We discuss the concept of two-factor authentication (2FA) in some detail in this article, but basically it boils down to adding an extra layer of security by requiring a ‘something you have’ element in addition to the commonly used ‘something you know’.
Google introduced two-factor authentication for most of its services, including Gmail, a couple of years ago (and has now been joined by the likes of Twitter and Facebook).
With Google the ‘something you know’ part is of course your username / password, while the ‘something you have’ part is your smartphone. While we think Google’s implementation of 2FA is a great step forward for security, it is a bit of a shame that no options exist for non-smartphone users.
1. To sign up for two-step verification (as Google calls it), follow this link to the sign-up page.
2. After re-confirming your password, Google will ask you for a phone number to send the verification code to. You can choose to receive either a Text or Voice Call.
3. When the code arrives on your phone, enter it on the website.
4. It is always a good idea to be able to access your account even if you lose your phone.
5. The last step is simply to confirm that you want to turn on 2FA.
Using Google two-step verification
Google will send you a new code every 30 days, but the claim that ‘You’ll only be asked for a code whenever you sign in using your account from an untrusted computer or device’ is somewhat misleading.
Every time that you use a new browser (even if on the same computer) your phone will be sent a new verification code which you must enter.
Many programs that interact with Google services do not support two-step verification. In this case you can generate an application-specific password by going to the App-specific passwords tab on your 2-Step Verification page.
While you are being security conscious, it might also be an idea to check out which apps have access to your Google account here.
What if I lose my phone or have no internet connection?
When you first start using two-step authentication, Google will prompt you to add one or more backup phone numbers (which need not be yours, only those of someone trusted). Numbers can be managed from your 2-Step Verification page.
You can also generate app-specific / backup codes in advance, which is useful if you plan on travelling someplace without internet access. Alternatively, the Google Authenticator app can generate new codes even if you don’t have an Internet connection or mobile service, and is available for Android, iPhone or BlackBerry.