What is two-step authentication?

There’s been a big red exclamation point at the top of my WordPress dashboard over the last couple of weeks. This is the type of thing I usually ignore, but starting around week two curiosity got the better of me. I clicked on the notification and it asked me if I wanted to “Activate Two Step Authentication.” Two-step authentication, eh? What’s that?

WordPress activate two step authentication

First off, you should know that two-step authentication, two-factor verification or any similarly worded variation on the theme all refer to the same thing. It is often explained in terms of something you know and something you have. Think about it like this: When you take money out of the ATM you use your debit card (something you have), and enter your PIN number (something you know). If someone were to obtain just your PIN, they wouldn’t be able to do much about it without your debit card.

So in short, two-step authentication helps protect your accounts from unauthorized access if someone manages to obtain your password. An additional layer of security (or a second step, if you will), requires a verification code to be entered along with your username and password, which is accessible only via something you have on you, like your mobile phone.

There isn’t much of a downside, except that two-step authentication can sometimes be a bit of a pain to activate. To set it up on my WordPress account, for instance, I needed to provide my mobile phone number, download the Google Authenticator app to my iPhone, scan a barcode on my computer screen to get a verification code, enter said verification code on WordPress, generate a list of ten backup codes in case my phone is lost or stolen, print the list of backup codes, and voilà, I was two-step authenticated. Now if someone manages to get my WordPress password, they’ll also need to enter the authentication code, which only I can access via Google Authenticator on my phone or through my list of backup codes.

The problem is — that’s kind of a lot of up-front work. And while it’s a relatively simple process, I feel like it still lacks some clarity. For instance, you don’t have to go through the whole two-step authentication process every time you want to log into a site or an app. Instead, you can usually change the settings to deem a particular machine or device to be recognized, so only need to authenticate your account once.

WordPress two step authentication activated

Many services, however, will require you to re-authenticate yourself every 30 days, no matter where you sign in. For some people (myself included) that’s enough to make the whole process seem like it’s more trouble than it’s worth.

On the other hand, I really don’t want to wake up one day to find that a fraudulent Alex Colon has hijacked my WordPress account. And between WordPress, Google(s goog) and Evernote, it seems like an awful lot of the services I use lately feel like just one password isn’t enough.

So while I don’t appreciate the added step, I do like the added sense of security. I’m going to activate two-step authentication on all of my accounts that support it and give it a shot. Now I just need to make sure I never lose my phone.

Disclosure: Automattic, maker of WordPress, is backed by True Ventures, a venture capital firm that is an investor in the parent company of GigaOM/paidContent. Om Malik, founder of GigaOM, is also a venture partner at True.