Protecting Your Gmail Account with Two Factor Authentication.

It’s not always obvious, but your email account is one of the most important things you have on the Internet. (Jeff Atwood wrote a really good post about this back in 2008!)

Your email account is like the keys to the city: when you sign up for just about any service on the Internet they’ll ask you for your email address, and if you forget your login details, guess where they’ll send the password reset?

This means that if someone gets access to your email account, getting into everything else is pretty simple. Also consider that email accounts now give us gigabytes of storage, so we rarely delete anything, meaning it isn’t difficult for an attacker to browse through old messages and work out which accounts to target.

Thanks Google!

So why is it a big deal? Your money and your identity!

If you pay for stuff online it’s highly likely you’ll be using something like PayPal.

Once an attacker controls your email account, resetting the passwords on those other services is a bit of a doddle and they are free to do whatever they want with your cash. Yes, you may eventually realise what’s going on and cancel the card, but how long will that take and how much inconvenience will it cause?

On top of all this, your Gmail account password is also used in lots of other places, such as Google Docs, YouTube and Google Reader.

More and more websites are allowing you to sign in with credentials from other websites.

So what to do?

First, make sure you’ve got a good password; that goes without saying. If you want an additional layer of security you should think about activating two factor authentication for your Google account.

What’s two factor authentication?

To log in to a website at the moment all you have is something you know: a password.

The problem with that is that if someone else learns the same thing, the website can’t tell the two of you apart and you can’t do much about it.

Two Factor Authentication means that as well as something you know you also rely on something you have.

If you’ve worked in a large enough company you’ll have already seen this in action with something like a SecurID token from RSA (if you work in the SMB market, AuthAnvil is a good option).

Google are calling this “Two Step Verification”, presumably to make it sound a little less scary.

All well and good but Google aren’t going to hand out tokens to everyone right?

In a manner of speaking yes they do.

There is one thing that just about everyone who uses a computer has on their person at all times: a mobile phone.

Here’s how it works.

Each time you log on with your username and password, Google can send a text message containing a one-time code to a designated mobile phone. (They provide backup options too; they’ll even call you and read the code to you!)

You can’t log in until you’ve entered that code.

You can then optionally choose to stay logged in on that computer for 30 days.

This means that if anyone else guesses your password they still won’t be able to log in without also having your phone!

There is also an app you can use as an alternative that effectively turns your phone into a SecurID token: it generates a fresh six-digit code every 30 seconds from a secret shared with Google when you enrol, so it doesn’t even require an active internet connection or mobile signal. This is called Google Authenticator.

It’s worth mentioning that other services also have similar schemes.

Hotmail will send you a single-use code via text message if you’re on a computer you wouldn’t normally use. These codes expire after 15 minutes and you enter one instead of your password. It’s not quite two factor authentication, but it would stop a keylogger on that computer from capturing your real password. Details on that are here.

Facebook will send you a code via text message when you log in from a computer it doesn’t recognise (you can authorise your computers); they call this “Login Approvals”. Details are here. The only thing I’ll say about this is that when I tried to set it up I gave up after 30 minutes as I didn’t receive the first text message!

I’m talking specifically about Gmail here, though, as it was the first account I held that offered this extra security.

Setting it up is pretty straightforward.

1) Visit this link: and sign in.

2) From the drop-down menu, select the country where your phone is registered, and enter your phone number in the box.

3) Choose whether you’d like to receive your codes by text or by voice call. You can always change this later.

4) Check the phone number you entered, then click Send verification code to receive a code on your phone.

5) Enter the code from the text or voice message into the box, then click Verify.

6) Next you’ll be asked whether you want to remember the computer you are using. If you check the box, you won’t need to enter a code to sign on with this computer for the next 30 days. Don’t check this box if you are using a public computer or a device that you don’t regularly use to sign in.

7) Click Turn on 2-step verification to finish the process!

Done! At this stage, if you want to use the Google Authenticator app, you can set it up with these instructions.

The only other thing left to consider is any application that accesses your account where the verification step can’t happen. You may be checking your email via Outlook or via an app on your phone, for example. Such an application is designed to ask for a username and password and doesn’t know anything about verification codes.

To get around this you can generate an application-specific password. This is a password that, when Google receives it together with your username, is accepted without asking for a verification code. Google generates it for you and you enter it into the one application; it doesn’t get used anywhere else, so you don’t have to memorise it.

Bear in mind that an application-specific password is a full credential for whatever that application does (reading and sending your mail over IMAP or SMTP, say) and is not protected by the second factor, so treat it like a password and generate a separate one per device. These passwords can be revoked at any time if you’re worried one may have been compromised, if the device holding it is lost, or if you just want to generate a new one. Google has good setup instructions for this here (otherwise this post would end up even longer than it is!).

Hopefully all this makes sense and it’ll at least make you think about how you secure your important accounts. It’s good that companies are taking steps to help improve security, and this will only improve over time, but ultimately you’re responsible for your own data.

Andy Parkes is Technical Director at Coventry based IT support company IBIT Solutions. Formerly, coordinator of AMITPRO and Microsoft Partner Area Lead for 2012-2013. He also isn't a fan of describing himself in the third person.
