Secure your Google Account with two-step authentication

Two-step authentication significantly increases the security of your Google account, and it takes less than three minutes to set up.

You're already familiar with what security professionals call one-factor authentication. You provide "something you know" to access your Google account: your username and password. That's one-factor authentication.

You're also likely familiar with two-factor authentication. You access your bank's ATM with your ATM card and four-digit PIN. That's two-factor authentication: "something you know" (the PIN) combined with "something you have" (the ATM card).

Two-factor authentication increases security, but decreases convenience. You can't simply get cash out of the ATM by remembering your PIN; you also need to have your ATM card.

Google's two-step authentication is similar. Once enabled, you'll enter your username and password (something you know). That's one factor. Then, Google will send a 6-digit code to your mobile phone (something you have). You enter this 6-digit code to gain access to the account. That's two-factor, or two-step, authentication.

Before you begin

First, you'll need a mobile phone. If you don't consistently carry your phone with you, think carefully before enabling two-factor authentication.

Second, if your account is a Google Apps account, the administrator must enable users to turn on two-step verification for the domain.

Administrators: To enable two-step authentication for users, log in to your Google Apps control panel at http://google.com/a/yourdomain.com, go to the Advanced tools tab, then click the checkbox to "Allow users to turn on two-step authentication".

Figure A

Enable Google Apps two-step authentication

1. Open a browser to http://accounts.google.com/login. Enter your complete email address and password.

Figure B

2. Click on the "Edit" button to the right of "two-step verification, Status: OFF".

Figure C

Click the "Start setup" button to continue.

Figure D

3. Is your computer secure?

Figure E

You should set up two-step verification only from a secure computer. Typically, this would be a work or home system.

Click "Proceed anyway" to continue.

4. Specify your phone number and confirmation method

Figure F

You'll see "Which phone should we send codes to?" Choose your country, and then enter your complete phone number. In the United States, enter your entire 10-digit phone number.

You can choose to receive the 6-digit codes either by text message (SMS) or voice call. You can change methods, if needed, each time you log in. I recommend the text message option for most users, as it tends to be simpler.

5. Verify your phone number

Google will then send a 6-digit code to your phone.

Figure G

Enter the 6-digit code, and then click "Verify".

6. Trust this computer?

Figure H

You can now choose whether to "Trust this computer" or not. Enabling "Trust this computer" means that you'll need to enter a two-step verification code on that computer just once a month.

I recommend you enable "Trust this computer" only on desktop systems in secure locations, such as your office or home. If you use a laptop or share your computer with other users, I recommend you don't enable this. This means you'd need to enter the 6-digit code every time you access your Google account on your laptop.

Is that inconvenient? Yes. That's the inherent security trade-off: you've increased security, but decreased convenience.

Click "next" to continue.

7. Confirm settings

Figure I

Next, you'll be prompted to confirm your settings. Click the "Confirm" button to complete the process and turn on two-step verification.

You'll then see a confirmation that "two-step authentication is ON" for your account.

Figure J

8. Print backup codes

I strongly recommend you print the backup codes. Google provides a set of ten one-time-use codes that will enable you to access your account. These can be used in the event you are unable to receive a text message or voice call on your phone.

Click on "Show backup codes" on the confirmation page. Print these codes and store them in a secure place.

Figure K

We're finished configuring two-step authentication for your Google Apps account!

Login with two-step authentication

Now, let's test it. Log out of your Google Account (click on your name in the upper right of the browser, and then choose "sign out").

Go to http://accounts.google.com/login. Enter your complete email address and password.

You'll be prompted to enter the six-digit code received on your phone. Enter the code, and then click "Verify".

Figure L

You're all set. Two-step authentication is now enabled for your Google account. Remember to keep your phone with you so you can access your Google account.

