Yes, you should switch your passwords for services affected by the Heartbleed security vulnerability. But you can do better than that.

Some of today’s most popular web services let users enable a two-step, or two-factor, sign-on process that can apply an additional layer of authentication by asking for a code from a text message, a smartphone application, or a key fob.

That looks like a brilliant idea now that lots of companies have fessed up about being affected by Heartbleed since media outlets and bloggers first hit their emergency alarms about it.

Grabbing a one-time password off a device other than the main one you’re using in order to log in won’t prevent all risks, but it can make the job harder for people looking to grab key information from you, Paul Ducklin of security vendor Sophos wrote in a post yesterday on company blog Naked Security.

“[W]hile it wouldn’t have made heartbleed less of a bug, it would have made any passwords harvested by means of the bug much less useful, perhaps even useless,” Ducklin wrote.

Indeed, file-sharing company Box is encouraging people to set up two-factor authentication, following its introduction of the feature in 2012.

“If I could ask you to do one thing — turn on two-factor authentication today,” Box security director Joel de la Garza wrote in a blog post on Friday.

He went on to encourage people to use single sign-on for Box, too.
