Please Turn On Two-Factor Authentication


You should read Mat Honan’s heartbreaking tale of a hack attack and the ensuing discussion on Techmeme. Much of the story is about Amazon or Apple’s security practices, but I would still advise everyone to turn on Google’s two-factor authentication to make your Gmail account safer and less likely to get hacked.

Two-factor authentication means “something you know” (like a password) and “something you have”, which can be an object like a phone. Here’s a simple video that shows how it works:

I often hear the same questions or objections when I recommend two-factor authentication. Jeff Atwood has done a good job of debunking common misperceptions — check out his post, which even has pictures. But here are some misconceptions that I hear, along with the reality:

Myth #1: But what if my mobile phone doesn’t have SMS/signal, or I’m in a foreign country?
Reality: You can install a standalone app called Google Authenticator (it’s also available in the iTunes App Store), so your mobile phone doesn’t need a signal.

Myth #2: OK, but what about if my mobile phone runs out of power or my phone is stolen?
Reality: You can print out a small piece of paper with 10 one-time rescue codes and put that in your wallet. Use those one-time codes to log in even without your phone.
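The rescue codes described above are worth seeing from the server's side: the printed codes are random, the service stores only salted hashes of them, and each one is consumed on first use. The following Python is an added illustration written for this post, not Google's implementation; the code format, hashing parameters and the `RescueCodeStore` class are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import List


def generate_rescue_codes(count: int = 10, nbytes: int = 5) -> List[str]:
    """Printable one-time codes such as 'a8f3-2c1e-9b', drawn from the OS CSPRNG.
    This is what the user prints and keeps in their wallet (format is an assumption)."""
    codes = []
    for _ in range(count):
        hexcode = secrets.token_hex(nbytes)  # 10 hex characters per code
        codes.append("-".join(hexcode[i:i + 4] for i in range(0, len(hexcode), 4)))
    return codes


def _normalize(code: str) -> str:
    # Tolerate the ways people retype a printed code: dashes, spaces, upper case.
    return code.replace("-", "").replace(" ", "").lower()


def _digest(code: str, salt: bytes) -> bytes:
    # Codes are low-entropy compared with a key, so stretch them before storing.
    return hashlib.pbkdf2_hmac("sha256", _normalize(code).encode(), salt, 100_000)


class RescueCodeStore:
    """Server-side record for one account: salted hashes only, each usable exactly once."""

    def __init__(self, codes: List[str]) -> None:
        self.salt = secrets.token_bytes(16)
        self._unused = [_digest(c, self.salt) for c in codes]

    def remaining(self) -> int:
        return len(self._unused)

    def redeem(self, submitted: str) -> bool:
        """True once per code; a replay of an already-used code is rejected."""
        candidate = _digest(submitted, self.salt)
        for i, stored in enumerate(self._unused):
            # Constant-time compare so timing does not reveal a partial match.
            if hmac.compare_digest(candidate, stored):
                del self._unused[i]  # burn the code on first successful use
                return True
        return False


if __name__ == "__main__":
    printed = generate_rescue_codes()
    store = RescueCodeStore(printed)
    print("codes to print:", printed)
    print("first use:", store.redeem(printed[0]), "replay:", store.redeem(printed[0]))
    print("remaining:", store.remaining())
```

The plaintext codes exist only at generation time, on the printed slip; a database leak exposes salted hashes, and the single-use rule means a code read from a lost slip is useless once its owner has already spent it.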

Myth #3: Don’t I have to fiddle with an extra PIN every time I log in?
Reality: You can tell Google to trust your computer for 30 days and sometimes even longer.

Myth #4: I heard two-factor authentication doesn’t work with POP and IMAP?
Reality: You can still use two-factor authentication even with POP and IMAP. You create a special “application-specific password” that your mail client can use instead of your regular password. You can revoke application-specific passwords at any time.

Myth #5: OK, but what if I want to verify how secure Google Authenticator is?
Reality: Google Authenticator is free, open-source and based on open standards.

Myth #6: So Google Authenticator is free and open source, but does anyone else use it?
Reality: Yes! You can use Google Authenticator to do two-factor authentication with LastPass, WordPress, Amazon Web Services, Drupal and DreamHost, or even use a YubiKey device. There’s even a Pluggable Authentication Module (PAM) so you can add two-factor authentication to any PAM-enabled application. That means you can use Google Authenticator to add two-factor authentication to SSH, for example.

One last tip: use a different password on Gmail/Google than on other services. If you reuse a password and a hacker cracks into one company, they can use the same password to crack into your Google account.

Please don’t wait to turn on two-step verification. It’s not that hard, and it will really protect your account. Why not set up two-step authentication right now?

Please Turn On Two-Factor Authentication [Matt Cutts]

Matt Cutts is the head of Google’s webspam team. He works to improve the quality of Google’s search results.

Read Lifehacker’s tips on setting up two-step verification here.
