Google just launched two-step verification for all Google accounts, a system which makes your Google/Gmail account—the account possibly containing the lion's share of your private communication online—considerably more secure. In fact, we'd encourage everyone who uses Gmail (the @gmail version or your Google Apps version) as their primary email provider to start using this feature as soon as possible. Here's why, and then how.
What's Two-Step Verification?
The only thing standing between a hacker and your Google account—and more importantly, your sensitive information—is your password. Even if you had the strongest password you could possibly randomly generate, if someone were able to discover that password, they'd be in.
Two-step verification offers a more secure way for Google to verify that you are who you say you are when you're logging into your Google account on a new web browser, through a new application, or on a new mobile device. With two-step verification, your password isn't enough by itself. As Google put it:
2-step verification requires two independent factors for authentication, much like you might see on your banking website: your password, plus a code you only use once.
Those two factors are:
- Your password (just like always)
- A single-use verification code that Google sends to your phone in one of three ways: 1) Using the Google Authenticator app available for Android, iPhone, and BlackBerry, 2) via SMS, or 3) through a voice call (meaning you could even use a landline if you didn't have a cellphone—basically the call would read off the code to you).
Both your password and the single-use verification code are required to log in on a new browser. You can then tell Google to remember your log-in for 30 days.
How to Set Up Two-Step Verification
If you're convinced that you want the added security, or you at least want to give two-step verification a try, just log into your Google account and point your browser to your Google accounts page. (Google Apps users will need to go to their domain-specific control panel to enable two-step verification. If you're not the Google Apps admin, talk to yours about it.)
On the right side of the page, under Personal Settings > Security, click the Using 2-step verification link (you can bookmark that link if you like).
Now walk through Google's two-step verification setup guide. It's pretty simple: Essentially you have to add a new phone that you want to use for your two-step verification and confirm that it is indeed your phone (you do this in different ways depending on what method you're using). Using the Google Authenticator app for Android or for iPhone, for example, you verify by scanning a QR code and then testing the verification code it generates. Just follow along with the wizard for whatever method you're using.
Once you've set up your phone, you can also add a backup—a trusted number you can also access if, for example, you lose your phone—so you can still access your account. You can even print off a few backup codes to carry in your wallet or somewhere safe.
Using Two-Step Verification
The process for logging into your Google account from a new browser will now look something like this:
- You visit a Google sign-in page, like this one.
- You enter your username and password, like always.
- You're now prompted to enter a code, which is tied only to a phone number you provide. You can receive this code on your phone using one of the Google Authenticator apps available for Android, iPhone, and BlackBerry, via SMS, or through a voice call (or, I suppose, using one of your printed backup codes).
- You enter the code, optionally checking the box to Remember verification for this computer for 30 days, click Verify, and you're in.
It's fairly simple, but it does add a little bit of hassle to your login. Personally, I think the added security is well worth it.
The other thing you'll need to get used to involves logging into your Google account from third-party applications—like, say, a desktop email client. Since those clients don't support Google's two-step verification, you actually have to create single-use passwords the first time you log into any new third-party application that needs to access your Google account. You'll only need to generate the new password for each application once—unless you decide to revoke access to that device. Here's how it works:
Point your browser to this page (I'd actually recommend bookmarking it, but you can also find the link on your Account settings page under Security > Authorizing applications & sites). Here you'll see all the webapps that you've allowed access to your Google account via OAuth (which uses the verification process above); below you'll see the Application-specific passwords section, which is where you generate new passwords for devices that can't support the two-step verification. To do so:
- Type in the name of the device or application that you want to generate a single-use password for.
- Click Generate password.
- Google will return a new 16-digit (plus four spaces) password for you to use on that device. Once you hide it, you have no way to retrieve it again (a good thing).
Unlike the two-step process for logging into your Google account on the web, you only have to enter an application-specific password once; it remains active with that single-use password indefinitely. You can, however, revoke any password/device/application from accessing your Google account at any time—which I've done for the password I generated in the screenshot above. (Hands off my Google account!) From the device configuration page, you can also clear your phone info and all printable codes, should you lose your phone or misplace a printed code.
Been using Google's two-step verification on your Google Apps account before this? Share your tips in the comments. Otherwise, let's hear if you're planning to use the new two-step verification with your Google account.
You can contact Adam Pash, the author of this post, at tips+adam@lifehacker.com. You can also follow him on Twitter and Facebook.