Tumblr beefs up security with two-factor authentication


Tumblr has now joined its evolutionarily, ever-more security-conscious brethren by plugging in 2FA, it announced on Monday.

Two-factor authentication (2FA) is also known as multi-factor or two-step verification and is the process of verifying someone’s identity with two out of three possible identifiers:

  • Something you know
  • Something you have
  • Something you are

Good for Tumblr. 2FA is a smart security step.

The point of 2FA is to make it tough for anybody – hackers, exes, overly dexterous pets, you name it – to get into your Tumblr account.

Tumblr 2FA

Once set up, users will need to enter a unique single-use code every time they log in to Tumblr.

That code will be generated by an authenticator app – it recommends Google Authenticator – or received via SMS to a phone (which, as Tumblr wisely nagged/asked, you’ve already password-protected, right? … Ahem! Right? That security step is smack-dab at the top of Naked Security’s 10 tips for protecting your smartphone!).

2FA is already being used, to varying extent and in varying ways, by an ever-expanding list of sites, including Facebook, Google, Apple, WordPress, LinkedIn, and Twitter.

Tumblr put up a posting explaining how to set up and manage 2FA.

Here’s how to turn it on:

  1. Visit your account settings.
  2. Click the “Enable” checkbox.
  3. Enter your phone number.
  4. Decide whether you’d like to receive the code via text or through the authenticator app. Tumblr recommends both, in case you need to use one as a backup. (It’s worth noting that Paul Ducklin, when he was setting up 2FA for accessing the WordPress platform that Naked Security runs on, chose to get his codes sent via SMS, “thus ensuring that my login codes are delivered neither to my laptop nor my tablet, but to a vanilla mobile phone.”)
  5. Follow the steps laid out in the settings page.

And there you have it.

Just like you need two keys to launch a nuclear missile (says Tumblr, in one of the scarier analogies of the day), you’ll have two keys to launch Tumblr: your password and either your phone or the authenticator app.

Good luck keeping safe and, well, you know, not blowing us all to kingdom come.

Want to learn more about 2FA? I dug through the treasure trove of TechKnow podcasts to pull out one that Paul Ducklin and Chet Wisniewski recorded on the subject about a year ago:

Listen now:

Listen later:

Download Techknow podcast