Some friends have been asking about two-step verification for Gmail accounts. Should we do it? How does one go about it? What behavioral changes will we have to put up with afterward?
The answer to the first question is yes, Ruthie, yes. Read on for answers to the other two. First, though, if you’re imagining that this is a funky new dance step, you need a little background information. Go read Matt Honan’s story. This is what we’re preventing with this precautionary measure. I’m not a fear-monger, but it could happen to you, too. Go read it. I’ll wait.
Back? Great. Now, go watch this Google video explaining two-step verification. Don’t follow the directions yet — just watch it and come on back here, and I’ll walk you through it. Take your time.
All done? Okay.
Two-step verification, then, pairs a password with a unique numeric code that exists in another physical location (the phone or mobile device, or the printed list of codes). In order to log in to Gmail once two-step verification is enabled, you need both of these pieces of information. Banks commonly use this system to verify their customers. World of Warcraft also provides an authentication option that works the same way — you need both a password and a unique code that gets generated when you want to log in. The idea is that even if your password is hacked or guessed, someone still can’t get into your Gmail account without having that code also.
Google will ask you to enter this code every 30 days on a trusted computer (if you switch browsers on the same computer, or clear your cookies, Google will ask for the code again). You can also choose not to have a given computer be “trusted,” and Google will ask for your code every time you log in.
Note that if you are using Google Apps, and not a regular Gmail account, you can’t use two-step verification until your site admin enables it for the site. If you follow the steps below and get stuck in the middle of Step 1 because you don’t see “2-step verification,” this is the case for you. Contact your site admin to see about getting it enabled.
Two Foot by Jack Keene. Creative Commons.
So, how does one go about it?
Let’s get started.
1. Gather what you need.
Setting this up properly will take 15 to 30 minutes, and you don’t want to get interrupted in the middle, so make sure you have enough time before you start. Grab your mobile device(s), including phones and iPads. A printer is handy but not absolutely necessary. You’ll do most of the work on your main computer. If you use more than one computer to access your Gmail account (a laptop and a desktop, or a work computer and a home computer), you’ll need to do some of the steps on each one, but you can start with just one for now.
Ready? Let’s go through the process. First, we’ll enable 2-step verification. We’ll set up apps and devices, and then set up backup options for our account.
Start by logging in to Gmail as you normally would, on your computer (not on a mobile device).
2. Enable 2-step verification for your Gmail account.
In Gmail on the computer, click on your name and the plus sign at the upper left of the screen (for example, mine says “Rachel+”). This takes you to your Google+ profile. Click the gear icon in the top right and choose Settings from the drop-down menu.
If you haven’t set up Google+, you can get to your profile by clicking your email address in the top right and then clicking “Account.”
Click Security on the left.
See where it says “2-step verification”? Click “Edit” to bring up the setup wizard.
Step through the wizard and have it send a code to your phone. Look at your phone for the text message (or voice message, if you prefer) from Google. Then enter that code on the computer screen. Ta da! Google takes you to a new screen. Stay there for the next step.
3. Enable access from mobile devices.
Here’s the tricky bit: some things that you have already set up to access Google can’t do the two-step, so you have to set up special passwords for those things. You’ll do that next (do it now, even though Google gives you the option to do it later). This includes email programs on your phone, email clients like Outlook and Thunderbird, calendar clients, chat clients, and so on. Read on.
The top of the screen you are looking at lists things that you have connected to your Google account. Take a moment to look over the list of stuff that has permission to access your Google account (or that you opted to sign in to using your Google ID), and revoke access for anything you’re not still using. You can leave the rest alone. Now, look at the lower half of the screen for the next part.
You’ll need to generate bizarre application-specific passwords for all the places that you access Google other than your computer. For instance, if you use the mail program on your iPhone or iPad to get your Gmail, you need to make a special password for those devices. Google makes this very friendly and easy, and you don’t need to make up the passwords yourself or remember them after you type them in once. Before you start, go get your iPhone, Android phone, BlackBerry, iPad, or whatever other devices you want to set up, and have them handy. You’ll need them.
Got everything handy? Now, look back at the bottom half of the computer screen. (If you wandered off to collect your devices, Google may ask you to log back in when you try to do the next step. Just enter your email and password as usual and you’ll be right back on track.) In the list on the bottom of the screen, you’ll see a text box and a button.
