Google just launched two-step verification for all Google accounts, a system which makes your Google/Gmail account — the account possibly containing the lion’s share of your private communication online — considerably more secure. In fact, we’d encourage everyone who uses Gmail (the @gmail version or your Google Apps version) as their primary email provider to start using this feature as soon as possible. Here’s why, and then how.
What’s Two-Step Verification?
The only thing standing between a hacker and your Google account — and more importantly, your sensitive information — is your password. Even if you had the strongest password you could possibly randomly generate, if someone were able to discover that password, they’d be in.
Two-step verification offers a more secure way for Google to verify that you are who you say you are when you’re logging into your Google account on a new web browser, through a new application, or on a new mobile device. Your password isn’t enough by itself. As Google put it:
2-step verification requires two independent factors for authentication, much like you might see on your banking website: your password, plus a code you only use once.
Those two factors are:
- Your password (just like always)
- A single-use verification code that Google sends to your phone in one of three ways: 1) Using the Google Authenticator app available for Android, iPhone, and BlackBerry, 2) via SMS, or 3) through a voice call (meaning you could even use a landline if you didn’t have a mobile phone — basically the call would read off the code to you).
Both your password and the single-use verification code are required to log in on a new browser. You can then tell Google to remember your login for 30 days.
How to Set Up Two-Step Verification
If you’re convinced that you want the added security, or you at least want to give two-step verification a try, just log into your Google account and point your browser to your Google accounts page. (Google Apps users will need to go to their domain-specific control panel to enable two-step verification. If you’re not the Google Apps admin, talk to yours about it.)
Once you’ve set up your phone, you can also add a backup — a trusted number you can reach if, for example, you lose your phone — so you can still get into your account. You can even print off a few backup codes to carry in your wallet or keep somewhere safe.
Using Two-Step Verification
The process for logging into your Google account from a new browser will now look something like this:
- You visit a Google sign-in page, like this one.
- You enter your username and password, like always.
- You’re now prompted to enter a code, which is tied only to a phone number you provide. You can receive this code on your phone using one of the Google Authenticator apps available for Android, iPhone and BlackBerry, via SMS, or through a voice call (or, I suppose, using one of your printed backup codes).
- You enter the code, optionally checking the box to Remember verification for this computer for 30 days, click Verify, and you’re in.
It’s fairly simple, but it does add a little bit of hassle to your login. Personally, I think the added security is well worth it.
The other thing you’ll need to get used to involves logging into your Google account from third-party applications — like, say, a desktop email client. Since those clients don’t support Google’s two-step verification, you actually have to create single-use passwords for every new third-party application that needs to access your Google account. Here’s how that works:
- Type in the name of the device or application that you want to generate a single-use password for.
- Click Generate password.
- Google will return a new 16-digit (plus four spaces) password for you to use on that device. Once you hide it, you have no way to retrieve it again.
You can revoke any password/device/application from accessing your Google account at any time — which I’ve done for the password I generated in the screenshot above. (Hands off my Google account!)
Been using Google’s two-step verification on your Google Apps account before this? Share your tips in the comments. Otherwise, let’s hear if you’re planning to use the new two-step verification with your Google account.
Like many new feature releases from Google, two-step verification is a gradual rollout, reaching everyone over the next few days, starting today. If you don’t see the Using 2-step verification link immediately, it should be there soon.
Two-step verification has been available for a while now to Google Apps users — specifically for the paid Google Apps accounts. This update makes it available to all users of Google’s free products, including free Google/Gmail accounts and free Google Apps accounts.