Amazon Enables Two-Step Verification For Protection Against Hacking

Amazon users can now better protect their accounts with the added option of two-step verification. The second-factor code will come from software tokens or SMS tokens and will be required every time you sign in from a new "device," which can be another computer, smartphone, or even another browser.

Lately, there has been increased interest in two-step verification solutions for websites, after some highly publicized data breaches that such a security solution could have protected against. Google was one of the first companies to implement two-step verification for its accounts, but it wasn't until the iCloud account hacking that more people awakened to the need to enable this option for all of the important services they use.

U.S. government agencies have also been criticized in security audits for not using two-step verification solutions, which could have minimized the damage in data breaches such as OPM's.

The easiest way to use two-step verification is through SMS, which should provide a relatively strong extra layer of security in case a user's password is stolen or brute-forced. However, it's well known that wireless carriers use security technologies that are either too old or broken (on purpose) for law enforcement's benefit, which means they are also highly vulnerable to more sophisticated attackers. Therefore, SMS-based second-factor authentication is likely not too secure against targeted attacks.

Amazon offers the option to use a software token, through apps such as Google Authenticator or Authy. These apps create random six-digit codes, which are tied to your Amazon account. The security codes are generated locally on the device. However, Amazon, and more recently Google, are allowing users to fall back to SMS-based verification if the app-based verification fails for whatever reason.

This is done for convenience purposes, but ultimately it just means the security of the software token is as good (or weak) as the security of the SMS token -- an attacker could pretend he doesn't have the app in order to fall back on the weaker SMS token system.

In this case, the app-based verification system may not be rendered completely useless by this fallback mechanism, because some users may prefer relying on the app if they change their phone numbers often.
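The following is an added example, not code from the article or from Amazon. It shows how an authenticator app such as Google Authenticator derives its six-digit code locally (TOTP, RFC 6238) and why an SMS fallback sets the account's effective strength. The secret is the RFC test key, and the factor names and their ranking are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample secret: the RFC 4226/6238 test key, base32-encoded the way
# authenticator apps import it. A real secret is issued per account at enrollment.
SAMPLE_SECRET = base64.b32encode(b"12345678901234567890").decode()

def totp(secret_b32, at=None, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1: code = f(shared secret, current 30 s window)."""
    key = base64.b32decode(secret_b32.upper())
    counter = int((time.time() if at is None else at) // step)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226, section 5.3)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify_totp(secret_b32, code, at=None, step=30, drift=1):
    """Server-side check that tolerates +/- `drift` windows of clock skew."""
    now = time.time() if at is None else at
    return any(
        hmac.compare_digest(totp(secret_b32, now + i * step, step), code)
        for i in range(-drift, drift + 1)
    )

# Assumed ranking, following the article's argument that SMS is the weaker factor.
STRENGTH = {"sms": 1, "totp_app": 2}

def effective_factor(primary, fallbacks):
    """An account is only as strong as the weakest factor it will accept at sign-in."""
    return min([primary, *fallbacks], key=STRENGTH.__getitem__)

if __name__ == "__main__":
    print("code now:", totp(SAMPLE_SECRET))
    print("app only:", effective_factor("totp_app", []))
    print("app + SMS fallback:", effective_factor("totp_app", ["sms"]))
```

No network traffic is involved in producing the code: the phone and the server each compute it from the shared secret and the clock, which is why nothing can be intercepted in transit the way an SMS can.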

To enable the two-step verification system for your Amazon account, you have to follow these steps:

1. Go to Your Account > Change Account Settings
2. Advanced Security Settings > Edit
3. Get Started to start the two-step verification setup
4. Add a phone number or choose an app
5. Send code > Verify code and continue
6. For backup, add phone number or app (in case you chose the SMS option initially)


Lucian Armasu joined Tom’s Hardware in early 2014. He writes news stories on mobile, chipsets, security, privacy, and anything else that might be of interest to him from the technology world. Outside of Tom’s Hardware, he dreams of becoming an entrepreneur.

You can follow him at @lucian_armasu.

  • Not currently available in the UK.
  • Colin Lee
    Ahh, I wish I'd seen your comment before I wasted 5 minutes trying to find the setting...
  • quicksand10
    Not currently available in Canada either. The Advanced Security Settings page exists, and it is titled Two-Step Verification, but the page is empty.