Two-step verification (2SV) is a login feature available on many online accounts today. It provides an additional step (but not an added factor) in the authentication process by prompting a user to enter a code sent to their computer or pre-verified device.
2SV therefore has the ability to protect a user’s account in the event that their corresponding password has been compromised.
Further reading: Learn about the difference between two-factor authentication (2FA) and two-step verification (2SV).
One of the most important things a user can protect with 2SV is their Google account, which can be used for personal and business email, social networking on Google+, and other purposes. Provided below is a guide on how you can enable this feature on your Google account.
1. Sign into your Google account.
2. At the top right of your browser screen, you will find a circular icon that either contains the first letter of your username or a picture of yourself. Click on that icon.
3. A profile card containing your username, your full Google email, and a number of buttons will load beneath the icon. Click on the blue button labeled “My Account.”
4. A new tab will load that brings you to the home page for “My Account.” Scroll down on that page and click on the “Sign-in & security” setting.
5. The Google Sign-in & security page will load up. You can use this page to manage the security settings of your account, including setting up a recovery email and phone, changing your password, and conducting a security checkup of your account. You can also set up 2SV here.
Scroll down the page. Under the “Signing in to Google” sub-heading, you will find a box entitled “Password & sign-in method.” In that box, click on “2-Step Verification.” (NOTE: This feature should be labeled “Off” if you have not already enabled 2SV on your account.)
6. On the right-hand side of the “Signing in with 2-step verification” page that loads up, you will see a box that includes a blue button labeled “Start setup >>”. Click on that button.
7. At this point, Google will likely prompt you to resubmit your login credentials. Enter your password and click the button “Sign in.”
8. Enter your phone number into the available text field and click on one of the radio buttons to indicate whether you want to receive the verification codes via SMS text message or via call. Once Google has verified that you have entered your mobile phone number correctly (i.e. in the format (222) 555-5555), a blue button labeled “Send code” will become clickable at the bottom of your screen. Click that button.
9. A page will load saying that Google has sent you a code. You should receive a code from Google in the next few seconds either via SMS text message or call. Once you have received the six-digit code, enter it into the available text field and press the blue button “Verify.”
10. Next, you will be asked whether Google should trust your computer. This is a setting that allows you to elevate the privilege status of your computer, tablet, or mobile phone so that you don’t have to enter in verification codes when logging into your Google account on that device. A clickable box will appear that will enable you to check off whether you want to trust the device. Check the box ONLY if the device belongs to you and it is not a public device or computer. When you are done, click the blue button labeled “Next.”
11. Click the blue button labeled “Confirm” to finish turning on two-step verification on your Google account.
12. And you’re done! You will be redirected to a page where you can manage the settings of your two-step verification protection feature. On this page, you can edit your pre-verified phone number, create app-specific passwords, manage your registered (i.e. trusted) computers, or even designate a security key if you are using Google’s Chrome browser. (NOTE: Now that you have set up 2SV on your account, a boxed feature to the right of your screen will list the feature as “On.”)
You can also set up a back-up phone and print out or save backup codes that allow you to access your account in the event that you lose your device.
It is STRONGLY recommended that you set up at least one of these two backup settings.
13. Now whenever you sign into your Google account, you will see this screen after you enter in your password.
Simply enter in the code once you receive it via SMS text message or call. If the code is correct, you will automatically be directed to your account.
Now that you have 2SV all set up on your Google account, it’s important to note that there are other ways you can receive a verification code. I discuss one such method, the Google Authenticator app, in a separate article.
Something not mentioned, but much more secure, is the FIDO U2F YubiKey. It protects your account against "password theft, phishing, hacking, and keylogging scams" and has been found to "harden security, improve user satisfaction, and cut support costs."
If you try to log into a fake Gmail website, the YubiKey will detect this and refuse to authenticate, whereas if you use a one-time code, a fake Gmail site will gladly take it and pass the details on to hackers.
https://www.yubico.com/products/yubikey-hardware/fido-u2f-security-key/
https://www.yubico.com/2016/02/use-of-fido-u2f-security-keys-focus-of-2-year-google-study/
http://fc16.ifca.ai/preproceedings/25_Lang.pdf
http://www.amazon.co.uk/Yubico-Y-123-FIDO-U2F-Security/dp/B00NLKA0D8/
The devices cost £12.99 and they're virtually indestructible. There is a more expensive device available which is compatible with more online services.
Obviously if you can't afford one, or don't want to use one, then activate 2SV anyway as it will provide much needed additional security. But remember that 2SV doesn't make your account immune to being hacked.
Also, never, ever, give your 2SV one-time code to anybody and make sure that the device you receive them on is secure.
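The difference described in the comment above, as an added example that is not part of the original article or its comments: a toy model in which HMAC stands in for U2F's per-site ECDSA signature. The class names, the look-alike origin and `simulate()` are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets

REAL_ORIGIN = "https://accounts.google.com"
FAKE_ORIGIN = "https://accounts.google.com.example"  # constructed look-alike

def mac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

class SecurityKey:
    """Toy authenticator: HMAC stands in for U2F's per-site ECDSA key pair."""
    def __init__(self):
        self._secret = secrets.token_bytes(32)

    def register(self, origin):
        # One key per origin; real U2F returns a public key, not a shared one.
        return mac(self._secret, origin)

    def sign(self, origin, challenge):
        # The browser reports the origin it is really on; the page cannot set it.
        client_data = json.dumps({"origin": origin, "challenge": challenge})
        return client_data, mac(self.register(origin), client_data)

class RelyingParty:
    def __init__(self, origin, key):
        self.origin, self.key = origin, key

    def start_login(self):
        self.challenge = secrets.token_hex(16)
        self.otp = f"{secrets.randbelow(10**6):06d}"  # six-digit SMS code
        return self.challenge

    def verify_otp(self, code):
        return hmac.compare_digest(code, self.otp)  # no origin to check

    def verify_key(self, client_data, sig):
        data = json.loads(client_data)
        return (data["origin"] == self.origin
                and data["challenge"] == self.challenge
                and hmac.compare_digest(sig, mac(self.key, client_data)))

def simulate():
    key = SecurityKey()
    rp = RelyingParty(REAL_ORIGIN, key.register(REAL_ORIGIN))
    challenge = rp.start_login()
    return {"key_on_real_site": rp.verify_key(*key.sign(REAL_ORIGIN, challenge)),
            "key_via_fake_site": rp.verify_key(*key.sign(FAKE_ORIGIN, challenge)),
            "otp_via_fake_site": rp.verify_otp(rp.otp)}
```

The server rejects the security-key response produced on the look-alike origin because the signed data names the wrong site, while the typed code carries no such binding and verifies wherever it was entered.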
It would help if the Google account setup actually worked. I just tried it. It suggested I create an app password for Mail on my phone. I created one but this password wasn't accepted on my phone. Instead I put in my normal password and after text verification it accepted my normal password. It's one thing to make things secure by creating a small amount of complexity but when things don't work it completely turns off users who want to keep things as simple as possible.
I agree.
Not all phones accept the passwords of accounts protected with 2SV thus requiring the static password. Other phones accept a regular password and require one-time authentication (as in your case).
The other problem that you or others may run into is that not all apps / services which you use will interact properly with a static ('app') password.
Its usability turns off many users, particularly if people start getting locked out of their accounts with no way back in (or a month-long wait for the free Google support to assist you).
Some security commentators believe 2SV actually undermines security:
https://paul.reviews/does-two-factor-authentication-actually-weaken-security/
The nice thing about Google's 2SV is that you can set up multiple backup second verification elements (this also goes for cases if you can't log in to your Google account and need a password reset). Let's say I use my mobile number for SMS verification but forget to update it in my Google account if I change my mobile number (out of luck if that is your only one and you will be locked out but….). As long as I have other verification elements such as the Authenticator app, alternate email(s), alternate number(s) I won't be locked out. And I do have these for my Google account. Also, this is the case for Microsoft accounts like outlook.com – in fact it seems that Microsoft might have better/more options than Google for their 2SV (which are also used for password reset verifications).
What I am nervous about is using 2SV for Internet accounts that only allow one option (namely one mobile SMS number). GoDaddy has it but you can (so far, it seems) only use one number for mobile SMS. I set this up for my GoDaddy account but soon turned it back off after considering the potential problem mentioned above. After that I expressed my concern to GoDaddy constructively and the person I talked to understood. I hope they improve on that.
2SV is very important. But there need to be some redundancies to avoid the danger of being locked out, the way Google and Microsoft offer.
Here's my Amazon two-factor auth write-up:
https://www.georgepagel.com/2015/11/08/amazon-com-two-factor-authentication/
Hi,
In the second step you forgot to blur the user name in the left column
and thanks for the tutorial :)