You may know that you can protect your Google account with an additional login step after you enter your email address and password. 2-Step Verification (2SV) can be done via an SMS, Google Prompt, an authenticator app, or a security key.

In October 2017, the default 2SV method changed from SMS to Google Prompt. Before, when you turned on 2-step verification, you’d receive a six-digit code via SMS. Now, you’ll be encouraged to use Google Prompt on your Android or iOS device when you enable 2-step verification.

“We made Google Prompt the default form of 2SV to provide a better user experience,” Rodrigo Paiva, product manager at Google, said via email.

Google Prompt

Google Prompt asks for a “yes” or “no” response on your phone after you enter your Google account and password on a site. It’s fast and straightforward. If you just tried to log in somewhere, tap “yes” on your device and continue. Otherwise, tap “no.”

“Google Prompt has a ‘No, it’s not me’ option, which allows the user to take immediate action if the login is unauthorized,” says Paiva.

Google Prompt works on both Android and iOS devices. On Android, you add your Google Account on the device: Settings > Accounts > Add account > Google. On an iPhone or iPad, you install the Google app, log in with your Google account, and enable push notifications: Settings > Google > Notifications > “Allow Notifications.”

Either way, you’ll need a network connection to receive the “yes/no” prompt, just as you would with SMS.

Alternative methods

Of course, all previous Google 2-step verification methods remain available. These include the use of an app (such as Google Authenticator), a security key, SMS, and backup codes.

Nearly every person who uses 2-step verification should generate backup codes. Backup codes are intended for one-time use: once you use one to log in, you can’t use it again. When you activate 2-step verification, print out your backup codes and store them securely for use in an emergency.

A mobile app, such as Google Authenticator, Microsoft Authenticator, or Authy, can also provide 2SV. Once connected to an account, the app generates a 6-digit sequence that you enter as the second step in your authentication process (after your username and password). But unlike Google Prompt and SMS, which require network connectivity, these authentication apps create 6-digit codes even when your device is out of coverage. These apps also work with most other sites that offer 2-step authentication, such as Salesforce, Dropbox, GitHub, and many more.
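The sketch below is an added example, not code from this article or from Google. It shows why an authenticator app needs no network: the 6-digit code is computed from a shared secret and the clock using standard TOTP (RFC 6238). The sample secret is the RFC's published test key, and the server-side `verify` helper with its drift window and reuse check is a hypothetical illustration.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample secret (the RFC 6238 test key), base32-encoded the way
# an authenticator app receives it at setup. Not a real account secret.
SAMPLE_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def totp(secret_b32, unix_time, step=30, digits=6):
    """Return the RFC 6238 code (HMAC-SHA1) for the given Unix time."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = unix_time // step                # 30-second steps since the epoch
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                    # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32, submitted, unix_time, last_used_step=-1,
           window=1, step=30, digits=6):
    """Hypothetical server-side check.

    Accepts a code from the current step or `window` steps either side, to
    tolerate clock drift on the phone, and refuses any step at or before
    `last_used_step` so an observed code cannot be replayed.
    Returns the matched step number, or None if the code is rejected.
    """
    current = unix_time // step
    for candidate in range(current - window, current + window + 1):
        if candidate <= last_used_step:
            continue                           # already consumed
        expected = totp(secret_b32, candidate * step, step, digits)
        if hmac.compare_digest(expected, submitted):
            return candidate
    return None


if __name__ == "__main__":
    code = totp(SAMPLE_SECRET_B32, 59)         # phone side, fully offline
    print("code at t=59:", code)
    print("accepted at step:", verify(SAMPLE_SECRET_B32, code, 59))
    print("replayed:", verify(SAMPLE_SECRET_B32, code, 59, last_used_step=1))
```

Because the code depends only on the secret and the time, anyone who obtains the secret or sees a code within its validity window can use it, which is the gap that security keys close.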

SMS authentication remains available as an option, too. However, in most cases I suggest Google Prompt instead of SMS verification. “Google Prompt verification happens over an encrypted connection,” Paiva said.

“Google Prompt verification is completed with just one tap,” he added. “It’s much easier and less error-prone than fiddling with codes from SMS or Authenticator.”

For even greater protection you can authenticate with a security key, such as a YubiKey. A security key adds an additional piece of hardware to the authentication process. It also protects against phishing attacks.

But in some cases, the security key method restricts which apps you can use or access. For example, if you use an iOS device and protect your account with a security key, you’ll need to use the Gmail or Inbox apps instead of native or third-party mail apps. “For those users who are most at risk of targeted attacks, we offer the Advanced Protection Program (g.co/advancedprotection),” Paiva said.

2-Step Verification Recommendations

I recommend that every person who uses a Google account enables 2-step verification. Go here to learn more, and enable it: https://www.google.com/landing/2step/. For most people, Google Prompt will be the simplest, fastest authentication method.

If you currently use 2-step verification via SMS, I recommend you switch to either Google Prompt or to an authentication app, such as Google Authenticator (Android or iOS). Go to https://myaccount.google.com/security#signin to review the sign-in settings for your Google account, then make the appropriate changes.

If you have higher security needs, deploy security keys.

If you’re a G Suite administrator, run a report to view which accounts are enrolled, and which are not, in 2-step verification. To see this report, log in at https://admin.google.com, go to Reports > Security, then select “2-Step Verification Enrollment” from the menu. (And if you’re a G Suite administrator and haven’t yet deployed 2SV, see the G Suite support section for more details on configuring 2-Step Verification for your domain.)

Your experience?

If you’ve secured your Google account with Google Prompt, what has your experience been? How does it compare to other 2-step verification methods you’ve used? If you choose to use another verification method, which do you use — and why? Let me know in the comments or on Twitter (@awolber).