How to better protect your Google account with Two-Step Verification (2SV)

Enable 2SV on your Gmail, YouTube, Google Docs and other Google accounts.

David bisson
David Bisson

Google 2sv

Two-step verification (2SV) is a login feature available on many online accounts today. It provides an additional step (but not an added factor) in the authentication process by prompting a user to enter a code sent to their computer or pre-verified device.

2SV therefore has the ability to protect a user’s account in the event that their corresponding password has been compromised.

Further reading: Learn about the difference between two-factor authentication (2FA) and two-step verification (2SV).

Sign up to our free newsletter.
Security news, advice, and tips.

One of the most important things a user can protect with 2SV is their Google account, which can be used for personal and business email, social networking on Google+, and other purposes. Provided below is a guide on how you can enable this feature on your Google account.

1. Sign into your Google account.

Google 2sv

2. At the top right of your browser screen, you will find a circular icon that either contains the first letter of your username or a picture of yourself. Click on that icon.

Google 2sv

3. A profile card containing your username, your full Google email, and a number of buttons will load beneath the icon. Click on the blue button labeled “My Account.”

Google 2sv

4. A new tab will load that brings you to the home page for “My Account.” Scroll down on that page and click on the “Sign-in & security” setting.

Google 2sv

5. The Google Sign-in & security page will load up. You can use this page to manage the security settings of your account, including setting up a recovery email and phone, changing your password, and conducting a security checkup of your account. You can also set up 2SV here.

Scroll down the page. Under the “Signing in to Google” sub-heading, you will find a box entitled “Password & sign-in method.” In that box, click on “2-Step Verification.” (NOTE: This feature should be labeled “Off” if you have not already enabled 2SV on your account.)

Google 2sv

6. On the right-hand sign of the “Signing in with 2-step verification” page that loads up, you will see a box that includes a blue button labeled “Start setup >>”. Click on that button.

Google 2sv

7. At this point, Google will likely prompt you to resubmit your login credentials. Enter your password and click the button “Sign in.”

8. Enter your phone number into the available text field and click on one of the radio buttons to indicate whether you want to receive the verification codes via SMS text message or via call. Once Google has verified that you have entered your mobile phone number correctly (i.e. in the format (222) 555-5555), a blue button labeled “Send code” will become clickable at the bottom of your screen. Click that button.

Google 2sv

9. A page will load saying that Google has sent you a code. You should receive a code from Google in the next few seconds either via SMS text message or call. Once you have received the six-digit code, enter it into the available text field and press the blue button “Verify.”

Google 2sv

10. Next, you will be asked whether Google should trust your computer. This is a setting that allows you to elevate the privilege status of your computer, tablet, or mobile phone so that you don’t have to enter in verification codes when logging into your Google account on that device. A clickable box will appear that will enable you to check off whether you want to trust the device. Check the box ONLY if the device belongs to you and it is not a public device or computer. When you are done, click the blue button labeled “Next.”

Google 2sv

11. Click the blue button labeled “Confirm” to finish turning on two-step verification on your Google account.

Google 2sv

12. And you’re done! You will be redirected to a page where you can manage the settings of your two-step verification protection feature. On this page, you can edit your pre-verified phone number, create app-specific passwords, manage your registered (i.e. trusted) computers, or even designate a security key if you are using Google’s Chrome browser. (NOTE: Now that you have set up 2SV on your account, a boxed feature to the right of your screen will list the feature as “On.”)

Google 2sv

You can also set up a back-up phone and print out or save backup codes that allow you to access your account in the event that you lose your device.

Google 2sv

It is STRONGLY recommended that you set up at least one of these two backup settings.

13. Now whenever you sign into your Google account, you will see this screen after you enter in your password.

Google 2sv

Simply enter in the code once you receive it via SMS text message or call. If the code is correct, you will automatically be directed to your account.

Now that you have 2SV all set up on your Google account, it’s important to note that there are other ways you can receive a verification code. I discuss one such method, the Google Authenticator app, in a separate article.

Read more:

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

6 comments on “How to better protect your Google account with Two-Step Verification (2SV)”

  1. Bob

    Something not mentioned, but much more secure, is the FIDO U2F YubiKey. It protects your account against "password theft, phishing, hacking, and keylogging scams" and has been found to "harden security, improve user satisfaction, and cut support costs."

    If you try to log into a fake Gmail website the YubiKey will detect this and refuse to authenticate whereas if you use a one-time code a fake Gmail site will gladly take it and pass the details onto hackers.

    The devices cost £12.99 and they're virtually indestructible. There is a more expensive device available which is compatible with more online services.

    Obviously if you can't afford one, or don't want to use one, then activate 2SV any way as it will provide much needed additional security. But remember that 2SV doesn't make your account immune to being hacked.

    Also, never, ever, give your 2SV one-time code to anybody and make sure that the device you receive them on is secure.

  2. Kevin

    It would help if the Google account setup actually worked. I just tried it. It suggested I create an app password for Mail on my phone. I created one but this password wasn't accepted on my phone. Instead I put in my normal password and after text verification it accepted my normal password. It's one thing to make things secure by creating a small amount of complexity but when things don't work it completely turns off users who want to keep things as simple as possible.

    1. Bob · in reply to Kevin

      I agree.

      Not all phones accept the passwords of accounts protected with 2SV thus requiring the static password. Other phones accept a regular password and require one-time authentication (as in your case).

      The other problem that you or others may run into is that not all apps / services which you use will interact properly with a static ('app') password.

      It's usability turns off many users particularly if people start getting locked out of their accounts with no way back in (or a month-long wait for the free Google support to assist you).

      Some security commentators believe 2SV actually undermines security:

  3. Eric

    The nice thing about Google's 2SV is that you can set up multiple backup second verification elements (this also goes for cases if you can't log in to your Google account and need a password reset). Let's say I use my mobile number for SMS verification but forget to update it in my Google account if I change my mobile number (out of luck if that is your only one and you will be locked out but….). As long as I have other verification elements such as the Authenticator app, alternate email(s), alternate number(s) I won't be locked out. And I do have these for my Google account. Also, this is the case for Microsoft accounts like – in fact it seems that Microsoft might have better/more options than Google for their 2SV (which are also used for password reset verifications).

    What I am nervous about is using 2SV for Internet accounts that only allow one option (Namely one mobile SMS number). Godaddy has it but you can (so far, it seems) only use one number for mobile SMS. I set this up for my Godaddy account but soon turned it back off after considering the potential problem mentioned above. After that I expressed my concern to Godaddy constructively and the person I talked to understood. I hope they improve on that.

    2SV is very important. But there need to be some redundancies to avoid the danger of being locked out the way Google and Microsoft offers.

  4. George Pagel

    here's my amazon two-factor auth write-up

  5. zartosht

    In second step you forgot to blur the User name in the left column

    and thanks for the tutorial :)

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.