The Facebook code generator is a security mechanism that helps prevent unauthorized logins to an account from an unknown device. A six-digit confirmation number must be entered each time you or anyone else uses your account from an unfamiliar device.
When users log in to Twitter via a web browser, they must confirm their identity by entering a six-digit code that Twitter delivers to their smartphones. To access the service through applications for PCs and smartphones, users must use an automatically generated temporary password for each of the programs.
It was evident that something had gone wrong from the tweets the hacker sent from Honan's Twitter account and from Gizmodo's account, to which it was linked. (He used to work there.) Honan went public on 3 August 2012 in a blog post: "Yes, I was hacked. Hard." At the time, he blamed his old seven-digit alphanumeric password.
With two-factor authentication, security depends on two different things. Often these are something you have, such as a credit card, and something you know, such as a four-digit PIN (personal identification number). The "something you have" could also be a dongle or, with biometrics, your face, fingerprints, or iris patterns. With online services, it's usually a mobile phone. Set up two-factor authentication with Gmail, for example, and when you ask for your forgotten password to be reset, Google will send a verification code to your mobile.
I have heard a story, which possibly may be apocryphal, that we are saddled with four-digit PINs because the engineer who originally invented the ATM asked his wife how long the card security codes should be, and she was quite unshakably certain that she could never POSSIBLY remember a number longer than four digits.
Some services such as Gmail even give you the option of using two passwords when you use a particular computer or device for the first time. If you have that feature turned on, the service will send a text message with a six-digit code to your phone when you try to use Gmail from an unrecognized device. You'll need to enter that for access, and then the code expires. It's optional, and it's a pain -- but it could save you from grief later on. Hackers won't be able to access the account without possessing your phone. Turn it on by going to the account's security settings.
It is a dreadful mess. Two-factor authentication, which involves a secondary mechanism such as a security token, card reader, or an SMS confirmation code, is more secure, but it is best reserved for a few critical accounts; otherwise it becomes impractical. Two-factor authentication plus single sign-on is an even better approach.