The recent Sony email hack revealed sensitive and embarrassing private conversations. And this wasn’t the first time. Business Insider reports that many believe that not only were Sony’s IT security measures inadequate, but that the company also failed to learn from previous mistakes.

There is no absolute protection against getting hacked, but you can take measures to make it less likely; which is a lesson Sony should have learned by now. One very powerful weapon SMBs can use to protect their online accounts is two-factor authorization (variously called two-step verification or two-step authentication).

How Two-Step Authorization Works

Two-step authorization is not overly complicated, but it does add an extra step every time you log in to your account in addition to your password, you must also enter an authentication code (a string of numbers sent as a text message to your authorized phone). Lifehacker describes it as something you know, plus something you have. This way, even if hackers obtain your password, they still can’t look at your data because they don’t have the device that provides the authorization code (unless, somehow they also have your phone, there are back-up measures in case your phone is lost or stolen).

Two-step authorization has been around for a few years, but is getting increased attention due in part of the growing adoption of Apple Pay to make retail purchases with your phone instead of a credit card. As the Washington Post explains, one attraction of Apple’s mobile payment system is its protection against cybercriminals based in large part on two-step authentication. An iPhone held to a scanner confirms a purchase and the merchant receives two codes, one that identifies the credit card and the other a one-time authorization.

Numerous websites, banks, email providers and other vendors also offer two-step authorization. Visit for a current list and submit requests for two-step authorization to service providers who don’t (e.g., Spotify, Citibank).

Setting Up Two-Step Authorization

There’s no cost to using two-step authorization from any vendor that offers it. It’s also something you can set up on your own website, though not without some up-front (and potentially confusing) steps. Two-step authorization can be a hassle to set-up, Gigaom points out. To set it up on a WordPress site, for example, there are several steps:

Enter a mobile phone number.

  1. Download the Google authenticator app to your smartphone.
  2. Scan a barcode from computer screen to get a verification code.
  3. Enter the verification code where WordPress requests it.
  4. Generate a list of 10 backup codes in case your phone is lost or stolen.
  5. Print the list of backup codes for future reference, if needed.

For just a few minutes of your time, your business data gets an extra layer of protection. Users may balk that having to enter an authorization code on top of a password is extra work. It isn’t foolproof (what is?), but it can save a lot of time, expense and potential embarrassment if your account is hacked. Just ask any Sony executive what that’s worth.