How to keep hackers out of your Google, Facebook, and Twitter accounts

Don't let hackers do to you what they did to Wired's Mat Honan. Using two-factor log-ons can help keep attackers from hijacking your accounts.


You’ll need to go back to the Accounts Security page and select the Edit button next to “Authorizing Applications and sites” to set up disposable passwords for each device and app. You can also use this tool to manage your list of trusted devices and applications, and revoke access to them at any time.

So that covers Google. What about Facebook? Here, too, you can beef up your security settings with two-factor authentication. This will prompt you to enter a similar SMS code whenever you log on to Facebook from a new device. The drill is remarkably similar:

1. Go to your Facebook Account Settings page (found under the down arrow next to the Home tab).

2. Select Security from the menu on the left.

3. Under “Login Approvals” click edit and put a check in the box that appears (see below). You may have to adjust your browser settings to accommodate the cookie that Facebook wants to deposit.

4. In the dialog box that appears, click “Set up now.” You may be prompted again for your Facebook password and to add your mobile phone number if you haven’t provided one already.

5. Click Continue. If you’ve done this correctly you should receive a six-character PIN. Enter that and the name of your device into the dialog boxes that appear.

As with Google, this won’t work with every device or application Facebook supports (like the Xbox or Skype). So again you’ll have to generate a disposable app password, which you can do via the same Security Settings dialog box. If you have an Android device, you can download a free Code Generator app that can produce usable passcodes without having to send you a text.

Twitter does not offer two-factor authentication at this time. But you can make it harder for attackers to reset your password by changing a setting in your profile that requires you to provide additional info, such as an email address or phone number, when requesting a new password.

From your Twitter profile page, click Edit your profile. Then go into your Account settings, scroll to the bottom, and put a checkmark in the box next to “Require personal information to reset my password.”

The flaw in all of these schemes: if the attackers manage to get hold of your phone as well as your log-ons, then, my friend, you’re totally screwed.
