Please Turn On Two-Factor Authentication

You should read Mat Honan's heartbreaking tale of a hack attack and the ensuing discussion on Techmeme. Much of the story is about Amazon or Apple's security practices, but I would still advise everyone to turn on Google's two-factor authentication to make your Gmail account safer and less likely to get hacked.

Two-factor authentication means "something you know" (like a password) and "something you have", which can be an object like a phone. Here's a simple video that shows how it works:

I often hear the same questions or objections when I recommend two-factor authentication. Jeff Atwood has done a good job of debunking common misperceptions -- check out his post, which even has pictures. But here are some misconceptions that I hear, along with the reality:

Myth #1: But what if my mobile phone doesn't have SMS/signal, or I'm in a foreign country? Reality: You can install a standalone app called Google Authenticator (it's also available in the iTunes App Store), so your mobile phone doesn't need a signal.

Myth #2: OK, but what about if my mobile phone runs out of power or my phone is stolen? Reality: You can print out a small piece of paper with 10 one-time rescue codes and put that in your wallet. Use those one-time codes to log in even without your phone.

Myth #3: Don't I have to fiddle with an extra PIN every time I log in? Reality: You can tell Google to trust your computer for 30 days and sometimes even longer.

Myth #4: I heard two-factor authentication doesn't work with POP and IMAP? Reality: You can still use two-factor authentication even with POP and IMAP. You create a special "application-specific password" that your mail client can use instead of your regular password. You can revoke application-specific passwords at any time.

Myth #5: OK, but what if I want to verify how secure Google Authenticator is? Reality: Google Authenticator is free, open-source and based on open standards.

Myth #6: So Google Authenticator is free and open source, but does anyone else use it? Reality: Yes! You can use Google Authenticator to do two-factor authentication with LastPass, WordPress, Amazon Web Services, Drupal and DreamHost, or even use a YubiKey device. There's even a Pluggable Authentication Module (PAM) so you can add two-factor authentication to any PAM-enabled application. That means you can use Google Authenticator to add two-factor authentication to SSH, for example.

One last tip: use a different password on Gmail/Google than on other services. If you reuse a password and a hacker cracks into one company, they can use the same password to crack into your Google account.

Please don't wait to turn on two-step verification. It's not that hard, and it will really protect your account. Why not set up two-step authentication right now?

Please Turn On Two-Factor Authentication [Matt Cutts]

Matt Cutts is the head of Google's webspam team. He works to improve the quality of Google's search results.

Read Lifehacker's tips on setting up two-step verification here.


    Those aren't myths... they're FAQs or concerns about moving to two factor authentication.
    A myth would be "You can't use TFA in a foreign country if your mobile phone doesn't have coverage".

    Google offers you a set of codes that you should keep with you at all times, so you can access your accounts even if you lose your phone.

    1. What if I don't want Google to have possession of my phone number
    2. What if I don't have a smart phone (the app is then useless)

    And that is why the two-factor authentication is a suckhole - it requires stuff you don't want to give. An alternative is required but unfortunately I don't know what.

      In these cases see which does it on Windows.

    I didn't know it existed. I shall look into it. Thank you, Jay.

    A question is not a myth, Matt

    What if my phone is lost/stolen? Then I am locked out of my Gmail for good. Because if I'm not, then my Gmail is obviously capable of being accessed by a malicious 3rd party using the password alone.

    This is simply NOT an answer. A strong password, memorable to you (like mattsucksdonkeysballslulz) but not to anyone else is way more important!
