Something you have and something you know – that’s the heart of two-factor, sometimes called multi-factor, authentication. RSA was for years the most common. You use either the key fob hardware device or the software app to get a ‘code’ that you enter in addition to your ID and your (hopefully) strong password. The code changes every minute. Assuming the host site/app correctly implements it a stolen password isn’t enough for your account to be compromised. More recently the cell phone has become the second “factor” as a device you typically always have with you. I’ve been using Google Authenticator on my Android phone and it seems to work reasonably well. Visit a site that supports two-factor, enable it, then use the phone app to scan the QR barcode and finally enter the code that shows up on the phone. It allows you to mark certain devices as trusted, meaning that once you authenticate from say your work computer you only need your ID/password on that device going forward. The initial set up isn’t bad, I think the biggest downside (aside from having to lookup the code to login!) is when you get a new phone. I’ve read – but not tried – that you can save the images of the QR codes to make it easier to set up again. I’m not recommending that, but if you do, secure the images well.

Before you get started, remember that security is always about risk management – you can use two factor everywhere it’s available, or decide to only use it in places you consider high-value/high-risk.

There’s a small list on Lifehacker, and a more extensive list here of sites that support two-factor. Give one a try and see what you think.