How To: Configure Google's two-step verification

Millions of people have a Google account, which makes the service a prime target for criminals hoping to sell on valuable personal information.

It’s crucial that you lock down your data using a strong password, and not one that’s easily guessed. Ideally, you should use an alphanumeric password that contains a mixture of upper- and lower-case letters, numbers and punctuation.

Given enough time and the right tools, any password can be unearthed by a determined hacker. Put them off the scent for as long as possible, though, and they may just look elsewhere for an account that’s easier to access.

This is the logic behind Google’s 2-step verification feature, which adds a second layer of protection to your data. Enable the security control in your Account Settings, and you’ll need both your password and a unique code to log into your account thereafter. This code is sent to you in a text or voice message, with neither likely to be accessible to a hacker.
Enable 2-step verification

To enable 2-step verification, you’ll first need to sign into your Google account. This can be achieved through any of the company’s services, since your Gmail, Google Docs, YouTube, Picasa and other accounts are all linked to a single user profile.

Enter your username and password, then click Sign in. Now click on your username in the top-right corner of the screen and choose Account Settings from the drop-down menu.

In the Security section on the Account overview tab, you’ll see that Google’s 2-step verification is off by default. Click the Edit link adjacent to it, then ‘Start set up’. Note that you may need to re-enter your password.

Select the country in which your phone is registered and enter your number if these fields are not already filled in. Next, choose whether you want to receive your access code via text or voice message. It’s possible to change this setting later.

Provide a mobile rather than a landline or Skype number if possible, since you’ll want to be able to access your Google account from wherever you are. Under no circumstances should you enter a Google Talk number:

you’ll lock yourself out of your account, since the code that’s sent to Google Voice will be accessible only after you’ve logged in.

Click Send code. We found the code arrived on our handset almost instantly. Enter this code, then click Verify.

If you are the sole user of your computer or share it only with trusted people, consider ticking the box that allows Google to remember the PC from which you’re accessing your account for 30 days, without prompting you for a verification code each time you try to log into one of its services. Note, however, that you may need to enter a verification code for each Google service you use. Finally, click ‘Turn on 2-step verification’.

No mobile reception?

If you have a compatible smartphone, you can install Google’s free Authenticator app. This is able to generate an access code in the event that your handset loses mobile reception or you are unable to accept calls and text messages, although it still demands your phone number. The app is available on both the App Store and Android Market.

BlackBerry owners can also use Authenticator, which they should download from m.google.com/authenticator.

Back on your PC, return to the Account overview tab on the Account Settings page and click Edit next to ‘2-step verification’. Select your mobile operating system next to Mobile application, then follow the instructions to install the app and link your handset to your Google account. iPhone and Android users will be offered a confirmation link in the form of a QR code, which they must scan from within the Authenticator app; BlackBerry owners
must enter the confirmation key manually.

Once this process is complete, you’ll be able to use the app to retrieve the access code Google prompts you for when you sign into one of its services.

Application-specific passwords

Not all Google services will request a verification code; to log into these, you’ll instead need what Google calls an ‘application-specific password’. Calendar, Talk, Picasa and Sync are some examples, and all require the entry of a new password in place of your usual login credentials.

You’ll be prompted to create an application-specific password for each of these services when you next try to log into them. Alternatively, you can configure the service now by heading to Account Settings, Account overview and clicking Edit next to ‘Authorizing applications & sites’.

Enter the name of the application, then click Generate password. Copy and paste the resulting text into the box of the application that’s requesting it.

You won’t have to memorise or write down this password, since it can be used only once. However, a new application-specific password will be required when you first use an application or site that you haven’t already signed into using 2-step verification. You can later revoke access to individual services in Account Settings if required.

It won’t always be obvious that you need an application-specific password to log into some services. On an iPhone, for example, attempting to log into Gmail in the usual manner brings up an error message reporting that your password is incorrect. If this message appears, simply generate and enter a new application-specific password.

Extra precautions

Although 2-step verification makes gaining access to your Google account far more difficult for hackers, you may find yourself locked out if you lose or break your smartphone. It’s therefore essential that you enter a backup phone number on the Account Settings page, and that you print out some backup codes. You can carry the latter on your person to ensure that you’ll always be able to log into your accounts, no matter where you are.

If you later decide to disable 2-step verification, simply visit the Account overview tab on the Account Settings page and click Edit next to ‘2-step verification’. Click ‘Turn off 2-step verification’ on the following page, then confirm your request in the pop-up window. You’ll also need to revoke any application-specific passwords you’ve set up.