Protect Your Passwords with Google Two-step Verification

LocksThe last thing anyone wants is more complication in their online life. And managing passwords is certainly one of the banes of our Internet existence. However, there are things that we have to do to stay safe online and making sure that our accounts are not being accessed by “bad actors” (not the stage and screen kind) is at the top of the list.

I’ve written before about the importance of using multiple passwords for online accounts and the system that I use for managing them. I recently started using an option in my Google account called Two-step Verification, to further protect my Google password. Here’s the basic idea: There are only a few computer devices – like your desktop, laptop and phone – from which you will regularly access your Google account. If some other device attempts access, it should be suspect and subject to additional verification.

Verification takes the form of a random string of characters that must be entered in addition to your password – and here’s what makes it so secure – it is not delivered to the computer requesting access. Instead, it can be delivered via:

  • an SMS text to your cell phone,
  • an automated voice call to any phone number,
  • an Android, Blackberry or iOS app or
  • a pre-generated list that you have printed out.

Here’s a short video that further explains the program:

It’s not just for Google passwords

Although you must have a Google account to set this up, other systems can piggyback on it, using Google’s API (application programming interface). You don’t need to understand how this works, just that you can add two-step verification to other passwords, if those services have chosen to integrate with Google. Two that have are LastPass (the password manager that I use – yay!) and More are likely to join the program, so it should become even more valuable over time.

Setting it up

Setup is a little tedious, I’ll admit, but it only needs to be done once. The best instructions are on the Google Accounts Help site. In addition to a Google account, you will need:

  • A phone that is usually available to you when you sign in. This could be:
    • A standard phone (landline or mobile)
    • Any Android device, BlackBerry device, iPhone, iPod Touch, or iPad that can run the Google Authenticator application
  • A backup phone that you can use if you lose access to your primary phone. This could be:
    • A work or home phone (landline or mobile)
    • The phone of someone you trust, like a friend or family member.

Once you have configured Two-step Verification, your Google account will use it the first time that you log in from any device. If you are using one of your regular devices, you can check a box and the system will not try to re-verify that device for 30 days. After that it will re-verify, so you’ll need access to whatever device receives your verification code.

Oh, and one more thing…

There are quite a few applications that use your Google login that can’t ask for verification codes directly, including:

  • POP and IMAP email clients such as Outlook, Mail and Thunderbird
  • Gmail and Google Calendar on smartphones
  • ActiveSync for Windows Mobile and iPhone
  • YouTube Mobile on Apple devices
  • Cloud Print
  • Installed chat clients such as Google Talk and Adium
  • 3D Warehouse, Sketchup, and installed applications
  • AdWords Editor
  • Sync for Google Chrome
  • Gmail Notifier

These programs require that you generate an application-specific password to use in place of your normal Google password. This is done online in your Google Account, then cut-and-pasted into the application’s password box. According to Google, “Most of the time, you will only have to enter an application-specific password once per application or device (soon after you turn on 2-step verification).” Personally, I’ve had to generate passwords for four different applications and I’ve had to enter it into Google Talk twice.

Is it worth the hassle?

My Google and LastPass passwords are the keys to my online existence. If a bad person got hold of either of them, I would be well and truly screwed. Because LastPass is using the Google API in their latest version (thanks, guys!), I can give both of these critical passwords an extra margin of protection.

In deciding for yourself, use the Likely/Consequences Sliding Scale™. What is the likelihood of your password falling into the wrong hands and how bad would the consequences be if it did? If either one of those answers rise high enough on your personal discomfort scale, consider using Two-step Verification.


  1. It is true, we live in a password world, but people need to understand passwords are not secure in themselves. A strong password is not a replacement for the need for other effective security control. People need to be thinking about secondary steps that need to be implemented, like some form of 2FA were a user can telesign into their account and have the security knowing they are protected. This should be a prerequisite to any system that wants to promote itself as being secure. With this if they were to be compromised, the user would be protected because if the people who stole the password were to try to use the “stolen” password and they don’t have your phone nor are on the computer, smartphone or tablet you have designated trusted, they would not be able to enter the account.

    1. Agreed, Bryan and Google should be applauded for providing a two factor authentication (2FA) system that works not only on their own service but is open for other developers to use. The challenge is in changing people’s habits around security. Right now, it’s an annoyance, something to get out of the way as quickly as possible. It took years to convince people that using a car’s seat belt was in their best interest. The same will probably be true of online security.

Leave a Reply

Your email address will not be published. Required fields are marked *