Do you really think security is too much trouble? That no one is ever going to bother with your accounts? Ask former Gizmodo employee Mat Honan if he feels that way after his accounts and devices were wiped clean. That could have been you, and it could have been worse.
There are several ways to try to protect your online accounts, and one of the more important of these is two-factor authentication. Two-factor authentication is ancient IT technology. If you've ever worked in a shop that required you both to show an ID card and enter a PIN to go through a door, you've used it. As the name suggests, it requires you both to show that you know something, typically a password, and to have a unique item that identifies you. On the Web, two-factor authentication typically requires you to have both a password and a phone with its unique number, which can be used as the item.
Since Google played a role in the Honan case and almost everyone uses some Google service or other--and Apple doesn't support two-factor authentication--let's go over how to turn on Google's version of two-factor authentication: two-step verification.
Before jumping into that, though, here are some other basics. First, don't use passwords, use passphrases. "Always color outside the lines!" is both much easier to remember and far harder to break than, say, "Tr)ub4DORm1."
Second, use different passphrases for each of your accounts. These days, as in both the Honan situation and the recent Dropbox breach, a major reason things went bad was that one password was used for multiple accounts. If you use a different passphrase for each account, you limit your damage to that one service.
And, if you have trouble remembering all those passphrases--as we all do--I suggest you invest in a password management program. I use, and like, LastPass myself. I have many tech-savvy friends, however, who swear by 1Password.
Got all that? Good.
What Google two-step verification adds to your security blanket is that, to break into your Google account and all its services, a cracker needs not only your password but your phone as well.
Here's how to set Google's two-step verification up. The first thing you'll need is a phone that will accept anonymous SMS (aka text) messages or voice calls. You're going to need that because Google uses your unique phone and its number as its second factor. Google recommends that you use a mobile phone number as opposed to a landline or Google Voice number. You can use either, but I suggest you don't use a Google Voice number since that could trap you in a situation where you couldn't easily access any of your Google services.
Next, you need to sign in to your Google account and head to the two-step verification settings page. Once there, you'll need to choose "Using 2-step verification" from the menu. From here, you'll enter the country your phone is registered in and enter your phone number. You can also choose whether to get your verification code by voice or SMS on your phone.
In a matter of seconds, you'll get a call with your verification number. You then enter this code into the data entry box provided by your Web browser. Your computer will then ask you if you want it to remember the computer you're using. If you answer "yes," that computer will be authorized for use for 30 days. Finally, you turn on 2-step verification and you're done.
Well, not really. You see, you're not really authorizing your computer, as you might think from the instructions; you're authorizing the use of a particular Web browser on that computer with 2-step verification. If, like me, you run more than one browser, you'll need to go through this process with every browser. You'll also need to go through it with every computer you use. Since on an average day I use half-a-dozen different computers, that adds up to a lot of time for the initial setup.
Also, while most Google services work with 2-step authentication, not all of them do.
Services that don't support the 2-step authentication dance include:
- POP and IMAP email clients such as Outlook, Mail and Thunderbird
- Gmail and Google Calendar on smartphones
- ActiveSync for Windows Mobile and iPhone
- YouTube Mobile on Apple devices
- Cloud Print
- IM clients for Google Talk and Adium
- 3D Warehouse, Sketchup, and installed applications
- AdWords Editor
- Sync for Google Chrome
- Gmail Notifier
So if, like me, you use a smartphone and clients for email and IM, you'll also need to set up application-specific passwords. This will not, cannot, be the same as your master Google password.