how to use two-factor authentication?

Two factor authentication is indeed a way to add significant security to your online accounts that offer the option. Once enabled for a given account, the second factor comes into play during the login process. Once you enter your typical username and password, you will then be prompted for another factor that equates to something that only you will physically have possession of. Three common 2nd factors in use today are: 1) a one-time number that is sent to your phone via SMS or iMessage, 2) a one-time number that is generated by an application such as Google Authenticator, or 3) a physical usb "key" that provides a token to your computer.

Additional information is available from a trusted source: https://securingthehuman.sans.org/newsletters/ouch/issues/OUCH-201509_en.pdf

Different services that offers 2FA do so in different ways. Apple has their own way, Google, Microsoft, Amazon, and many others use a standards-based application like Google Authenticator, and other sites only offer the less secure SMS messages. The best way to get started is by visiting a major service like a Google account, and then search their help for "two factor". Then read the documentation for that particular service until you understand how it works well. Then follow the instructions carefully to enable it.

If you have good attention to detail and rarely if ever have lost your phone, then 2FA will greatly enhance your security and should be used on every account that offers it. If you have a hard time keeping track of passwords (such as 2FA recovery passwords), or don't have a good track record with lost or stolen phones, then 2FA may not be for you as it may threaten you own access to your accounts.

Good luck.

dinhr ~ I have the same concerns as you and haven't yet enabled two-factor authentication. These two articles may be of interest to you:

Doing the two-step: Switching to Apple’s two-factor authentication

More on Apple’s two-factor authentication: Apple Watch, app passwords, more

õ¿õ¬

Your concerns and caution are a good thing. You should be taking 2FA slowly and only when you are comfortable with it on a given service.

I'm glad that you seem to be successfully using Apple's 2FA implementation. It's makes your account far more secure than without it.

As far as Google accounts, here is a bunch of information about how it works:

https://support.google.com/accounts/topic/7189195?hl=en&ref_topic=3382253

In it's simplest form, you will install the Google Authenticator app on your iPhone. Then, during the process of enabling 2FA, you will be walked through adding your Google account to the Google Authenticator app. Once added, your Google account will be listed in that app along with a 2FA code that is listed for 1 minute before a new code is generated and the cycle repeats. Once 2FA is enabled on your Google account, you will login to Google from a browser like you always have, but will then be prompted for a 2FA code. You will then open the Authenticator app on your iPhone, read the current code for your Google account, and then type it into the browser to complete the login. You can also choose to "trust" the computer for a while so you don't need to do that every time.

During the process of enabling 2FA for Google accounts, you will also be prompted to create several special application specific passwords to use when setting up your Google accounts in email clients like the Mail app on your phone. You will substitute the application specific password for you actual password in the Mail app settings on your iPhone. The benefit of these special application specific passwords is that if you ever lose your iPhone, you can log into your Google account using a web browser, and then cancel the application specific password that is used on your phone.

Yes, it is confusing. But if you read through their information you may eventually feel confident enough to enable it. You will then find that it's not as cumbersome as you think, yet is adding significant security to your Google account or any other account. Lastly, once you have used the Google Authenticator app for one service, you will find that many other services allow the same app for their 2FA implementations. I currently have over a dozen services in my Google Authenticator and it works the same for all of the services -- login normally using a username and password, and then get prompted for a 2FA code before the login can be completed.

2FA is about adding a second factor. In most cases (including Apple 2FA) your username/password is considered the first factor and is something you "know". Your device is the second factor and is something you "have". If someone gets a hold of your device, they still cannot login because they don't "know" your password.

In some cases, for convenience, you can choose to have a service "remember" your device, or your password. This makes things slightly less secure. However, in all of these cases you can log into the service at any time and "untrust" or "remove" a device from the list to immediately revoke this.

You are forgetting one important thing. If you have a passcode set on your iPhone then nobody has access to your device even if it is lost (everyone should have at least a 6-digit passcode set). Not being able to gain access to your iPhone is indeed important.

No matter how you think about it though, using a passcode on your iPhone, and then having 2FA enabled is always better than someone being able to gain access to your accounts from anywhere on the globe through a password alone. 2FA is simply an additional security layer that enhances your security.