Guide: Secure your Google Account with 2-Step Verification
If you are using Android, you already understand the importance of your Google Account. From contacts to email to application data, everything is stored there. This makes it a lot more precious than it was a few years ago, when Gmail was the only product most of us used a Google Account to log in to. A few weeks ago, I was scared that my Google Account might get hacked and I searched for ways to make it more secure. My first thought was to go for a premium account by paying a yearly fee of approx. $50 (Google Apps account), but most of those features were not necessary for me. Then I stumbled across a relatively unknown feature of the Google Account: “2-step verification”. It is a bit painful to set up, but it is worth the effort because, in the end, your account is priceless.
2-step verification adds an extra layer of authentication: a login from a browser-based client will ask for a verification code that is either generated by the ‘Google Authenticator’ mobile app or sent to your primary phone by SMS or voice message. Any non-browser-based tool or device needs its own application-specific password, generated once for that app/device. So, if you lose your phone, you can immediately log in to your Gmail using the backup codes (provided during the setup process) and revoke access for the affected apps/devices. Like I said earlier, the only pain here is the initial setup. Without wasting any further time, let’s set up 2-step verification.
Before starting the setup, make a list of the apps/devices that need access to your Gmail account, as you will need to set up an application/device-specific password for each of them. The process in brief is:
- Setup the primary phone
- Add backup options
- Turn on 2-step verification
- Generate application specific passwords
There are two ways to setup your primary phone.
- Using Google Authenticator application (iOS, Android, Blackberry)
- Google SMSes the code to your primary phone
We suggest using the Google Authenticator application, as the codes are generated instantly on the phone without waiting for an SMS (which can be a problem in areas with network issues). Do note that you should never ever share or lose the backup codes, and make sure that when you lose your phone, you immediately revoke access for that device and the relevant applications. So, let’s get going.
SMS based authentication:
- Log in to your Google account and open this page, or sign in to your Google account and go to Settings -> Using 2-step verification.
- Click on ‘start setup’
Enter the phone number that you want to use and click on ‘send code’ to test the setup. The code is a six-digit number. Enter this code in the text box and click on ‘verify’.
If the right code is entered, you will see a note saying “Your phone is configured”; click Next.
Make a note of the backup codes that you see on the next page (there are 10 in total), select ‘I have a copy of my backup codes’ and move on to setting up the backup device. Do NOT take a printout of these codes, as it is very common to lose a printout. Instead, keep these codes in a safe location online (I have used a note-taking application).
Next, you will be asked to set up a backup phone. In case you lose your primary phone, you will receive the codes on the backup phone either by SMS or by automated voice message (useful for landlines). You can opt to test the device to make sure that it is able to receive the codes; the procedure is the same as for the primary phone.
Check the configuration properly and confirm your settings
In the next page, double check everything and when you are sure that what you entered is accurate, click on “Turn on 2-step verification”.
Once you turn on 2-step verification, you will be redirected to the account login page. From this point on, every time you try to log in to a web-based client, you will be asked to provide the verification code that you receive via SMS. If you use the web applications from a single device, you can opt to let the browser remember your login for the next 30 days and not ask for verification codes every time you log in.
Google Authenticator based verification:
- Log in to your Google account and open this page, or sign in to your Google account and go to Settings -> Using 2-step verification. Click on ‘Start setup’.
- Select the OS on which your Google Authenticator runs (Android/iOS/BlackBerry OS) and click on Next.
You should now see a barcode. Open the Google Authenticator application on your phone and select Menu -> Scan a barcode to scan the barcode displayed on the web page. When the application reads the barcode, it generates a six-digit verification code that needs to be entered on the web page (after clicking on Next).
In case your phone doesn’t have a camera, or if the scan does not work, click on ‘can’t scan QR code’ and you will see a 16-character key. Now go to the Google Authenticator application on your phone and select Menu -> Manually add an account. The account name will be your user ID and the key will be the 16-character code that you just got. Select the ‘Time based’ type of key and click on Save. The application should now generate a six-digit verification code to be used on the web page.
Once you enter the right code, you will be asked to double-check the settings and to turn on 2-step verification.
When you need to log in to a web-based client, all you have to do is provide your user ID and password, open the Google Authenticator app and enter the verification code that it generates.
Application specific passwords:
At this point, all the applications that use your normal Google Account password will stop working, as you need generated passwords for these applications. This is how you do that:
- Go to the 2-step verification settings page.
- Enter a tag (name) for the application and click on “Generate Password”. For example, if I use Pidgin on Ubuntu to log in to Gtalk, I use the tag ‘Ubuntu pidgin’. This is only to help you remember which apps you have assigned passwords to, so that you can later revoke access without getting confused.
Once you click on ‘Generate Password’, a 16-character password is generated, which will be the password for my login ID in Pidgin.
As you can see in the image above, I have set up a password for Pidgin on Ubuntu and another for my Android device.
When you decide that the application will not be used any more, or in case you lose the device running the application, simply click on ‘revoke’ next to that particular app/device to stop it from accessing your account.
Turn off 2-step verification:
Turning off 2-step verification is simple. Click on ‘turn off 2-step verification’ on the settings page; you will be asked for confirmation and also to enter your account password for verification.
Once the 2-step verification is turned off, you will see the status as OFF at the top of the page.
At this point, you need to change the application-specific passwords that you entered for your devices/apps back to the Google Account’s password, and you are set.