How to use 2-step verification to keep your Google / Gmail account secure [Android 101]

onlineSecurity

Security can sometimes sound like a boring topic to your average Joe Schmo, but it’s actually very important. You simply don’t want to give people the means to sneak into your accounts and access all your sensitive data if you can’t help it.

Sometimes you can’t help it, with even the biggest corporations sometimes letting sneaky, malicious people gain access to customer accounts right under their noses. (We’re looking at you, Target and Evernote.)

Your Twitter account? Yelp? Maybe not as important, but your e-mail stores a ton of sensitive info. In Android land that usually means your Gmail / Google account, and if you haven’t already, you should further protect your account by enabling 2-step verification.

First, though, it’s important to know what 2-step verification is, and how it can ensure no one but you can get into your account.

What is 2-step verification?

Imagine a system where no one can login to your account unless they have your actual phone in their physical possession — that’s exactly what 2-step verification in Gmail equips you with. It’s an extra layer of security that makes it a lot more difficult for people to do their dirty bidding.

Think of it like a safe that not only needs the access code, but also requires the safe owner’s iris to be scanned before giving you access. Now apply that to your Gmail account with 2-step verification — even if the perpetrators had your exact username and password, they wouldn’t be able to fully access your account until they verify their authenticity using your phone.

google 2step banner

Even that isn’t 100% foolproof, though — just like you could probably find your way into a safe by physically breaking its lock, nothing’s keeping people from stealing your phone. But the chances of someone having both your account information and your phone in their possession are slim, and we imagine most “hackers” wouldn’t go through the trouble of trying to track down someone’s phone to get into their account (unless you happen to be some high-ranking government official with highly valued information).

How 2-step verification works in Gmail

The name of the feature is actually a bit self-explanatory — it requires two different login steps before you can gain full access to your account. To illustrate that concept, here is the simple login process in list form:

  1. Sign into your account like normal using your username and password.
  2. A one-use code will be sent to your phone via text message, voice call or a mobile app. Get the code and enter it into the login form.

And that’s literally it. Of course, it’d be inconvenient for people to do this every single time they wanted to login, so Google allows you to set trusted devices up so you can login using just a username and password after logging in with 2-step for the first time. It wouldn’t be wise to trust a library computer, natch, but you might set your home computer up as one of the devices that don’t require 2-step logins.

How to setup 2-step verification in Gmail

You’re likely salivating at the prospect of getting your account equipped with 2-step verification by now, so we’re going to hop right into it. It’s actually very simple to get going, so be sure to read each step carefully, and fully, before heading off to try it yourself.

First, make sure you’re signed into your Gmail or Google account. From there, click this link, and press the Start Setup Button:

2step 1

Next, Google will ask you for your phone number. If you’ve previously set your phone number up with your account, they’ll auto-populate this field for you. If not, simply enter it in the “Phone Number” field (taking care to select your proper country and using full area codes). Then, decide whether you want your code via voice call or SMS. Finally, press the “send code” button:

2step 2

From here, you should be getting a phone call or a text message with a six digit verification number, depending on which option you chose. Make a note of that number, and enter it into the page you see below. (If you didn’t receive your code, you may need to request another one using the link at the bottom of the page.) Once you’re sure the code is correct, press the “Verify” button:

2step 3

If you’re doing this on your personal computer, this is where you’ll want to set it to be a trusted computer. Simply check the box that says “trust this computer,” and hit next. If you aren’t at your personal computer you can leave this box unchecked until you get to it. The next time you successfully sign in Google will ask if you want to set it as a trusted computer:

2step 4

Finally, Google will ask you to confirm everything one last time. If you’re confident that you followed everything correctly simply hit the “Confirm” button.

2step 5

At this point Google will inform you that you will be signed out of all the Google accounts and services you have connected on all of your different devices. This is to make sure you are only signing back in with devices you authorize, so anyone who might have still been signed into your account at this point will be swiftly, promptly, rightly and thoroughly kicked out of every corner of your Google account:

2step 6

And you’re done! From now on, Google will ask you to verify your authenticity using a code sent to your mobile phone each time you sign in on an untrusted computer, and you can rest easy knowing only you will have everything you need to sign in (so long as you maintain possession of your mobile phone).

Backup plans

If, for whatever reason, you need to login to your account from an untrusted computer and you can’t use your phone, or you are traveling and can’t get a proper signal, Google has provided you with a couple of different backup plans.

2step backup

If you have an extra line available to you, Google strongly suggests setting it up as a backup phone. That way, you can still have your code delivered to you on another trusted phone in the event that your primary phone is lost. Setting up your backup phone will take you through the same exact process of setting up your primary phone, so be sure to follow the instructions above if you want to take care of that.

Google also allows you to print or download backup codes, so you can have them handy in the event that you can’t generate a fresh code on the spot. It’s a good idea to generate a few different codes and keep them hidden someplace safe or someplace that’s convenient for you to access them, and only use them as a last resort. You can generate more at any time by heading into your account settings.

