In the wake of approximately five million Gmail account passwords and email addresses being leaked by Russian ne’er-do-wells, it is time to enable two factor authentication on any account that is important to you. (While Google does not seem to have been at fault for this leak, many users use the same password in multiple places, and coupled with the address leak, crackers have started trying each address in combination with some passwords to attempt to gain access.) Since a vast swath of the Internet public uses Gmail, Google has seen fit to enable two factor authentication for their online properties. In this article, I will show you how to set up the protection and use it.
A quick refresher on exactly what two factor authentication is: it involves something you have (the first factor) and something you know (the second factor). To log into an account or a service for which you have enabled two factor authentication, you are generally prompted to enter your username and password, after which the service texts, or otherwise sends, a one-time code to a phone you have enrolled, and you enter that code in the next step of the login process. With this protection enabled, a leaked or otherwise compromised password does not by itself threaten your account, because any nefarious characters would also need access to your enrolled phone, which is generally always in your possession. Something you have and something you know.
Editor’s Note: A website has been created for Gmail owners to quickly find out if their Google account was part of the aforementioned leak of 5 million user account details. Check to see if your account is on the list by visiting the “Is my email leaked?” website.
Setting Up Google 2-Step Verification
Google calls this method of authentication “2-step verification,” and it is not difficult to get it set up.
1. To begin the process, visit the Google 2-Step Verification support page and click the blue Get Started button in the middle of the page.
Google calls their two-factor authentication feature “2-Step Verification.” (Image: Jonathan Hassell)
2. On the next page, click the blue Start Setup button at the far right of the page.
3. In the first step you enroll the phone—preferably a mobile phone or smartphone, but it could be a landline if that is all you have consistently available—to which Google will send the one time password tokens. Enter your phone number in the box, and then choose a voice call from an automated robot or a simple SMS text message.
Note: Do NOT use your Google Voice number, as Very Bad Things™ will happen.
4. In the second step you confirm the code that was sent to the phone you entered in step 1.
Verifying your phone verification code. (Image: Jonathan Hassell)
5. In step 3, you can choose to trust the computer you are using to enroll in two step verification. If this is your main PC, you can save some time. I would recommend not enabling the cookie on laptops or mobile devices: if one of those gets lost and you have saved your regular password on it, two step verification becomes completely ineffective on that device.
Establishing trust to a specific computer. (Image: Jonathan Hassell)
6. In step 4, which is the final step, you confirm you want to enable your Google account in this whole deal. I am not sure how many people go through all four steps and then choose not to enable, but I suppose that is what they mean when they say, “don’t be evil.” Click the blue confirmation button, and then you are all set and protected.
Turning on 2-factor authentication. (Image: Jonathan Hassell)
Once you have enabled 2 step verification, signing in to your Google account works as follows:
- Enter your username and password on the sign in page.
- Google will then send a code via SMS text, a voice telephone call, or the Google smartphone app, which is available for iOS and Android devices.
- You will enter this code on the next page to verify that you are who you say you are.
Application Specific Passwords
Some applications will stop working once you enable two step verification, including iPad and iPhone Gmail access and some chat programs. For these applications, Google can generate an application specific password, which turns off the multi-factor authentication for just that app. To turn that feature on, head to https://security.google.com/settings/security/apppasswords?pli=1.
From the drop down lists, simply choose the application you need and the device you want to use that application on, and the password will be generated for you.
Generated app passwords for Google Accounts. (Image: Jonathan Hassell)
Printing Backup Codes
Imagine a scenario where you are unable to receive voice calls or text messages, but you still need access to your Gmail account. (Hypothetically, this may or may not have happened to me as I tried to write this piece on an airplane at 30,000 feet.)
For just this reason, Google has created backup codes, which are generated in advance so that you can print them out or write them down and keep them with you in the event you need to sign in but cannot receive a fresh one time password.
On this page, https://accounts.google.com/b/0/SmsAuthSettings#devices, scroll down to the bottom and click the Print or Download button.
Choosing backup options for 2-factor authentication. (Image: Jonathan Hassell)
The codes will then be displayed, with a handy checkbox so you can eliminate each code as you use it—again, each is good for just a single use.
Printing Google backup verification codes. (Image: Jonathan Hassell)
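How a service can enforce the "single use" property of pre-generated codes like these, as an added example that is not from the original article and is not Google's implementation. The class name, the count of 10 codes and the 8-digit length are assumptions made for the sketch.

```python
import hashlib
import hmac
import secrets


class BackupCodes:
    """Pre-generated, single-use sign-in codes for one account (illustrative)."""

    def __init__(self, count=10, digits=8):
        # count and digits are assumptions for this sketch, not values from the article.
        self._salt = secrets.token_bytes(16)
        self._unused = set()   # salted hashes of codes that have not been redeemed
        self.printable = []    # shown to the user once for printing, then discarded
        while len(self.printable) < count:
            # secrets (not random) so the codes are not predictable.
            code = "".join(secrets.choice("0123456789") for _ in range(digits))
            digest = self._digest(code)
            if digest in self._unused:
                continue       # skip the rare duplicate code
            self._unused.add(digest)
            self.printable.append(code)

    def _digest(self, code):
        # Only a salted hash is kept server-side, never the code itself.
        return hashlib.sha256(self._salt + code.encode()).digest()

    def redeem(self, submitted):
        """Return True and burn the code if it is valid and still unused."""
        # Users often type printed codes with spaces or dashes; keep digits only.
        normalized = "".join(ch for ch in submitted if ch.isdigit())
        candidate = self._digest(normalized)
        match = None
        for stored in self._unused:
            # Constant-time comparison against every stored digest.
            if hmac.compare_digest(stored, candidate):
                match = stored
        if match is None:
            return False
        self._unused.discard(match)  # single use: a second attempt will fail
        return True

    def remaining(self):
        """Number of codes the user can still cross off the printed sheet."""
        return len(self._unused)
```

A real service would also rate-limit redemption attempts and persist the unused set per account.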
In summary, passwords alone are so 2004. Enable two step verification on your Google accounts today, and proceed through the next massive leak of personal information worry free.