There are very few things that could happen in my life which would be worse than having my personal email accounts compromised. Not only is it a significant invasion of privacy, but it’s also just the start to what could lead to a complete privacy meltdown of my life. I say this because once someone gains access to an email account, the attacker could use it to unlock other accounts using the “I forgot my password” feature common on most sites including my personal blogs, Paypal accounts, online banking, Dropbox and of course all of the data sitting in my Google Apps accounts (Inbox, Calendar, Contacts etc…).
The team over at Google showed they understand this problem and implemented a groovy security feature to help protect against it called 2 Step Verification (also known as two factor authentication). We did a full write-up of the security feature over a year ago however in-light of all the security events on the net recently — I think it’s time we revisit Google’s 2 Step Verification in an attempt to remind everyone to get it enabled ASAP.
Before Enabling Google 2-Step Verification
A few things to note before we enable Google’s 2-step verification on your account.
- Enabling 2-step verification will break email being delivered to your mobile device or Email Client via iMap or any other application like answers.groovypost.comwhich uses Google to authenticate you. Google allows you to create a one-off or application specific password for these apps / services. Only takes a few seconds to do but FYI.
- It’s important to setup a backup phone/device after enabling 2-step verification to prevent locking yourself out of your account. A backup phone can be setup to send TXT message codes or codes via a voice phone call. The process is simple but very important. Don’t skip this step.
- After 2-Step Verification has been enabled on your account, download and install the Google Authenticator App for your mobile. This will save you cash since you won’t need Google to send you txt messages any longer.
- That’s it. Continue forward and enable some delicious, groovy, Google security goodness right now.
How To Enable Google 2-Step Verification
Login into your GMail account and click your username at the top. This will open a context menu. Click Account under your name.
Note – If you’re a Google Apps user, your System Administrator will need to enable 2-Step Authorization in the Admin console before the feature will be available for your account.
Click Security.
Under 2-step verification, Click Edit.
Sign in again when prompted (they make you login again for security reasons).
Get out your Mobile Phone and Click Start setup >>.
Enter your Phone number and Click Send Code (note – do not use your Google Voice number. You need a mobile phone).
Google will send you a 6 digit TXT message to your phone. Enter it and click Verify.
By default, Google will trust the computer you’re currently using and not require the use of the 2-step verification from it for 30 days. I’m actually OK with this since my laptop never leaves me at anytime and I have a solid AV solution installed so I’m 99% confident I don’t have any malware installed.
For maximum security however, feel free to uncheck it however getting started I recommend just keeping with the default.
Many applications on the net use your Google account to login however they don’t have an interface to ask for the 2-step verification code. The same goes for Mobile devices like my iPhone since email is delivered real-time. In these cases, Google allows you to create passwords for these devices. I’ll cover this in more detail later so forge ahead by clicking Create passwords or click Do this later to set them up later.
All done. 2-step verification for your Google Account is now enabled.
Note: Before you continue and test things out, I HIGHLY recommend you setup a backup phone just in case you lose your phone and need to login to your account. Just click the Add a phone number link as shown above and it will walk you through the simple process.
To test thing out, logout of your Google account by clicking your username and Sign out.
When logging in, you will notice that after entering your Google username and password, Google will send your mobile phone a TXT message with a new six digit code and prompt you to enter it. Note, if you prefer to not have Google send you txt messages, download and install the Google Authenticator app for your Android or iPhone Mobile. It’s free and simple to use.
Enter the code and click Verify
In this day and age of Malware bots and 0 day exploits, adding two factor authentication to your email accounts is no longer optional in my opinion. Although a bit inconvenient, it’s definitely better to spend a few minutes a day to keep your account and digital life secure than working weeks or even years cleaning up from an account compromise.
Hi Shottle — Thanks for the question. I’m not sure why you couldn’t get Google to send you a text on your second computer.
My recommendation is to try it again only this time — after enabling 2 step verification on your google account (by following the steps in this article), read this article:
https://www.groovypost.com/howto/enable-google-authenticator-app-google-gmail-account/
This is the next article in the series which explains how to enable the Google Authenticator App on your iPhone or Android Mobile so that you don’t need to wait for Google to send you text messages. It works really well and should solve the problem you’re having on ALL your devices.
Hope this works! Report back!
-S
OK. I’ve got 2-step set up on my personal work computer (a Windows 7 machine I bought this January when I first became unemployed), a Windows XP machine that a firm I contract with makes available for me to use, and on my personal MacBook Pro (love that solid metal case). I THINK I’ve figured out what I was doing wrong: after setting up the first machine, I set up my Android and downloaded and installed Google Authenticator. I did not realize that, once I had Authenticator, I no longer needed to get a text–that the Authenticator would generate the codes for me.
Interesting factoid: Having disabled 2-step authentication, I thought I’d need to generate new application-specific password for those applications that need them–and to do that, I “revoked” the previously-generated ones. That did not see to impair the effectiveness of those previously generated passwords, however; I am receiving email on my Android, and through Outlook, without having to enter the new ones.
All’s well that ends well–I do feel better about security with 2-step authentication in place. Thanks for the help!
Spoke too soon–I did, in fact, have to use a new application-specific password.
OK yeah — I was gonna say…… that’s not good!
Yeah I should have mentioned in the article that once you move over to the Google Auth. App, you will no longer get the txt messages. I think that’s a good thing but might confuse a few ppl. Thnx for bringing that out @a1de4feb495b0795d0404382ce3e36bf:disqus.
-S
Article updated.
Ok. I finially enabled it and yeah, very cool. Thnx.
I do however recommend using the iPhone app vs txt messages.
It saves on the TXT message cost yes! I’ll add the link to this article on that.
Unfortunately this does not seem available for those individuals wanting verification codes sent vie another means other than a Smart Phone. I’m currently in rural Thailand, and do not have use of an iPhone etc..
BTW I’m just learning “how to” do more on my computer/internet etc. I’m in the “over the hill” gang. 🙂 But anxious to learn. Groovypost is helping me “big time.”
Thanks,
Selftaopath
I usually just read ‘some’ of your posts, w/intent to keep in mind the ones that apply to me and they usually do not. Because an accounting firm’s management is changing from one to another I realized my husband & I needed a joint email for our financial accounts which up until now, I managed. So I set up a gmail account – which was no walk in the park – now you have informed us of the future with Google, I almost feel like wiping it out & going to hotmail, which also has been complicated by Windows 8, because it wants emails to be secondary to its Outlook.com. Not your fault, but today’s ‘post’ has me in in overload. @66 I’m proud that I buid & run church websites using 3rd pary boiler plates, but the deeper we get into digital “must do banking & investment management by pc!!!” – the more the ‘older’ brain has to keep up to date with. as the population ages, as projections show, soon half the country will not be able to mamage their financial world without a pc degree and… Constant continuing ed! I am very much afraid that age & progressmare working against the boomers!