For each device, type a descriptive name in the text box so you know what it is later (like “Gmail on my iPhone” — spaces, caps, whatever you like is OK) and then click “Generate Password.” Now leave your computer alone for a minute and pick up the device — let’s say it’s your iPhone. Open the settings app on the iPhone. Click the “Mail, Contacts, Calendars” item in the settings list, and then tap the name of your Gmail account in the list of accounts. Tap again where it says “Account” with your Gmail address. On the device, erase the password that’s in there — that is still your Gmail password, but this device can no longer use it because of the two-step verification process. Now look back at your computer screen, and find the string of characters that Google has generated for you. Type them into the password field on your device. You can omit the spaces if you want. Click Done on the device. The iPhone will verify the information, and when it’s successful, you’ll see a row of checkmarks in all those fields on the iPhone. Click Done again on the device, and your device is set up. Ta da!
To set up the next one, click Done on the computer screen and you’ll get a new text box. You’ll also see that the device that you just set up is listed there now with the name you gave it.
Do the same thing for your iPad and any other physical devices you use to access your Gmail.
4. Enable access from other apps.
Next, we’ll set up other apps besides Mail. Examples of apps you might need to change are Spanning Sync, Google Notifier, Outlook, chat clients like Adium and Google Talk, and so on. These might be apps on your computer, or they might be on your mobile phone. If you don’t use any of these, you can skip this part. If you try to access something later and it says that your Gmail password isn’t working, come on back and follow these instructions for that app.
In the same place where you set up your iPhone, iPad, BlackBerry, or what have you, type in a name for the app you will be authorizing (“Spanning Sync,” for instance). Click “Generate Password.” Leave that screen up, and open the preferences for the app you are changing. Find where you put in the password, erase the password that’s in there, and put in the new weird one that Google has generated for you (spaces optional, again). Click “Done” or “OK” or the moral equivalent both in the app and on the Google screen, and you’re good to go.
4.5 Ack! I came back to do this part later and I can’t find the settings page with the text boxes!
In Gmail, click your name with the plus (“Rachel+” for me) in the upper left. Look on the right for the little gear and click it. Choose Settings from the drop-down menu.
If you haven’t set up Google+, you can get to your profile by clicking your email address in the top right and then clicking “Account.”
Click Security in the menu on the left. Click the Edit button next to Authorizing Applications and Sites. Enter your password (your usual Gmail one) if prompted. There you are!
5. More information from your friends at Google.
Now, check your email. Gmail has sent you a helpful message full of useful details. It also contains action items:
1. Set up your backup phone. If your mobile gets lost or stolen, you can use the backup phone to receive a verification code. Click the link in the email, then click “Add a phone number” on the page it takes you to, and enter the backup phone number. If it’s a landline, be sure to select “voice call” and not “SMS/text message” as the delivery method.
2. Print a set of backup codes. Print these out, and even if you’re unable to access either phone, you can still use a verification code to get back into your account. Just carry these with you when you travel. If you don’t have a printer handy, you can save them to a text file and print them later. Follow the directions in the email to get these codes.
3. Optional: set up the Google Authenticator mobile app. If you like, you can get the Google Authenticator app for your mobile that will generate a code you can use, whether or not you have cell service. (This is great if you travel overseas.) If you want to do this, you need to get a free app from the app store and then set up your app using the online instructions. Click the link in the email for the type of mobile you have to get started, then just follow the on-screen instructions. You can configure the app to work with multiple Gmail accounts, if you have more than one.
Save the email from Google for later, just in case.
That’s it! Now your account is protected with two-step verification.
Huh. What behavioral changes will we have to put up with now?
Every 30 days, Google will ask you to log in again. After you enter your password, it will ask for a verification code. You can have that code texted to your mobile, or you can use the Authenticator app to generate one, depending on what option you selected when you set it up. If you change your mind about how to get the code, you can change that in your settings (see “4.5, Ack!” above for how to find your settings).
Something weird happened, or I have more questions.
Google has a great help system that covers 2-step verification.
This post is dedicated to my mom and my sister, with lots of love. Go do it now, guys.
Updated 8/8/12: Added instructions for folks who don’t use Google+.