Security

Doing the Two-Step With Google

Horror stories abound of electronic lives compromised by stolen passwords. One of the problems with a password-secured life is that the password is the single element that — when compromised — allows access. The User ID isn’t protected, nor is any hardware.

Shouldn’t there be better methods? There are more secure systems. All you do is add further elements of authentication. This is called “two-factor authentication,” and it’s been around the computer industry for a long while.

Two-factor authentication uses multiple factors. This usually includes something that the user knows — the password — plus something the user possesses — a phone or smart card. It can also use some information specific to the user, like a fingerprint.

Google has been developing tools that lean on the multiple-factor authentication concept. Its product is called “Google Two-Step Verification,” and Google is using it to protect access to its properties, like Gmail.

How It Works

Two-Step Verification forces you to enter a six-digit code, created by Google and sent to your phone. Google reckons that its system lowers the chance that your Google stuff can be compromised, because if your password is stolen or guessed, the thief can’t access your account without also having your phone.

Google’s Two-Step Verification requires that you opt in. Following are the five steps you’ll have to take to set it up.

Step 1: Turn It On

Turn on Two-Step Verification by browsing to Security within the Google Account page using a desktop browser. The Google Account page can be reached by clicking on your User ID — it’s in the top right corner of most Google pages. Click “Edit” and a wizard will launch.

Follow the prompts to set up your phone. Choose “Text Message” as the code sending option — it’s easier. Use “Voice” if you don’t receive SMS messages.

Tip: Don’t use a landline or Google Voice number.

Select the computer you’re using as a “trusted computer” if you trust the people who have access to it. Trusted computers are good to have if you lose the phone.

Step 2: Create Backups

Create some backups on the resulting page. In this case, you should add a backup phone number, like a family member’s phone, in case you lose the initial phone. Print out some backup codes for when there’s no mobile network available.

Tip: Destroy any backup codes if you switch off Two-Step Authentication in the future.

Step 3: Creat App-Specific Passwords

Create application-specific passwords by clicking on the link. Application-specific passwords are for apps and software that are not compatible with Two-step Authentication and can’t ask you for a verification code. Examples are Android phones, mobile Gmail and AdWords Editor.

Enter the application-specific password that you have generated in the password field of the app or device in lieu of your Google account password. You should only have to enter it once. You’ll see that it’s displayed with spaces — ignore them.

Step 4: Install the Authenticator

Click on the Android, iPhone or a BlackBerry link and install the Google Authenticator app for Android, iPhone or BlackBerry. This is optional.

The app lets you create codes for new accounts with a device, rather than have Google send them via SMS or voice. It’s good if you don’t have Internet or mobile network service.

Step 5: Turning It Off

Turn off Two-Step Verification if you don’t like using it by browsing to the “Edit” page of Two-Step Verification. It’s under “Security” within “accounts.” Click “Turn off Two-Step verification.”

Tip: Revoke any application-specific passwords you’ve generated when you turn off Two-Step Authentication. You’ll find the “Revoke” link at the bottom of the Application-specific password creation page.

Next time you access that app or application, enter the original password that you used before trying Two-Step Verification.

Want to Ask a Tech Question?

Is there a piece of tech you’d like to know how to operate properly? Is there a gadget that’s got you confounded? Please send your tech questions to me, and I’ll try to answer as many as possible in this column.

And use the Talkback feature below to add your comments!

Patrick Nelson has been a professional writer since 1992. He was editor and publisher of the music industry trade publication Producer Report and has written for a number of technology blogs. Nelson studied design at Hornsey Art School and wrote the cult-classic novel Sprawlism. His introduction to technology was as a nomadic talent scout in the eighties, where regular scrabbling around under hotel room beds was necessary to connect modems with alligator clips to hotel telephone wiring to get a fax out. He tasted down and dirty technology, and never looked back.

2 Comments

  • Yes many banks and financial sites are also using two step authentication. I agree its very good but it can be annoying sometimes. I think we need to find a way to register PC’s or devices with a site so that if you switch browsers you do not have to go through the process again. Still a little work on my part is not a problem if it protects my accounts.

  • I use Two-Factor Authentication across a lot of my accounts. I feel a lot more secure when I can telesign into my account. I AM glad that they offer that option. It is worth the time and effort to have the confidence that your account won’t get hacked and your personal information isn’t up for grabs. It would be nice to see more of the leading companies in their respective verticals start giving their users the perfect balance between security and user experience. I know some will claim that 2FA makes things more complicated, but the slight inconvenience each time you log in is worth the confidence of knowing your info is secure. I’m hoping that more companies start to offer this awesome functionality. To me this should be a prerequisite to any system that wants to promote itself as being secure.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

Technewsworld Channels