Q: Some sites with two-step verification ask me for a code every time I log in. Others hardly ever do it. Why the difference?
A: This is a trust issue: Do the people running a site worry that any log-in could be compromised, or do they want that extra layer of defense only for attempts that look unusual? And do they trust themselves to flag suspicious access correctly?
Sites offering two-step verification — where you confirm that it was you who entered the password by either entering a one-time code sent to your phone or vouching for the log-in through a feature in the site's mobile app — don't all agree on how to do this.
Some of the largest adopters of this feature, such as Google, Facebook, Microsoft, Yahoo and Twitter, ask you to verify a log-in through two-step verification only if it looks unusual. That could mean logging in from a new computer or new location, as determined by looking at the numerical Internet Protocol address your computer connects from at the time.
Most of these sites also let you designate some computers as "trusted" and therefore exempt from two-step verification. Please don't use that option unless the computer in question never leaves your house — and is set to have its screen lock automatically when idle.
In other cases, enabling two-step verification means you have to reach for your phone every time you type in a password. At PayPal, for example, I have to type in a code sent in a text message after every log-in — which, in turn, requires me to click a "Send SMS" button instead of having that text sent automatically.
The popular blogging site WordPress.com demands two-step verification on every log-in as well — although it now lets you exempt a computer from that check for 30 days.
In general, I'd prefer that sites not nag their users for a numeric code every single time. If the perceived annoyance factor leads users to stick with password-only security, then we're worse off overall. (Seriously, enable this option for any services you value. It can protect your account even from security holes as huge as Heartbleed.)
But situational two-step verification has risks of its own. If the algorithms watching over log-in attempts think one fits into a user's usual pattern when it actually represents a hacking attempt, then the entire system breaks down. To avoid that, sites will have to develop a deep acquaintance with your activities and whereabouts, much as credit-card issuers have to know your spending habits to flag unusual transactions accurately.
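A worked version of the "only when it looks unusual" decision described above, with the trusted-computer exemption and its expiry, added here as an example; it is not the logic of Google, Facebook, WordPress.com or any other site named in the column. The device identifier, the grouping of addresses into /24 (IPv4) or /48 (IPv6) networks, and the 30-day trust window are assumptions chosen to mirror the text, and the addresses in the scenario are constructed from the TEST-NET documentation ranges.

```python
"""Risk-based ("situational") two-step verification decision.

Hypothetical example logic, not any site's real policy. Every signal the
site has not seen before triggers a challenge; the conservative rule is
what keeps the classifier failure the column warns about (an attacker
who looks like the user) from being waved through.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import ipaddress

TRUST_TTL = timedelta(days=30)   # assumed exemption window for "trusted" computers


@dataclass
class LoginAttempt:
    ip: str
    device_id: str               # identifier the site set on a previous visit (assumed)
    when: datetime


@dataclass
class AccountHistory:
    known_networks: set = field(default_factory=set)    # /24 or /48 prefixes seen before
    known_devices: set = field(default_factory=set)     # device ids seen before
    trusted_devices: dict = field(default_factory=dict)  # device_id -> trust expiry


def network_of(ip: str) -> str:
    """Collapse an address to its /24 (IPv4) or /48 (IPv6) network so a DHCP
    change within the same ISP block does not look like a new location."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def decide(history: AccountHistory, attempt: LoginAttempt) -> str:
    """Return 'allow' (password only) or 'challenge' (send a code / app prompt)."""
    # A device the user explicitly marked trusted skips the check, but only
    # until that trust expires.
    expiry = history.trusted_devices.get(attempt.device_id)
    if expiry is not None and attempt.when < expiry:
        return "allow"
    new_network = network_of(attempt.ip) not in history.known_networks
    new_device = attempt.device_id not in history.known_devices
    # Any unfamiliar signal is enough: a known network with an unknown device
    # is still challenged, because someone behind the same NAT or on the same
    # ISP block is exactly the case a location-only rule would misjudge.
    if new_network or new_device:
        return "challenge"
    return "allow"


def record_success(history: AccountHistory, attempt: LoginAttempt,
                   trust_this_device: bool = False) -> None:
    """After a verified log-in, remember the network and device; optionally
    mark the device trusted for TRUST_TTL."""
    history.known_networks.add(network_of(attempt.ip))
    history.known_devices.add(attempt.device_id)
    if trust_this_device:
        history.trusted_devices[attempt.device_id] = attempt.when + TRUST_TTL


def demo() -> list:
    """Constructed scenario; returns the decision made for each attempt in order."""
    hist = AccountHistory()
    t0 = datetime(2014, 5, 1, 9, 0)
    first = LoginAttempt("203.0.113.10", "laptop-a1", t0)
    out = [decide(hist, first)]                                   # nothing known yet
    record_success(hist, first, trust_this_device=True)           # user ticks "trust this computer"
    out.append(decide(hist, LoginAttempt("203.0.113.10", "laptop-a1", t0 + timedelta(days=10))))  # inside trust window
    out.append(decide(hist, LoginAttempt("203.0.113.10", "laptop-a1", t0 + timedelta(days=40))))  # trust expired, still familiar
    out.append(decide(hist, LoginAttempt("203.0.113.44", "phone-b2", t0 + timedelta(days=40))))   # new device, same network
    out.append(decide(hist, LoginAttempt("198.51.100.7", "laptop-a1", t0 + timedelta(days=41))))  # known device, new network
    return out


if __name__ == "__main__":
    for step, verdict in enumerate(demo(), 1):
        print(f"attempt {step}: {verdict}")
```

The scenario ends with the two cases that matter for the column's point: a familiar device from an unfamiliar network is challenged, and so is an unfamiliar device from the home network. A site that keyed only on the IP address would allow the second one.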
And if a site uses only text messaging or phone calls to send verification codes (as opposed to an app such as Google Authenticator that works offline), a user might forget that they enabled this option until they travel overseas.
Then any attempt to log in should trip the two-step verification requirement — but getting that code to their phone will either be impossible (by virtue of the device, like some Verizon and Sprint phones not being compatible with any carriers in that country) or will cost extra. Most sites running two-step verification also permit you to type in a longer backup code generated in advance, but then you need to remember to print that out or write it down and keep it with you.
TIP: SPRING CLEANING FACEBOOK, TWITTER APPS
Both Facebook and Twitter let other sites write apps that can connect to those services with your permission. Much of the time, granting this access makes sense — you're getting some new feature or function or sparing yourself from having to remember a separate log-in.
But "much of the time" isn't "forever." You should go through the list of authorized apps at Twitter and Facebook (at each site, go to your Settings page and click the "Apps" link) to see which ones you still use. If they've fallen out of favor, why continue giving them access to your data?
My Twitter account had one discussion site I hadn't even visited in at least a year, so I clicked the "Revoke access" button. At Facebook, the list of long-dormant apps was a lot longer — including one from a site that doesn't exist anymore.
If I could make one suggestion to the people at Twitter and Facebook: Don't just tell me when I authorized an app, tell me when I last used it.