask for the code when you are registering your number with WhatsApp again, so nobody can install your WhatsApp account on another phone without your knowledge. Go to Account>Two Step Verification to enable the security feature and choose your code. You can also choose an email address to help you reset the code should you forget it - preferably an address not linked to your smartphone, if you’re being really security conscious.
The one that caused all the problems in my family, SnapChat offers some simple ways to batten down the hatches on security.
Click on the ghost icon to call up your profile, and tap the gear icon in the corner. Scroll down to Login verification. You can choose from text verification, which will send a code to your mobile number, or Authentication app, such as Google’s Authenticator or similar. There’s also the option to generate a recovery code - take it, just in case the worst happens.
Click the account icon, then tap the settings cog. Scroll down to Two Factor Authentication. Enable Require security code. That will send a security code to your phone number on file with Facebook when you log in on a new device.
You’ll need access to that number to enable two-factor, but not to disable it; the app allows you to switch it off without any sort of secondary check.