How to use Google two-factor authentication

Summary: If you use Google services, and you don't want anyone raiding or wrecking your account and services--not to mention your life--Google two-step verification security is for you.

Do you really think security is too much trouble? That no one is ever going to bother with your accounts? Ask former Gizmodo employee Mat Honan if he feels that way after his accounts and devices were wiped clean. That could have been you, and it could have been worse. There are several ways to try to protect your online accounts and one of the more important of these is two-factor authentication.

Two-factor authentication is ancient IT technology. If you've ever worked in a shop that required you both to show an ID card and enter a PIN to go through a door, you've used it. As the name suggests, it requires you both to show you know something, typically a password, and to have a unique item that identifies you. On the Web, two-factor authentication typically requires you to have both a password and a phone with its unique number, which serves as the item.

Since Google played a role in the Honan case and almost everyone uses some Google service or other--and Apple doesn't support two-factor authentication—let's go over how to turn on Google's version of two-factor authentication: two-step verification.

Before jumping into that, though, here are some other basics. First, don't use passwords, use passphrases. “Always color outside the lines!” is both much easier to remember and far harder to break than, say, "Tr)ub4DORm1."

Second, use different passphrases for each of your accounts. These days, as in both the Honan situation and the recent Dropbox breach, a major reason things went bad was that one password was used for multiple accounts. If you use a different passphrase for each account, you limit your damage to that one service.

And, if you have trouble remembering all those passphrases—as we all do—I suggest you invest in a password management program. I use, and like, LastPass myself. I have many tech-savvy friends, however, who swear by 1Password.

Got all that? Good.

What Google two-step verification adds to your security blanket is this: to break into your Google account and all its services, a cracker needs not only your password but your phone as well.

(Image: To use Google 2-step verification, you'll need your phone as well as your PC.)

Here's how to set Google's two-step verification up. The first thing you'll need is a phone that will accept anonymous SMS (aka text) messages or voice calls. You're going to need that because Google uses your unique phone and its number as its second factor. Google recommends that you use a mobile phone number as opposed to a landline or Google Voice number. You can use either, but I suggest you don't use a Google Voice number, since that could trap you in a situation where you couldn't easily access any of your Google services.

Next, you need to sign in to your Google account and head to the two-step verification settings page. Once there, you'll need to choose “Using 2-step verification” from the menu. From here, you'll enter the country your phone is registered in and enter your phone number. You can also choose whether to get your verification code by voice or SMS on your phone. In a matter of seconds, you'll get a call with your verification number. You then enter this code into the data entry box provided by your Web browser. Your computer will then ask you if you want it to remember the computer you're using. If you answer “yes”, that computer will be authorized for use for 30 days. Finally, you turn on 2-step verification and you're done.

Well, not really. You see, you're not really authorizing your computer, as you might think from the instructions; you're authorizing the use of a particular Web browser on that computer with 2-step verification. If, like me, you run more than one browser, you'll need to go through this process with every browser. You'll also need to go through it with every computer you use. Since on an average day I use half-a-dozen different computers, that adds up to a lot of time for the initial setup.

Also, while most Google services work with 2-step authentication, not all of them do. Services that don't support the 2-step authentication dance include:

POP and IMAP email clients such as Outlook, Mail and Thunderbird
Gmail and Google Calendar on smartphones
ActiveSync for Windows Mobile and iPhone
YouTube Mobile on Apple devices
Cloud Print
IM clients for Google Talk and Adium
3D Warehouse, Sketchup, and installed applications
AdWords Editor
Sync for Google Chrome
Gmail Notifier

So, if, like me, you use a smartphone and clients for email and IM, you'll also need to set up application-specific passwords. These will not, and cannot, be the same as your master Google password.

(Image: Google, not you, generates your application-specific passwords.)

You'll get these application-specific passwords by first giving each one a name, such as e-mail, Android, and so on; Google will then automatically generate a password for you. You then enter this new password into the application, and your application will be good to go. There are also a handful of applications, such as Google TV Gallery, that don't work with any version of 2-step verification.

From this same page you can also see all the services you've authorized to use your Google ID as your identification. So long as you're cleaning up your security act anyway, you might as well go through the list and Revoke Access to any service you're no longer using.

Let's say, though, that you don't have your phone, or you're somewhere without a signal when your laptop's 30 days of grace are up. No problem. Google gives you two answers.

The first is to download the Google Authenticator app for Android, Apple and Blackberry tablets and smartphones. With this you can generate the code for your PC/browser without a signal. The second is to create a batch of ten backup codes ahead of time, which you can use to authorize a computer.
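To show what the Authenticator app actually does, here is an added example that is not Google's code: a minimal implementation of the time-based one-time password scheme the app uses (RFC 6238 TOTP, built on RFC 4226 HOTP with 6 digits and 30-second steps), plus a toy model of single-use backup codes. The base32 secret and the backup-code storage are constructed for the example; the only real value is the RFC 6238 reference test secret, used so the output can be checked against the published vectors. It also shows why a code stops working after its 30-second window and why a redeemed backup code cannot be replayed.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

# Parameters Google Authenticator uses: HMAC-SHA1, 6 digits, 30-second time steps.
DIGITS = 6
STEP_SECONDS = 30

# RFC 6238 reference test secret (ASCII "12345678901234567890" in base32).
# A real account secret would be the one shown when you enrol the app.
RFC6238_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time.
    Both phone and server compute this from the shared secret and the clock."""
    secret = base64.b32decode(secret_b32.upper())
    return hotp(secret, at_time // step)


def verify_totp(secret_b32: str, candidate: str, at_time: int, window: int = 1) -> bool:
    """Server-side check: accept the current step or +-window steps to absorb clock skew.
    compare_digest keeps the comparison constant-time so digit-by-digit guessing is not
    helped by response timing. Outside the window the code is simply expired."""
    if len(candidate) != DIGITS or not candidate.isdigit():
        return False
    secret = base64.b32decode(secret_b32.upper())
    for delta in range(-window, window + 1):
        expected = hotp(secret, at_time // STEP_SECONDS + delta)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


def generate_backup_codes(count: int = 10) -> tuple[list[str], set[str]]:
    """Toy model of backup codes (constructed, not Google's format): returns the plaintext
    codes to show the user once, and the hash set the server keeps instead of the codes."""
    codes = [f"{secrets.randbelow(10 ** 8):08d}" for _ in range(count)]
    stored = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
    return codes, stored


def redeem_backup_code(stored: set[str], candidate: str) -> bool:
    """Single use: a matching code is removed from the stored set so it cannot be replayed."""
    digest = hashlib.sha256(candidate.encode()).hexdigest()
    if digest in stored:
        stored.remove(digest)
        return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(RFC6238_TEST_SECRET_B32, now))
    print("valid now:", verify_totp(RFC6238_TEST_SECRET_B32, totp(RFC6238_TEST_SECRET_B32, now), now))
    print("valid 5 minutes later:", verify_totp(RFC6238_TEST_SECRET_B32, totp(RFC6238_TEST_SECRET_B32, now), now + 300))
    plain, kept = generate_backup_codes()
    print("backup code accepted once:", redeem_backup_code(kept, plain[0]), "then:", redeem_backup_code(kept, plain[0]))
```

Because the code is a function of the shared secret and the current 30-second step, the phone needs no network connection to produce it, which is the whole point of the app as an offline alternative to SMS. The skew window is a deliberate trade-off: one step either side tolerates a slightly wrong phone clock at the cost of three acceptable codes per attempt instead of one.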

Is this perfect? No. There's no such thing as perfect security. A man-in-the-middle attack can still grab your password and your authentication number. And a good old-fashioned people hack led to CloudFlare's CEO losing control of his Google account even with two-factor authentication.

Even so, if you don't want your own personal security disaster, you should follow all these suggestions. Yes, setting up Google's, or anyone else's, two-factor authentication can be a pain, but you'll be far safer with it than without it.


Talkback

12 comments
  • Google two-factor authentication

    Kudos Google
    RickLively
  • You'd think Google would do what Gaming companies did ages ago.

    Write an app for that. I've got a couple of authenticator apps I use to access various gaming accounts. No reason Google can't do it also.
    Aerowind
    • They did

      Google Authenticator app for Android, Apple and Blackberry tablets and smartphones. With this you can generate a PC/browser password. You can also create a batch of ten backup codes, which you can use to authorize a computer.
      Fofer
  • Give Google my telephone number?

    And set up my phone to accept anonymous text messages? In what universe are those two things a good idea separately, much less together?
    Vesicant
    • Don't forget to close the bunker windows at night

      and check the off grid septic system in the morning...
      T1Oracle
  • So.....

    If I have Gmail set up on my phone (account name is saved and visible, and the password is saved), and my phone is stolen, all that needs to be done is have Google send a password recovery message to my phone, and even WITH 2-step authentication, the thief now controls my account.

    YOU CAN'T TIE THE RECOVERY MECHANISM TO THE DEVICE WITH THE ACCOUNT FOR 2-STEP TO WORK.
    aep528
    • It's not supposed to.

      Physical access to your device is a killer. It doesn't matter what kind of security is on your computer, if they steal the computer itself, there's not really much you can do about it.
      Aerowind
    • Make it harder

      for the miscreants to access your accounts.

      “and the password is saved)” Don't save password on phone

      Auto lock phone.
      RickLively
    • Which is why I propose three-factor authentication!

      When you receive your 6-digit PIN from Google, just write it down on paper, roll that paper up, and send it to Google HQ via courier pigeon. A quick DNA check will verify that it's the right pigeon and therefore it must be you.

      Just make sure it's a fast pigeon because that PIN has a timeout...
      T1Oracle
  • 2FA nothing Less

    Don’t settle for anything less than two-factor authentication. I have two-step authentication on my email and I like the extra security it offers. You just telesign into your account and it’s good to go. I'm hoping that more companies start to offer this awesome functionality. In reality this should be a prerequisite for any system that wants to promote itself as being secure. I feel suspicious when I am not asked to telesign into my account by way of 2FA; it just feels as if they are not offering me enough protection.
    Branden_B
  • Demand IT

    Brenna Lenior, who works for telesign.com, the leader in phone-based verification and authentication services, made these comments in her blog: “Turn on two-factor authentication or demand”. And the other comment was, “Respond quickly - if you think your account has been compromised, report it immediately.” These to me are two of the points that people need to be made aware they must do.
    http://www.telesign.com/news-and-events/blog/5-easy-password-best-pratices-to-protect-yourself-from-a-hack
    Tanya_T
  • "A man in the middle attack can still grab your password..."

    Doesn't Google encrypt its logon communications with our browsers (https), and ALL communications for certain pages, like Gmail or GV? (Even client accessed POP & IMAP have encrypted server options for Gmail.) If that is so, how is a man-in-the-middle going to get your credentials?
    xb77