Two more important things to know

Most applications work well with two-step authentication. Some mobile apps and third-party web apps may require you to use an application-specific password. To get an application-specific password, log in to your Google account. Look for "Authorizing applications and sites" and click "Edit". (You may be required to re-authenticate, just to be secure.) See Google's help pages to learn more about application-specific passwords.

Figure M

Google also makes Google Authenticator applications for Android, iOS, and Blackberry devices. The Authenticator app provides the frequently changing 6-digit number needed for verification. The nice thing about the mobile apps is that they work even without cell coverage. Download and configure the Google Authenticator app only after enabling two-step authentication as described above. Follow Google's instructions for your device to configure the app.

Are your Google Apps users secure?

Two-step authentication should be standard procedure for all corporate users of Google Apps.

An increasing number of other sites offer two-factor authentication (including Facebook). I recommend you enable two-factor authentication whenever and wherever possible. The increased security is worth the decreased convenience.

Have you rolled out two-step authentication for your users? Do you have any tips to share from your experience?

About

Andy Wolber helps people understand and leverage technology for social impact. He resides in Ann Arbor, MI with his wife, Liz, and daughter, Katie.

11 comments
Branden_B

Nice step by step summary. I use Two-Factor Authentication across a lot of my accounts. I feel a lot more secure when I can telesign into my account. If you have that option available to you use it, it is worth the time and effort to have the confidence that your account won't get hacked and your personal information isn't up for grabs. I'm hoping that more companies start to offer this awesome functionality. This should be a prerequisite to any system that wants to promote itself as being secure.

sfsmadrush

Just curious. Would this mean that every time my phone refreshes to get new messages that I will have to enter the access code?

Michael Kassner

Chrome bookmark syncing between Android Chrome and the Computer version in most cases does not work.

dragonbite

After having my account frozen for "questionable activity" a couple of times, I set up this 2-step authentication and haven't had any issues since. While it is not fool-proof, it is better than just a password. I've even had my phone ring and give me a verification code that I didn't request which leads me to believe somebody got my password but still could not get in. Needless to say, I changed the password after that. I don't see a mention about the Application Codes, passwords that can be used by native clients like Thunderbird, that can only be used to access application, like Thunderbird, but not through your browser or into your settings. These codes are easy to get and easy to revoke when logged into your Dashboard with 2-step authentication. The trick is to record them somewhere because once generated, you can't pull it up again afterwards.

frylock

On the Gmail app for Android (and I suspect other phone email clients) you'll need to generate an Application code as described in the article. You can save this just like your old password so it doesn't ask every time.

AnsuGisalas

Because many smartphone apps that don't run in a full browser can't request the confirmation code... for those you have to generate a service specific code to use instead of the password.

andy

Glad your experience has been good. And really glad to know that it seems like the 2-step authentication likely prevented unauthorized access to your account! Good point about "authorized application" codes. I mentioned them only briefly in the section "two more important things to know". They can be a bit confusing for users first setting this up, so I wanted to mention them -- but not go into too much detail. I know I end up reviewing the Authorized Application list every other month or so. I try lots of online software, so I'm always adding permissions and approvals. Probably should add to my monthly checklist to review these approvals in Google Apps, Facebook -and- Twitter. Thanks for reading! Andy

mckinnej

My U.S. cell phone doesn't work over there (Asia). I don't do it enough to justify the (really high) cost of an international plan, but I do it enough to eliminate 2-factor over a cell phone (or anything else that would depend on a cell phone). I'd be locked out for at least a couple of weeks at a time. I wish I could put the codes on an encrypted USB drive and it ask for those. Not sure how I could use those on my Nexus 7 though. I think I'd have to root it and use an adapter cable to connect a USB drive to it.

frylock

I believe you can use the Google Authenticator app to cover situations where you don't have voice/SMS access. I haven't tried this, but I think it's supposed to work for that (i.e. it doesn't need data access once it's been set up).

andy

Correct. The Google Authenticator app works if you do not have cell connection. Another "offline" option is to use one of your backup codes. They are one-time use only, but would provide access. Andy