Use Google Authenticator to securely login to non-Google sites

With two-step authentication enabled, you'll be prompted to enter a six-digit number after you provide your username and password.

Google's two-step authentication helps you restrict access to your accounts. Normally, you login to a website with your username and password. Without two-step authentication, you're done. Access to your account relies on the strength of your username and password.

With two-step authentication enabled, you'll be prompted to enter a six-digit number after you provide your username and password. Unlike a PIN number for an ATM, this six-digit number changes with every login.

Many sites send a text message to you containing the six-digit number. That's how things work if you've enabled two-step authentication at Facebook, Twitter and LinkedIn as of June 14, 2013. (Follow the links for each service to learn how to enable two-step authentication on each of these widely-used social media sites.) If you use these sites and have a cellphone, I strongly recommend you enable two-step authentication at each service.

Other sites let you use the Google Authenticator app to generate the six-digit number. The app generates a different six-digit number for each connected site, and these numbers change every 30 seconds. With the app, you don't have to wait a few seconds to receive a text message. Here's how to set up and use the Google Authenticator app with your Google account, along with a few other well-known sites.

Doing the two-step

1. Make sure two-step authentication is enabled for your Google account

Before you start using the app, make sure that two-step authentication is enabled and configured for your account. See my August 2012 article, "Secure your Google Account with two-step authentication" for details.

2. Install the app

Download and install the app on your Android device or on your iPhone, iPad or iPod Touch.

3. Connect Google Authenticator to your Google Account

Login to your Google account at Choose "Security" from the left-side menu, then look for "2-step verification" and click "Edit". You may need to login again.

Connect your Google Authenticator app to your Google account by following the prompts after "How to Connect" a Mobile Application.

The free Google Authenticator app helps secure your Google account.

The process will be similar when you enable 2-step authentication on other sites, and then link your Google Authenticator app with those sites, with these general steps:

  • You enable 2-step authentication at the website, and then
  • Indicate you want to use your Google Authenticator app to generate codes.
  • Next, you use the Google Authenticator app on your phone to scan a code displayed by the website on your computer screen, and then
  • The Authenticator app adds the account.
  • You enter a six-digit code generated by the Authenticator app to verify that the site and app are linked.

4. Connect Google Authenticator for 2-step authentication at other sites

Many companies have adopted the 2-step authentication process. For many users, discovering how to enable 2-step authentication at each site can be a bit time consuming. So here's a quick guide to a few of the most widely visited sites with which you can use the Google Authenticator app.

Secure your account by logging in to your account, then choosing "Settings", then "Security". Then enable 2-step authentication with Google Authenticator.

Secure your account with Google Authenticator.

Yes, you can use Google Authenticator for 2-step authentication of accounts. To enable 2-step authentication at, login, then choose "Account Settings", then "Security info". From this page you can enable 2-step authentication and manage your authenticator apps.

Your Google Authenticator app can help securely access accounts.

Evernote's setup is similar to the others above: login, go to "Account Settings", then choose "Security". From there, you can enable 2-step authentication using Google Authenticator.

Evernote enabled 2-step authentication in May 2013.

Dropbox provides a nicely designed step-by-step process for enabling 2-step authentication. First login to your account, choosing "Settings", then select the "Security" tab. From there, click the link to enable two-step verification.

Dropbox has a nicely designed step-by-step process that walks users through each step of configuring 2-step authentication.

Finally, if you use the LastPass password manager, I strongly encourage you to secure it using 2-step authentication. Even if you use a very long, obscure password, the data store, if breached, would provide access to all of your passwords for other sites. This is worth securing.

To enable 2-step authentication in LastPass, login, then choose Settings, then select the "Multifactor options" tab. Choose the "Google Authenticator" option, then follow the on-screen instructions.

Your password data store is definitely worth securing with 2-step authentication!

Bottom line

New sites continue to add support for 2-step authentication and the Google Authenticator app every month. While two-step authentication may not protect your data from the U.S. National Security Agency, it will help prevent unauthorized access to your accounts. Enable it wherever possible today.

Also read:


Andy Wolber helps people understand and leverage technology for social impact. He resides in Ann Arbor, MI with his wife, Liz, and daughter, Katie.


Little hiccup with LastPass. Need to disable offline access for two-factor to work fully.   With offline access allowed I can log into my vault, but I get stopped trying to get to setup.  Luckily there was a link on the LastPass vault that got me around that into setup and now that I disabled offline access everything seems to be OK.  


Two factor auth on Evernote is only available to Business and Premium members.


All sites should use 2-factor auth using TOTP (time-based one-time passwords) leveraging Google Authenticator as perfect mobile client for that purpose so all developers have to do is implement on the server-side for their websites for java server-side at least, i wrote a blog article "Google Authenticator thus enabled" which you can find on, which i hope provides a good resource for java website developers


3DLogin is currently in beta stage. No Apps is required to login to sites, no more usernames, passwords or registration. try the 3DLogin demo -> Own a website? integrate 3DLogin, beta sign up here -> Own an app? We have our qr-code reader library that will integrate to any iOS/Android app to capture 3D rotation, speed, and encoded onetime signature. Adding this to any site is very simple and it takes 10 minutes. Cheers!!!


Google authenticator uses a standard based on symmetric (single shared secret) keys. This means that if through any flaw in a sites security, somebody can read the code checking key; they can use it to create a valid logon credential and impersonate you. Not a worry if the key is only stored in a single place and used for the 1 site, (anyone who can read your key has your privileges already) but on a more complex site or for single sign-on across a range of sites it's a big flaw. Also I'm surprised Google Authenticator can't encrypt its function and keys independent of the phones main locking. This means that anyone getting access to your phone or a backup is only your main 4 digit PIN away from reading your keys.


Call U Conferencing has integrated with Google Authenticator to secure your conference calls. You can check it out at


First of all, Google authenticator works great and I use it for everything. Google also has something called 'application specific passwords' which allow the use of strong machine-generated passwords for devices or services that cannot use authenticator. The added benefit is that each one is unique, so if one were compromised, the others will not fall. For example, I have a contact form on a website I manage, and it sends to my gmail via a google SMTP server connection using an app specific password...the same site uses a Google calendar that uses a different application specific password. The calendar is managed on my mobile phone which uses an app-specific password for it. For some more critical sites, the RSA Authentication Manager (formerly known as ClearTrust), does the same thing and works very well. Two-factor auth is a very good thing to use. It improves security exponentially, and is especially a good fit for those who may set weak passwords. The password length and strength is much less important once a two-factor system is being used.


Facebook lets you use the Google Authenticator app for two step verification.

Mark W. Kaelin
Mark W. Kaelin

Do you use two-step authentication for any websites now? Have you considered adopting the extra measure of security? Why or why not?


The six digit key is only good for 30 seconds and I doubt it can be used twice at two different logins in any case. They are like matches. Burn them once. Tell the whole world about ones that have been used. Makes no difference. Unless you are implying someone can impersonate your google authenticator app and read/obtain new ones. Yes if you allow some third party app or site to get in your gmail account, then you are vulnerable to that app being malicious.

Editor's Picks