Please Turn On Two-Factor Authentication

Please Turn On Two-Factor Authentication

You should read Mat Honan’s heartbreaking tale of a hack attack and the ensuing discussion on Techmeme. Much of the story is about Amazon or Apple’s security practices, but I would still advise everyone to turn on Google’s two-factor authentication to make your Gmail account safer and less likely to get hacked.

Two-factor authentication means “something you know” (like a password) and “something you have”, which can be an object like a phone. Here’s a simple video that shows how it works:

I often hear the same questions or objections when I recommend two-factor authentication. Jeff Atwood has done a good job of debunking common misperceptions — check out his post, which even has pictures. But here are some misconceptions that I hear, along with the reality:

Myth #1: But what if my mobile phone doesn’t have SMS/signal, or I’m in a foreign country? Reality: You can install a standalone app called Google Authenticator (it’s also available in the iTunes App Store), so your mobile phone doesn’t need a signal.

Myth #2: OK, but what about if my mobile phone runs out of power or my phone is stolen? Reality: You can print out a small piece of paper with 10 one-time rescue codes and put that in your wallet. Use those one-time codes to log in even without your phone.

Myth #3: Don’t I have to fiddle with an extra PIN every time I log in? Reality: You can tell Google to trust your computer for 30 days and sometimes even longer.

Myth #4: I heard two-factor authentication doesn’t work with POP and IMAP? Reality: You can still use two-factor authentication even with POP and IMAP. You create a special “application-specific password” that your mail client can use instead of your regular password. You can revoke application-specific passwords at any time.

Myth #5: OK, but what if I want to verify how secure Google Authenticator is? Reality: Google Authenticator is free, open-source and based on open standards.

Myth #6: So Google Authenticator is a free and open source, but does anyone else use it? Reality: Yes! You can use Google Authenticator to do two-factor authentication with LastPass, WordPress, Amazon Web Services, Drupal and DreamHost, or even use a YubiKey device. There’s even a Pluggable Authentication Module (PAM) so you can add two-factor authentication to any PAM-enabled application. That means you can use Google Authenticator to add two-factor authentication to SSH, for example.

One last tip: use a different password on Gmail/Google than on other services. If you reuse a password and a hacker cracks into one company, they can use the same password to crack into your Google account.

Please don’t wait to turn on two-step verification. It’s not that hard, and it will really protect your account. Why not set up two-step authentication right now?

Please Turn On Two-Factor Authentication [Matt Cutts]

Matt Cutts is the head of Google’s webspam team. He works to improve the quality of Google’s search results.

Read Lifehacker’s tips on setting up two-step verification here.


Show more comments

Log in to comment on this story!