Other ways to keep your account safe

2-step verification is a powerful tool in and of itself, but you should always take care to practice basic account security measures. Some of these may sound obvious to a lot of you, but you’d be surprised to learn how many people completely disregard these (sometimes unwritten) rules:

  • Don’t make your password obvious. Using “password” as your password isn’t a good idea, for instance. Stay away from using your children or spouse’s name, pet names, school mascots and slogans, birthdays, and any other personally sentiment words and names that someone can easily guess.
  • Mix your password up with both uppercase and lowercase letters, and sprinkle some numbers and — if supported — special characters throughout.
  • Use a password that’s at least 8 characters long.
  • Never show or tell your password to anyone else.
  • Never use your password on a site that isn’t Google’s. To be safe, you can check the URL of the site you’re currently on by looking at the address bar of your browser, and check the site’s security certificate by looking for a lock icon.
  • Change your password as often as possible. For some, this could be as much as once per week, while others may be more comfortable doing it once per month. Either way, you shouldn’t go too long without changing it.

Using these tips will go a very long way in making sure your account stays secure. Whether your account is for signing up for online promotions or used to communicate in a corporate setting, you’ll want to take every measure you can to make sure unwanted eyes are kept out. We urge you to take heed to these tips if you aren’t already, and go on with your life without worrying about undesirable cyber foes.

Any other tips?

Have we missed something? Have an extra tip you want to share? We want to hear it, and so does everyone else! Be sure to drop any other hints or thoughts into the comments section below, and let us know if you have any questions about anything discussed in the guide above!

Continue reading:




  • the_real_kratos

    The last time I set this up, a few of my third party apps that I had granted access to different Google services stopped working because they were not compatible with 2-step verification. One example of such was an Office style app (can’t remember which one exactly) that I used Google Drive to access remote documents. It wouldn’t work again until I deactivated 2-step.

    Edit, turns out I can use it for 3rd party apps now! I have to sue a separate password, generated by Google. It’s kinda a pain to get set up, but hopefully I won’t have to do this very often….

  • pang

    when i lost my phone and tried to do device manager, it sent me a text asking me to verify in order to access the device manager.

  • http://google.com/+derekross Derek Ross

    Also, it’s worth mentioning that you can use the Google Authenticator app for dozens of other applications besides your Google account. Such as: LastPass, Coinbase, Blockchain.info, Dropbox, AWS, WordPress, Facebook, etc.

    We have an incredible amount of information saved on our Google account and other accounts. You should be protecting that information to the best of your ability.

    • jfelts

      Yet you still can’t password protect Google drive…

      • z0phi3l

        It’s attached to your main Google account, including 2 step verification, not that hard a concept to grasp

  • http://twitter.com/Vanakatherock Vanakatherock

    Informative article. I set up 2-step on my main gmail account last week when I logged in and seen both my google search results and youtube history had Russian language results over the span of a week and at a time I was asleep.

  • Paul Guy

    Any idea if all or most of the google services/applications actually support 2-step verification now. They used to not, and that was why I stopped using it. I have no problem living in GoogleLand, I just want everything to work there.

    • David Schaap

      Since the start of it it supports the creation of special app-specific passwords for programs that don’t support 2-step authentication. These passwords are created per program/app/site you add (see security settings page of your google account), and are then entered in the app you wish to give access.

  • phinn

    Didn’t even know about this. Took just a few minutes to setup on my main box, laptop, and phone. Nice…

  • np6s4x

    nice read, already have it setup on google, yahoo, and microsoft

  • godrilla

    2 step verification is a must as well as passwords longer than 8 digits long which hackers can crack within minutes with a powerful graphics card ( sentences are the new recommendation ). If you really want to be secure try running a vpn.
    Also don’t use the same password for different accounts.

  • lordielordie

    Google Authenticator app generates the access code on the fly and does not need to be on line to do that.

    that’s is what Authenticator it looks when you have 2 Google accounts..

  • currency212

    This can get extremely annoying if you change roms a lot. All of a sudden you’re constantly having to use those backup codes and then reset the Authenticator app. However there’s a workaround provided you have another rooted Android device. You need to make a titanium backup copy of an already setup Authenticator app and install it on the other device with app and data.

    Then you have 2 devices with the authenticator app! Obviously this *won’t* be as secure as just 1 device, but it’s still tons better than just a password.

    My 2nd tip is facebook also can use this same authenticator app and two-factor authentication. Remember fb can be a minefield of biographical info. Mother’s maiden name, bam, high school, bam. All that info can be used for answers to “secret questions” on password retrieval sites.

    • Devon Warren

      This was the only real annoyance I had with the 2 factor but I just ended up skipping the google login initially and then setting it up and having it send a code via text to use.

  • Go Hawkeyes

    The downfall is that to set a computer as trusted you have to have cookies enabled in your browser. I have chrome set to delete cookies on exit so my computer is never remembered as trusted.