
Security update: AOL learns to two-step, and why your ISP may not

Rob Pegoraro
Special for USA TODAY
Two-factor authentication can help keep you more secure.

Q: My AOL account got hacked. I'd turn on two-step verification, but it's not an option. Will it be ever?

A: Yes, it will. The company has been working on a version of this security option and says it plans to bring it to customers very soon.

Two-step verification is not always the most intuitive concept, but here's what it does for you: It means you can stop feeling so guilty for using a password that doesn't exceed 12 characters and fails to include upper- and lower-case letters, a number, a space and at least two emoji characters.

It works by confirming your logins — often only those from a new location or a new device, but some implementations verify every sign-on attempt — with a one-time numeric code sent to a device you should always have with you, your phone.

That code can be delivered in a text message, or an app like Google's Authenticator can compute it for you even if your phone doesn't have a signal. It's unclear which approach AOL will take, or how often users of its service will be asked to confirm their logins with these codes.
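An added illustration, not part of the original column: authenticator apps work without a signal because the phone and the service share a secret at setup and each derives the code from that secret plus the current time (the TOTP scheme of RFC 6238, built on RFC 4226). The sketch below assumes 6-digit codes, a 30-second step and HMAC-SHA1; the `verify` function, its drift window and its replay check are illustrative names and choices, and the secret is the RFC test key.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30      # seconds each code stays valid (RFC 6238 default)
DIGITS = 6     # code length assumed for this example


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    """What the phone app does: no network, only the secret and the clock."""
    return hotp(secret, unix_time // STEP)


def verify(secret: bytes, submitted: str, unix_time: int,
           drift_steps: int = 1, last_used_counter: int = -1):
    """What the service does at login. Returns the matched counter or None.

    Accepts codes from +/- drift_steps time windows to tolerate clock skew,
    and skips any counter at or below last_used_counter so that a code
    already used for a login cannot be replayed.
    """
    now = unix_time // STEP
    for counter in range(now - drift_steps, now + drift_steps + 1):
        if counter <= last_used_counter:
            continue
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return counter
    return None


if __name__ == "__main__":
    # Constructed demo secret (the RFC 6238 test key), not a real account key.
    secret = b"12345678901234567890"
    print("setup key shown to the app:", base64.b32encode(secret).decode())
    code = totp(secret, 59)
    print("code at t=59:", code)
    print("accepted:", verify(secret, code, 59) is not None)
```

The service stores the returned counter after a successful login and passes it back as `last_used_counter` on the next attempt.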

AOL may seem a latecomer to this concept, not least since it's had to deal with repeated attacks on its users. Google introduced two-step verification in 2011 and has rolled out several upgrades since; for instance, last week it added an option to verify a sign-in with a special USB security key.

But way back in the 1990s, AOL offered an early, crude form of two-step verification: You could pay an extra fee for a "SecurID" token that, like Authenticator, computed real-time codes for you to enter at each login. Few users tried it — the only one I knew was a mishap-prone father whose daughter worked at AOL and signed him up for it after he'd been hacked too many times — and the company scrapped it in 2009.

Even as two-step verification has become widespread among Web services, most Internet providers have yet to deploy it. Comcast and Verizon would only say they're considering it.

Cable Internet providers have an extra issue: The same username and password that unlock your e-mail also grant access to Cable WiFi connectivity away from home and viewing privileges at video sites that only accept existing TV subscribers.

But even ISPs that don't double as TV providers can find two-step verification tricky to deploy if many of their customers use traditional mail clients instead of Web-mail sites. Programs like OS X's Mail can't accept one-time codes and instead require a separate, custom password for each copy you run, a process that Dane Jasper, CEO of the Santa Rosa, Calif., firm Sonic.Net, said yields "lots of complexity."

• Tip: A directory of sites that do two-step verification

Individual sites are not always good at telling their users if and how they support two-step verification, but patient efforts by Seattle-based coder Josh Davis and many contributors have yielded a comprehensive directory at Two Factor Auth.

This site lists widely used sites in 22 categories, from "Backup and Sync" to "Social" and reports how they offer two-step verification: via a text message, a phone call, a hardware device or in an app. Hint: If you travel overseas much or otherwise find yourself in situations where your phone doesn't have service, app-based verification is much better than text-based verification.

Rob Pegoraro is a tech writer based out of Washington, D.C. To submit a tech question, e-mail Rob at rob@robpegoraro.com. Follow him on Twitter at twitter.com/robpegoraro.
