To enable, you enter the two-step verification page from the account section. Note that you'll need to confirm your password before you can do any manipulation to the two-step verification settings.
To enable, you simply pick the method of verification you want to use:
- Verification code via app - this will use an app on your phone (such as Google Authenticator or Authy) to generate a 6 digit code. This code changes every 30 seconds.
- Email confirmation - this will send a unique, one-time-use code to the email address associated with your account. This method is not preferred over the app-based verification because if an attacker has access to your account, they may also have access to your email. However, it's certainly better than nothing.
To enable any method, you will need to go through the verification process to ensure that everything works as expected. This prevents you from being locked out by a system you didn't successfully complete once.
You can enable multiple two-step verification methods.
Two-Step Verification: Login
If you have enabled two-step verification.
After verifying your password, if two-step verification is required, you'll be taken to a page such as the one shown above. By default, the highest priority, currently enabled two-step verification method will be triggered. If you wish to use an alternative method, you can choose to do so for this login.
This also gives you the option to trust this device for 30 days. You may be familiar with this approach with other two-step verification systems. If you trust this device, you can log out and log in without being prompted to complete two-step verification for 30 days. This helps to mitigate the annoyance that two-step verification can create.
Once the 30 days are up, you will be prompted to complete the two-step verification again (even if you have chosen to stay logged in).
In the event that you want to stop trusting a device or you need to revoke that trust for other devices, you can do this from the two-step verification setup page in the account system:
Two-Step Verification: Losing Access
A common concern with two-step verification is what happens if you lose access to all of your two-step verification methods. We have attempted to mitigate that as much as possible.
- Backup codes are really generated for this exact situation. If you lose your phone or your email is no longer valid, the backup codes will still work. However, this does require saving them once they're generated. This is something that not all users will do.
- Disabling two-step verification only requires access to the password when you're already logged in. If users choose to trust a device, this very likely means that they will still have access to their account. Once they verify their password, they'll be able to change their two-step verification settings as necessary.
- Administrators will be able to disable Two-Step in an emergency on your account in order for you to set it up again.