Make your cloud safer: How to enable two-factor authentication for the most popular cloud services
Two-factor authentication is no longer optional
The risks of having important cloud credentials compromised is too great to risk protecting them with nothing more than a password.
An attacker who can get access to an important cloud service can commit espionage or sabotage, or he can just wreak havoc.
The solution is to turn on two-factor authentication for every crucial cloud service you use, especially those that are tied to business accounts.
Yes, 2FA increases the hassle factor slightly. But the assurance that your secrets will remain safe even in the event of a password breach is worth a few seconds of extra verification.
This gallery includes steps to help you enable two-factor authentication in six important cloud services. Do it now.
Microsoft account (OneDrive, Outlook.com, and more)
Microsoft accounts are attached to a lot of high-value information, including settings and passwords from Windows 8 accounts, OneDrive file storage, and Outlook.com email.
Given the value of that information, it's crucial that you turn on two-step verification for your Microsoft account.
The controls are here, on an account management page that also includes some other interesting security settings.
You can use an authenticator app to make the process simpler and cut down the need for text messages. Google's Authenticator app for Android or for iOS will work. So will Microsoft's Authenticator app for Windows Phone.
Two-factor authentication (Google calls it 2-step verification) isn't just for Gmail, although that's where most people will run into it.
Instead, setting up extra security applies to every service that requires you to sign in to a Google account. You'll find all your security options at this Google Account Settings page.
When you enable 2-step verification, signing in to your account requires an extra step after you enter your username and password. If your credentials are accepted, you then have to enter a verification code sent to your phone via text or voice call or generated by a mobile app.
This official explainer offers more details.
Google Apps (the paid service) uses the same mechanism as free Google accounts, except that you sign in with an address in your custom domain instead of a free @gmail.com address.
In any event, be sure to set up a recovery address. That option helps you quickly regain control in the event someone is able to bypass security and take over your account.
Office 365 (Enterprise accounts only)
Microsoft has offered multi-factor authentication for Office 365 administrator accounts for years, but the ability to enable this feature for ordinary users is new. (I wrote about the changes back in February, in "Microsoft expands multi-factor authentication for Office 365.")
Alas, what was true then is still true today: This crucial security feature is only available if you've signed up for an Office 365 Enterprise plan. Lowly Office 365 Small Business customers are shut out.
The feature is available from the Office 365 Admin center, as shown above. Note that you must be an administrator to enable two-factor authentication, and it can be enabled on a per-user basis.
If you have a Windows Phone, don't use the Authenticator app that works with Microsoft accounts. Instead, track down the Microsoft Azure Multi-Factor Authentication app, which is available for Windows Phone, Android, and iOS.
Dropbox
Dropbox has suffered its share of embarrassing security mishaps through the years. Roughly two years ago, in one of several security related steps, the insanely popular online file storage system enabled a very robust two-factor authentication system.
With that feature enabled, each time you sign in on a new PC or mobile device, Dropbox will require a code. Wisely, it supports authenticator apps, which can be configured by aiming your mobile device's camera at a barcode like the one shown here.
To jump directly to the setup page for this feature, sign into Dropbox and then click here.
Facebook isn't just for birthday wishes. Lots of businesses use it for communicating with customers and building brand identity. Don't let a compromised account undo that work.
On Facebook's well-hidden Security Settings page, you'll find options to receive notifications each time you (or, worse, someone pretending to be you) logs in to Facebook. But the second option, Login Approvals, is the one to pay attention to.
You need to add your mobile phone number to your Facebook profile before you can turn this option on. (You can hide the number so it's visible only to you, if you prefer.) With that step out of the way, set up security code delivery by having a code sent to your mobile phone. Any future login requests from untrusted machines will trigger a request for you to enter a code received on the same device.
Facebook allows you to use codes generated by its own mobile app. A well-hidden option also supports third-party authenticator apps. From the Security Settings page, open the Code Generator section and then click "Set up another way to get security codes."
Nothing's quite as painful (and occasionally comical) as watching someone else's Twitter account get hacked.
Unless it's yours, that is, and you use the account to promote your business or your brand.
In addition, Twitter is increasingly used as an identity check, so the ripple effects of a hacked account can extend well beyond 140 characters.
Twitter allows two secure options in the Login Verification section: You can have verification codes sent to a mobile phone as SMS messages, or you can install the Twitter app on an iOS or Android device and accept verification requests in those apps.
To turn on either setting, visit the Twitter security settings page.
For more details about Twitter's security settings, see this official explainer.