You’re already familiar with what security professionals call one-factor authentication. You provide “something you know” to access your Google account: your username and password. That’s one-factor authentication.
You’re also likely familiar with two-factor authentication. You access your bank’s ATM with your ATM card and four-digit PIN. That’s two-factor authentication: “something you know” (the PIN) combined with “something you have” (the ATM card).
Two-factor authentication increases security, but decreases convenience. You can’t simply get cash out of the ATM by remembering your PIN; you also need to have your ATM card.
Google’s two-step authentication is similar. Once enabled, you’ll enter your username and password (something you know). That’s one factor. Then, Google will send a 6-digit code to your mobile phone (something you have). You enter this 6-digit code to gain access to the account. That’s two factor, or two-step, authentication.
Before you begin
First, you’ll need a mobile phone. If you don’t consistently carry your phone with you, think carefully before enabling two-factor authentication.
Second, if your account is a Google Apps account, the administrator must enable users to turn on two-step verification for the domain.
Administrators: To enable two-step authentication for users, log in to your Google Apps control panel at http://google.com/a/yourdomain.com, go to the Advanced tools tab, then click the checkbox to “Allow users to turn on two-step authentication”.
Enable Google Apps two-step authentication
1. Open a browser to http://accounts.google.com/login. Enter your complete email address and password.
2. Click on the “Edit” button to the right of “two-step verification, Status: OFF”.
Click the “Start setup” button to continue.
3. Is your computer secure?
You should setup two-step verification only from a secure computer. Typically, this would be a work or home system.
Click “Proceed anyway” to continue.
4. Specify your phone number and confirmation method
You’ll see “Which phone should we send codes to?” Choose your country, and then enter your complete phone number. In the United States, enter your entire 10-digit phone number.
You can choose to receive the 6-digit codes either by text message (SMS) or voice call. You can change methods, if needed, each time you login. I recommend the text message option for most users, as it tends to be simpler.
5. Verify your phone number
Google will then send a 6-digit code to your phone.
Enter the 6-digit code, and then click “Verify”.
6. Trust this computer?
You can now choose whether to “Trust this computer” or not. Enabling “trust this computer” means that you’ll need to enter two-step verification just once a month.
I recommend you enable “Trust this computer” only on desktop systems in secure locations, such as your office or home. If you use a laptop or share your computer with other users, I recommend you don’t enable this. This means you’d need to enter the 6-digit code every time you access your Google account on your laptop.
Is that inconvenient, yes? That’s the inherent security trade-off: you’ve increased security, but decreased convenience.
Click “next” to continue.
7. Confirm settings
Next, you’ll be prompted to confirm your settings. Click the “Confirm” button to complete the process and turn on two-step verification.
You’ll then see a confirmation that “two-step authentication is ON” for your account.
8. Print backup codes
I strongly recommend you print the backup codes. Google provides a set of ten one-time use codes that will enable you to access your account. These can be used in the event you are unable to receive a text message or voice call on your phone.
Click on “Show backup codes” on the confirmation page. Print these codes and store them in a secure place.
We’re finished configuring two-step authentication for your Google Apps account!
Login with two-step authentication
Now, let’s test it. Log out of your Google Account (click on your name in the upper right of the browser, and then choose “sign out”).
Go to http://accounts.google.com/login. Enter your complete email address and password.
You’ll be prompted to enter the six-digit code received on your phone. Enter the code, and then click “Verify”.
You’re all set. two-step authentication is now enabled for your Google account. Remember to keep your phone with you so you can access your Google account.
Two more important things to know
Most applications work well with two-step authentication. Some mobile apps and third-party web apps may require you to use an application-specific password. To get an application-specific password, log in to your Google account. Look for “Authorizing applications and sites” and click “Edit”. (You may be required to re-authenticate, just to be secure.) See Google’s help pages to learn more about application–specific passwords.
Google also makes Google Authenticator applications for Android, iOS, and Blackberry devices. The Authenticator app provides the frequently changing 6-digit number needed for verification. The nice thing about the mobile apps is that they work even without cell coverage. Download and configure the Google Authenticator app only after enabling two-step authentication as described above. Follow Google’s instructions for your device to configure the app.
Are your Google Apps users secure?
two-step authentication should be standard procedure for all corporate users of Google Apps.
An increasing number of other sites offer two-factor authentication (including Facebook). I recommend you enable two-factor authentication whenever and wherever possible. The increased security is worth the decreased convenience.
Have you rolled-out two-step authentication for your users? Do you have any tips to share from your experience?