Android Central

Your Google account holds your e-mail, apps, music, books, documents, cloud storage, credit cards and more. It’s time to protect that stuff with more than a simple password.

If you’ve been watching the wider tech world over the past couple of days, you’ll be familiar with the recent misfortune of Wired writer Mat Honan, who succumbed to a devastating hacking attack that annihilated his iCloud, Twitter and Google accounts and locked down several devices in the process.

In Honan’s case, the attack was enabled by compromised (yet publicly available) personal info, as well as failures by Amazon and Apple customer support, rather than a traditional brute-force attack or malware. But a crucial part of what allowed the attackers to take down not only his Apple accounts and devices, but also his Gmail and Google stuff, was the fact that he wasn’t using Google’s two-step authentication to protect his account.

Stories like these always bring home the importance of basic digital security precautions. And one of the most basic, yet most effective, steps you can take to protect your account is turning on two-step authentication.

Read on to find out how and why you should do it.

What is two-step authentication?

Two-step authentication adds an extra layer of security by requiring you to enter a six-digit code, generated by Google and sent to your phone, when you sign into your account. That means even if your password is cracked, your account should still be safe. Chances are whoever’s trying to break into your account from afar also doesn’t have your phone in their possession, so they can't get that secondary code.

You can set up six-digit verification codes to be sent via SMS, or if you’re an Android, BlackBerry or iPhone user, there’s an app called Google Authenticator, which generates a code instantly on the phone. You set the app up by signing into your Google account on your phone and scanning a secret barcode shown on-screen with the phone’s built-in camera; from then on it produces codes on its own.

What about Android devices and certain apps?

Sometimes an app or device that uses your Google account isn’t able to ask you for a verification code, or it isn’t practical or desirable to have it ask for one. The main example here is Android devices. Sign into one with two-step authentication enabled and you’ll need to use an “application-specific password” instead. These are passwords that each give a single app or device access to your Google account. You can get to them by navigating to accounts.google.com and clicking “Security” from the sidebar, then “Authorizing applications and sites.”

Yes. This part is a pain. But it's important to do.

For example, if you’ve got a Galaxy Nexus and a Nexus 7 tablet, you’d create one for the phone and another for the tablet, and you'd only need to enter it once on the device you're using it for. If you need to stop either from being able to access your Google account, for whatever reason, you can simply hit “revoke” next to the name of the device. And as that password is 16 characters long and only usable by one app or device at a time, everything’s kept securely siloed.
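As an added example (not Google's code or the article's), here is a Python model of the application-specific-password scheme just described: one 16-letter password per app or device, accepted only on the sign-in path that cannot prompt for a code, siloed to the first device that uses it, and revocable on its own. The account class, device names and the bind-to-first-device rule are assumptions made to illustrate the siloing; only password hashes are stored.

```python
"""Added example: a model of Google-style application-specific passwords (ASPs).

Assumed policy, for illustration only: with 2-step on, a client that cannot ask
for a verification code must present an ASP; each ASP is minted for one
app/device, siloed to the first device that uses it, and can be revoked alone.
"""
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass, field
from typing import Dict, Optional

ASP_LENGTH = 16                      # the article notes these are 16 characters
ASP_ALPHABET = string.ascii_lowercase
PBKDF2_ROUNDS = 20_000               # kept low so the demo runs quickly


def _digest(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so that only hashes, never plaintext passwords, are stored."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class AppPassword:
    label: str                           # e.g. "Galaxy Nexus", "Nexus 7"
    salt: bytes
    digest: bytes
    bound_device: Optional[str] = None   # first device that used it (assumed rule)
    revoked: bool = False


@dataclass
class Account:
    password_salt: bytes
    password_digest: bytes
    two_step_enabled: bool = True
    app_passwords: Dict[str, AppPassword] = field(default_factory=dict)

    @classmethod
    def create(cls, main_password: str) -> "Account":
        salt = secrets.token_bytes(16)
        return cls(salt, _digest(main_password, salt))

    def generate_app_password(self, label: str) -> str:
        """Mint a random 16-letter ASP for one app/device. The plaintext is
        returned once for the user to type into that device; only its hash stays."""
        plain = "".join(secrets.choice(ASP_ALPHABET) for _ in range(ASP_LENGTH))
        salt = secrets.token_bytes(16)
        self.app_passwords[label] = AppPassword(label, salt, _digest(plain, salt))
        return plain

    def revoke(self, label: str) -> None:
        """The 'revoke' button: cut off one device without touching the others."""
        self.app_passwords[label].revoked = True

    def login_without_code(self, supplied: str, device_id: str) -> str:
        """Sign-in path for a client that cannot prompt for a verification code
        (an Android device, a desktop mail client). Returns the credential that
        was accepted, or 'denied'."""
        if hmac.compare_digest(_digest(supplied, self.password_salt),
                               self.password_digest):
            # With 2-step on, the main password alone never gets in here:
            # a stolen password is useless without a code or an ASP.
            return "denied" if self.two_step_enabled else "main-password"
        for ap in self.app_passwords.values():
            if ap.revoked or not hmac.compare_digest(_digest(supplied, ap.salt), ap.digest):
                continue
            if ap.bound_device is None:
                ap.bound_device = device_id  # siloed to the first device that uses it
            return f"asp:{ap.label}" if ap.bound_device == device_id else "denied"
        return "denied"


if __name__ == "__main__":
    acct = Account.create("correct horse battery staple")   # constructed sample
    phone_asp = acct.generate_app_password("Galaxy Nexus")
    print("main password on phone:", acct.login_without_code("correct horse battery staple", "phone"))
    print("ASP on phone:", acct.login_without_code(phone_asp, "phone"))
    print("same ASP on tablet:", acct.login_without_code(phone_asp, "tablet"))
    acct.revoke("Galaxy Nexus")
    print("ASP after revoke:", acct.login_without_code(phone_asp, "phone"))
```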

Contingencies

Two-step authentication is good, but it isn’t flawless -- what if your phone’s stolen, for instance? To make sure you’re not locked out of your account if the unexpected happens, Google has a few contingencies in place:

  • When you first sign up for two-step authentication, you’ll be asked to provide backup phone numbers, which you can use to receive a six-digit verification code in the event that your primary phone is indisposed.
  • You’ll also be given a set of backup codes, each of which allows you to sign in once. If your main phone is unavailable, and you’re unable to get to any of your backup numbers, this will allow you to sign in once and set things straight.
  • Contrary to what you might think, the Google Authenticator app for Android doesn’t require an Internet connection to work. Even in airplane mode, it’ll generate a working verification code.

How two-step could’ve helped Mat Honan, and how it might help you

Amazon and Apple’s customer service blunders (combined with iCloud’s lack of two-step security) had already ensured that Mat Honan’s iPad, iPhone and MacBook were toast. However, enabling two-step authentication could’ve saved his Google account, and the Twitter accounts that were associated with it.

Assume you don't have two-step authentication turned on. If you want to try to recover your password (because you're dumb and forgot it), you're given a few options for account recovery. One of these sends a recovery email to an alternative address you've already linked, and that address is only partly obfuscated on the recovery page. That’s how the hacker got into Mat Honan’s account -- without two-step, his recovery address of m******n@me.com was easy to guess. From there, it was simply a case of taking advantage of lapses in Amazon and Apple’s customer service security to take over that account, and then have a password reset email sent to that me.com address.

Had two-step authentication been enabled, the hacker would’ve instead seen a message like this when they attempted password recovery -- an instant roadblock in their attempts to hijack Honan’s Google account.


Journalists, especially those dealing in technology, aren’t normal cases when it comes to phone or web account usage, so if you're not broadcasting your name all over the Internet, you're less likely to fall victim to these kinds of shenanigans.

Nevertheless, it's a simple and easy precaution, and one that everyone with a Google account, and particularly those heavily invested in Google's ecosystem, should take. Depending on how you use Gmail, an attacker gaining control of it could effectively have the master keys to your digital life. What's more, they could gain access to all the purchases and other content associated with your Google account -- if you're a big Android user, that could amount to a significant quantity of stuff. Worse still, if they pulled the plug on your account, you might lose all of this.

So despite the minor, occasional inconvenience, please, please turn on two-step authentication on your Google account. You'll thank us when no-one hacks your shit.

 
There are 96 comments

Blah says:

I used this until it didn't work and locked me out of my own account.

This happened when I had to wipe my phone and then reinstall the authenticator. It would give me tokens to enter in and they didn't work.

Google support wouldn't help me at all because I couldn't remember the month and year I opened the Gmail account. Who remembers that?

After about 6 months they changed a small amount of the process that allowed me to disable the 2-step authentication and was able to use the recovery keys that they gave.

I'm now very wary about enabling this again, even though I think it's a good idea.

Thanks for the story. It's good to keep this in mind.

skeeve says:

I have a similar story but I think it's a fundamental flaw of the system. It's a good idea, but its implementation is just horrible right now.

I got a new work computer so I installed chrome first thing and signed on to my google account using an application specific password. Later because of trouble with a phone wipe and other things I eventually turned it off but that's actually irrelevant to my story.

When I got my new computer and tried to log on to sync all my bookmarks/history/extensions/tabs/etc, it wouldn't accept my regular google password. It needed the password I used last time: the application specific password that their own page tells you you don't ever need to remember. I tried turning 2-step back on and getting a new application specific password, but that didn't work. I eventually had to delete my old data because it wouldn't even let me connect chrome to my account with the old data still kicking around.

Huge PITA. Never again, unless it was implemented much much better.

sambartle says:

Just in case this scares anyone off this was a one time failure I think.. I use this exact setup for about 7 different Google accounts and all work fine.

It didn't want the SAME one time password - it wanted you to create a NEW one time password specific to this application - this is exactly how it's designed to work..

You don't need to mess with 2 step again.. you just go to account on your google account, and then security and create a new application specific password.. (you can call them both chrome as long as you differentiate them.. for example I have Chrome (home) and chrome (work) and about 6 android ones)

As a side note: It would actually have accepted the old application specific password if you had written it down (which it tells you not to) - which is the one downfall I know of.. once used they shouldn't be able to be used from another device, but currently can be.

skeeve says:

I definitely did try to create a new app-specific password and that didn't work. I think it might've been because I stopped using 2-step and had to re-enable it. So maybe it works, but you can never ever stop using it or you will have problems.

still1 says:

Where in the heck was your backup code that Google gave you when activating 2 step authentication? It's partially your fault too!!! Also, as a secondary option, it will txt you the code if you don't have the authenticator app working.

Blah says:

I mentioned that I was eventually able to use the codes. Initially you had to get to a specific point to put them in, but I had to know one of the two questions that I didn't remember to get there:

What email address sent you your Gmail invite?
or What month and year did you activate your Gmail account?

It's been YEARS and I don't remember either.

I tried again around 6 months later and it let me just use the codes and not the crazy questions. When I was first locked out, you couldn't get support either without knowing the answer to those questions.

still1 says:

I shouldn't have used "heck".. I was not trying to be harsh just an fyi.

You would have gone to "forgot password" to restore the account, which you DON'T even have to do. That is where it asks for these two questions.

"What email address sent you your Gmail invite?
or What month and year did you activate your Gmail account?"

All you have to do is log in to your account as normal with your password, and then it will ask for the code; then use the backup code you saved somewhere and BAM, you are back. Then you have to activate the app to display the code.

Jays2Kings says:

Happened to me as well, at least the whole wiping my phone and trying to get back into it, but I still had my desktop account logged in. Now I use Authenticator with my home phone to call and tell me the code, as well as 12 printed backup codes in my wallet.

Blah says:

I remember seeing that later on, but not sure it was there initially when I had that issue. I'll look into those and see if I feel comfortable using it again.

Just once bitten....

The app is great, my only one gripe is that the “Authorizing applications and sites” is ONLY on the website. I wish there was a way to access & generate the application passwords.

I've used this for as long as I can remember, and I flash ROMs almost every other day; Titanium Backup is your best friend in this case :)

Gspot82 says:

There is no flaw. I regularly swap roms and do this all the time. You just aren't doing it right. What you need to do is have them send you an sms code that you enter to link your android to your google account. You then need to reset your devices application specific password.

a22matic says:

Wow, good stuff Alex. I'll be setting this up today! Thanks!

craigf#AC says:

Too many steps and too much hassle. The extra seconds add up to minutes and hours pretty quickly, and there's always a non-zero chance of it not working and, as Blah experienced, locking you out anyway. I'll continue to rely on strong passwords and common sense, at least until biometrics evolves to be a reasonable alternative.

butters619 says:

At least read the Honan article. Strong passwords and common sense wouldn't have made a bit of difference.

OrionAntares says:

Not entirely true. Common sense says not to trust Apple or an Apple account with any potentially sensitive data or allow circumventing access to any sensitive data sources. There's a reason I flat out refuse to ever give Apple a CC and would only use GCs for iTunes and only keep a low balance on there at any one time. Apple has a horrible track record with security breaches on their accounts.

robotaholic says:

LOL. This is the truth!

mwara244 says:

The U.S. government has banned all Apple products from being used for government work.

icebike says:

All these steps and extra seconds are nonsense.

Application/Device specific passwords are entered exactly once.
Takes 30 seconds per device, and done.

From then on, you might have to enter a 6 digit code once every 30 days, on a non-trusted computer. ONLY on a non-trusted computer. (like your work machine, or something)

Then you just whip out your Android, open the authentication app and key in the code. Done.

But apps on your computer such as Thunderbird or some such need only be given an app specific password once. And you can get that code right on your phone if you need it.

Really, the biggest problem is in your head. The fact that the links in the Google Help pages don't always take you to where they say they take you is annoying but not that hard to deal with.

ScottJ says:

It's still a hassle. You can go ahead and deal with it if you want. It's a free country.

garfnodie says:

I started using 2-step the day it became available for me a year or two ago. My Google account had already gotten hacked a few weeks prior and I was itching for the 2-step to become available. Sure there have been a few times of inconvenience, but considering my Google account has pretty much every bit of information needed to become me, I'll take the few minor inconveniences.

RCCola says:

Yea you guys may need to do a tutorial on using this thing then. I tried setting this up and wound up locking myself out of my Google account on my iPad and several of my other devices. The code system just wasn't clear as I was creating codes & for some reason none of them ever worked for me. Took me an hour just to deactivate the thing and actually use my account. And I'm no noob, I have rooted all my devices (Evo 4G, Galaxy Nexus, Nexus 7, Galaxy Tab 10.1) using ADB & had a jailbroken iPad. I STILL couldn't figure the damn thing out. lol

ScottJ says:

Why don't we wear helmets when we drive cars? It's because the slight safety benefit acquired doesn't warrant the hassle. Same here. If I had a huge amount of assets to steal or stellar credit to covet then I might be a little more worried. Hackers who got my identity would be sorely disappointed.

treich007 says:

That is sad, funny and all too familiar. But I am still using the two-step anyways.

OrionAntares says:

We wear seat belts.

And don't forget the 50 airbags they stuff into all the new cars.

turketron says:

We use passwords.

ScottJ says:

Seat belts are equivalent to passwords. I would never recommend anyone use anything but a random 10+ character password. Two-step authentication is overkill for the tin-foil hat folks.

Did you read @Mat's article? The hackers aren't after your identity. They're after your account and its contacts, for some sort of SPAM scheme. For @Mat, they just wanted to screw with his desirable three-letter Twitter account. They're usually just after your contacts so they can send some kind of plea for money or Nigerian prince scam as described in this much more informative article, from the Atlantic magazine last fall. It's got far more details than the Wired article, and is more relevant to Android users since it's about a hacked gmail account: http://www.theatlantic.com/magazine/archive/2011/11/hacked/8673/?single_...

My friend's yahoo email was hacked and used for SPAM recently. He was fortunate that they didn't wipe his decade's worth of emails and photos in it. He was even luckier that they didn't change his password to lock him out. It was just a hit & run attack.

At least Google offers us 2-step, which is really not that inconvenient once set up. None of the other major players do similar at this time, do they?

ScottJ says:

I began using 2 step verification after I got pickpocketed last year. The dude stole my cell phone and immediately tried to get into my gmail acct. Once in awhile the crook still tries to access my acct. because I've had to use the verification codes more than once a month. It's a PITA but for safety it's best to use the 2 step verification. Although when I recently had my ph reset back to GB I had to remove the 2 step verification in order to download apps from the Google play store. I immediately put the 2 step verification back on my Google acct. once my apps were reinstalled.

garfnodie says:

You shouldn't have to turn it off for that. You just have to make a new temp password and that's what you put into your google credentials in the system settings and accounts area.

icebike says:

Something funny about this report.

Once you set up two factor, your old passwords won't work at all, and something that tries to use the old codes won't trigger the need to use verification codes.

Further, you don't have to turn off two-factor just because you wiped your phone.
Just go to your trusted computer, and sign in to your google account there. You can re-establish an app specific code for the newly wiped phone.

The faq helps.

cj100570 says:

Been using it since it launched. I wouldn't dream of not using it. To those having trouble setting it up, here are some easy-to-follow tutorials:

http://support.google.com/accounts/bin/answer.py?hl=en&answer=1066447

http://www.howtogeek.com/105041/how-to-secure-your-google-account-with-g...

If these don't sort you out, you probably shouldn't be using technology!

smr260 says:

I won't bore everybody with the details, but I also had a bad experience that caused me to get locked out of my account. I am high on Two Step Authentication in theory, but it's just a hassle as is. I'm sure having my account hacked is also a hassle though...

Gekko says:

EDIT -

i don't like the lost/stolen phone "contingencies".

robpasell says:

The real take away from the story for me was how easy it appears to be to socially engineer Apple into giving away the farm.

I use it (and will continue to use it) even though it's a PITA for a flash-a-holic. Right now, my Authenticator apps for my phone and tablet give codes that don't "work." I figure next time I manage to sit down at my desktop computer I'll reset them.

jean15paul says:

I'm a new "flash-a-holic". I just rooted in the last 30 days and I've already flashed twice. How do you manage 2-step authentication if you're regularly flashing ROMs? Any tips would be appreciated.

icebike says:

You don't really need to run the Google Authentication app, and if you are going to be rooting and romming all the time don't install it at all.

Just get your codes via sms, or voice, (and maybe have a backup voice phone configured too.)

Then when you first boot up your new rom, It will want a new google password.

To get this, just fire up the Browser and log into your google account. It will ask for a 6 digit code, and one will arrive via sms or voice.

Key that code into the web browser pop-up, and you can log into your google account and create a new APPLICATION password which you can cut and paste into the password field for Android login.

The Google Authentication app can actually get in your way while flashing roms. Google won't send sms codes if you have the account set to use the authenticator.

By the way, you can set up the Google Authentication app on MORE than one device, so you can keep it on that old phone that just sits on your desk if you expect your phone to be out of commission while installing new roms.

technomom says:

"By the way, you can set up the Google Authentication app on MORE than one device, so you can keep it on that old phone that just sits on your desk if you expect your phone to be out of commission while installing new roms."

This. I keep Authenticator on my old HTC Inc for this very reason. Just be sure to keep a battery and charger around for the old phone too.

eKennedy says:

I've installed several different ROMs on my Evo and Evo LTE and have always just re-used the same application specific password I set up for the phone the first time. Yes, they say you should never need to remember the app specific codes, but if you do write them down somewhere (like in a LastPass note) then you don't need to get a new one each time you re-flash.

Google also says to check "remember this password" in apps with app-specific passwords so that you don't have to generate one each time you use the app. I learned that one the hard way with my chat client. LOL.

I'm also using LastPass Secure Notes to store my phone specific passwords.

Glenuendo says:

How does the Google Authenticator from the Play store work with all this? That is my major question.

Darkblue31 says:

I believe the authenticator generates 6 digit codes when you try to use your google account anywhere you haven't logged in yet, so it will ask you to go use the app on the phone etc and then enter that code on the site in question; the codes are time limited.

Glenuendo says:

So it's like entering a code into a device on the fly like a tablet such as a Touchpad?

icebike says:

No. Not for tablets.

For those you use an Application Specific password which authorizes the whole device, and your Gmail, Google Talk, Google Play store, etc. One password to rule them all, entered one time on the device. You generate this application specific Password on the Accounts.google.com webpage under security.

The Authentication app is for when you visit the Public Library, and want to read your gmail mail from there. (I don't recommend this, by the way).

When you try to log into Google from such a place it will pop up a box asking for a 6 digit number. Normally these 6 digit codes come to you via SMS. But if you want
you can install the authenticator app, and it will generate them for you.

You whip out your phone and launch Google Authentication and key in the number that appears on the screen into the web browser on the Library's computer.

It is TOTALLY unnecessary unless you work on a Nuclear Submarine or something where you can't get SMS messages.

Glenuendo says:

Thanks!!!

Cappurnikus says:

I will admit setting up 2 step verification can be a little cumbersome but my wife figured it out on her own and she isn't well versed with tech. Neither she nor I have ever been locked out of our account because we read the setup instructions and set up a backup.

gonzlobo says:

I use 2 step authentication and lastpass and have no issues whatsoever. RTFM.

sting7k says:

I'm really confused about this authenticator app. How does it work? If it can generate codes without an internet connection, how do those codes get tied to your account and how does Google know to accept them? Wouldn't it make more sense to make it like an RSA token? Like the Battle.net authenticator app that Blizzard uses.

still1 says:

When you activate 2 step authentication Google will give you a QR code which you have to scan using the authenticator app, and after that the account is linked just like RSA.

Then it will give an additional option to set up txt messages if the authenticator app doesn't work, and will also give you backup codes just in case you lose the phone.

icebike says:

The default is text messages.

You don't need the authenticator app.

hselomein says:

The same way an RSA token works: there is a generator on google's server and the same generator in the app. They most likely use your phone id to sync it up. Have you ever used a hardware RSA key? Same principle.

icebike says:

If you are confused by the Authenticator app DON'T INSTALL IT.

It is not necessary. You don't really need it. It's a great source of confusion.

Just take all the defaults when setting up 2-factor. Any time you need a 6 digit code, it will appear by magic in an SMS message.

rjmcnamara says:

Unless of course you don't have SMS turned on (why give even more money to the carriers, right?)

The problem that I had with the authenticator is that when I tried to re-sync my google account on my GNex, it wasn't able to sign me in via the JellyBean interface, and sent me off to a web interface to log in. While logging in, it wanted a "verification code from my mobile application". I popped up the authenticator, copied the code to the clipboard ... and wasn't able to get back to that web interface. It wasn't in the app buffer.

This is my first experience with the 2-step auth. It needs work.

still1 says:

So when you first flash, let's say ROM1 --> Get "application specific password 1" --> login with it.
When you flash ROM2 --> Revoke "application specific password 1" and get "application specific password 2" --> login with the new application specific password.

Just an FYI, you cannot use your password and code combination to authenticate Android if 2-step is activated. It has to be an "application specific password".

icebike says:

You can also just write down your APP Specific Password and glue it to your monitor if you know you are going to be flashing frequently. You don't have to generate a new one each time.

gadgetluva says:

For those of you who got locked out or couldn't get your devices back up and running, I think you're confused about which devices require application specific passwords, and how the authentication works. Overall, since I started using it, 2-step has become much easier to use, but it was definitely clunky at first. I'll sometimes turn it off if I need to, but generally leave it on as I know how important it is.

BTW, a good rule of thumb is to disable 2-step when you wipe your phone. Re-enable it later. Always have a print-out of the backup codes in a safe, accessible place. I generally keep a code on me with no identifiable markers so nobody knows what it's for just in case my phone gets lost/stolen and I'm away from home.

icebike says:

Disabling it is NEVER necessary. Even when wiping your phone.

Unless of course your ONLY device is your phone. You can use any computer to re-gen the app specific password when you re-setup the wiped phone.

mtmerrick says:

I tried this. Never again.
Yes, it's added security, but the hassle is NOT worth it.

icebike says:

What hassle?
Done once and done.

mtmerrick says:

apparently you've never used a multiple-user PC.

I tried this for several months. For getting into gmail when you're logged out it's no big deal. But the application specific passwords were a hassle. I dumped it when I upgraded my phone but couldn't activate my new phone because I had two-step authentication. I had to go online to turn it off and then activate my phone. I never went back to turn it on.

funkytoad says:

Well I just gave that a go and I'm pleased to announce that that is by far the worst google product/implementation I've ever come across. It doesn't even remind me of something Google might have created it's that poor.

Cares says:

I used to do this but it became a HUGE hassle. When wiping and flashing new ROMs, it is impossible to log in to Google to download Titanium Backup to restore my Authenticator. It took me forever to regain control of my own account. I had to remove it due to this huge inconvenience.

Stang68 says:

Yeah, I figured that would be an issue when wiping ROMs. That's why I'm using SMS codes instead of the Authenticator app. I don't need to be signed into Google Play to receive an SMS.

icebike says:

+1

SMS is safer.

Authentication app is something of a trap for the unwary. It really is seldom used at all. Just go with sms.

payaxy says:

Trouble is, in many countries SMS method does not work since it's not supported. So this is a no go for me :(

Koolthulu says:

Titanium Backup has an option to create a flashable zip file of itself, so you don't have to download it from the store each time you flash a new ROM.

kenyee says:

It's pretty much like the hardware RSA keys w/ the added fun of being tied to something on your phone. Good to know about the ROM wipe issue though..

Being more secure = more hassle. Most people hate hassle. That's why MS Outlook is the most popular email client instead of Lotus Notes which is craploads more secure but a PITA...

dwd3885 says:

If you are a ROM flasher, couldn't you just login to Google 2-step on a computer, and revoke access to the device and then create a new application pass code? This seems like it would work, right?

icebike says:

Yup. Just use your computer.

Oh, and since you KNOW you will be flashing that device, copy that application code and paste it on the wall. No need to gen a new one each time.

TwistedSyn says:

What's next, three step? Oh wait, I believe there is already a 10 step program. I know it's totally impossible to believe but my phone lives in a zero bar residence. I feel like I'm going to need a written check list like airplane pilots have to leave my house, not to mention some sort of carrying case for all my devices. Dang! Is this the best the tech world can come up with? A winking face is better than this 2 step idea. But I'm sure someone will say that security can be broken, but as is the case, all security systems are always broken into by someone.

rcpa says:

I tried this once, but I kept getting a notification on my phone that it failed to log into my account. Each time, I would click on the notification, which took me to the google login. I would then generate a new application specific password, and log in. Then 2 to 8 hours later, the notification would pop up again. After a couple of days of this, I gave up and turned off the two-step verification. I have a couple of apps that use my google login, such as Catch Notes and Beyond Pod, but I would have expected them to use the cached login of the phone. So I don't know if it was asking for a password for each of my apps as they tried to use my account, or if something else was wrong, but I got sick of reentering an application specific password over and over again.

IceDree says:

That's a great article Alex ... as always

I've read the article & the comments & I just wanna say Damn.
Personally I'm a HotMail user (only reason I've a Gmail is because Android requires one)

Regarding the Credit Cards mess, I wanna thank Bank Albilad for issuing prepaid credit cards that are NOT linked to my original\main account

yoinks says:

I just set it up. Wasn't terribly intuitive, but wasn't too bad. I like the idea. I'm sure it's just something to get used to.

Now I've got to figure out how to explain it to my mother :-D

ottscay says:

I've been using 2-step almost since it came out. It's a small price to pay for the extra security in my humble opinion.

jwdaigle says:

I'm surprised there are so many people that say this stuff is garbage. My experience has been altogether different, and I personally think that the occasional PITA is a small price to pay to protect yourself from being morphed into someone else.

I mean, think about all the juicy info locked up in your google account? Especially when you take advantage of OAuth access to other services (ie, "logging in with your google account")!

A few feedback items for the complainers:

1) I have never used the Authenticator app, probably never will. SMS works just fine, thank you. And if it doesn't, Google even offers to call you to tell you the code.
2) To all those that said "I got locked out"/"I was up the river without a paddle", did you not read the clear instructions? Print out the backup codes, and keep them in a safe place (please, not taped to the back of your cellphone! :-)). If you ever get into trouble, just use one of those.
3) Even easier than that, and assuming you have at least one trustworthy friend on planet Earth, set up a backup phone in case yours goes missing.
4) App-specific passwords for your Android phone and Google Chrome etc. are phenomenally easy to use. Just enter them once, so what's the problem?
5) If you select "remember this computer for 30 days" when you are reading email, guess what? It means you don't have to type that code every 30 days. Imagine that.

My personal complaint is that more sites (including this one!) don't yet implement logging in as a Google user (come on, you are Android Central, right? Related to Google I think? :-)).

I personally think that having to create a new account/password combination for every site you want to be a user on is a far bigger issue than this whole 2-step minor PITA.

Or worse, those that key in the same password to many sites, right?

Just my $.02...

ybcthanerd says:

Wow, this is crazy, people locking themselves out of their own account. I've been using this since I had my G2, can't think of not using it. Works great, never had any problems. This application is not that hard, people, just READ before you accept.

S_C_B says:

:-)

Jet300 says:

I just use SMS. When I flash a ROM I bypass the account setup and get the PHONE running first. Then I set up my Gmail account. Google tells me it can't log in and automatically takes me to web account sign-in ... I put in my password and within 10 seconds get my 6-digit code via SMS. I type that in the box and sign in ... It all takes about 30 seconds.

Scary part is every 2 months or so I get a random SMS from Google with a verification code. That means someone somewhere has my password and can't get in ... Scary stuff

BTW I have never ever used Authenticator. I have Google services linked to my 2 home laptops, my 3 Android handsets, the Nexus 7, and my iPad (gasp! Lol) ... Never needed it ever. Just use SMS, or a voice call if you don't have SMS for some reason or another. You can generate application-specific passwords when need be at: accounts.google.com

Most Google services just prompt for the 6-digit code now anyway......

movielover76 says:

If I used Google Wallet I'd consider it, but as I don't, it's just too much of a hassle.
Things like this are good if you need tight security, but for the user who only has an email account and non-vital data in the cloud it just makes things too complex; the point of a smartphone is to make things quick and easy. As far as getting into Facebook, Twitter etc., have at it, there's nothing important on those sites anyway.

If someone gets in and buys stuff or devices on Google Play, I'll have the credit card company deal with it.
You physically hand your credit card information to people at stores every day. I had a cab driver run up $1000 on my credit card this January and the credit card company took care of it. Even with a simple combo lock, the information in my smartphone is more secure than any of the credit cards in my wallet.

mcleodglen says:

So why don't companies needing a password prevent rapid cracking attempts or enforce a maximum number of wrong tries? Every time I ever tried to log in at Gmail or Hotmail with a wrong password I was prevented after three or five attempts. How do hackers manage?

DThor says:

First off: if you have a phone with you most of the time, and you use Google for pretty much anything that you wouldn't like to fall into a stranger's hands, then you should start using it. Secondly, it is *not* a hassle, nor is it buggy or screwy or whatever else it's been called. It works perfectly well; I just set it up for the first time and it went flawlessly. You just need to RTFM, and in this case not really, since there is only a simple process to follow and a follow-up email you should read and follow its advice for further tweaking. I have a phone and a tablet; they are both authenticated and won't need to be from now on (barring a factory wipe, I suspect), my home computers will only ask me for a 6-digit number once a month, which is generated by my phone with one click, and public logins use that same process each time. Honestly, it couldn't be much simpler and gives great peace of mind.

Not saying this to be argumentative with those dismissing it as 'too much trouble' or 'buggy', but for those wondering who to believe: it works fine, and if you use Google much, it's smart.

mattlove says:

Great article. Better safe than sorry

moonnite says:

Too bad the 'Application Authentication' cannot be used without the 2-step feature, because I would definitely make use of that feature.

fillossofer says:

Thanks for the kick in the ass. I finally did it (took all of twenty minutes). There's so much personal info tied to my Google account that if someone were to gain access and change my password, I'd be SCREWED. Now I feel a bit better about the security of my account.

FloridaPhil says:

Unless I am missing something here, this is just way too much like hard work unless you only have one Google account and maybe a couple of devices.

I have 4 different Google identities on 6 different devices with literally dozens of apps that use my Google identities. There is no way in hell I have the time or patience to screw around individually authorizing each and every application that requires access.

Also, am I correct in thinking that if I want to use a friend's PC to pick up my Gmail, I have to authenticate that PC?

Give me an option to authenticate the entire device in one easy step and I'll do it. For now I'll rely on a password manager with a complex master password.

jconnon says:

My Google Voice number is my Sprint cell number. It says not to use your Google Voice number. Is there another option, or am I just missing something simple?

jensph says:

I have the same question... Though, if we are locked out of our Google accounts, wouldn't the cell phones still receive an SMS?

David Kerr says:

I too have been trying to use the Google Authenticator on my Android tablet to complete the two-stage sign-in, but every time I try to enter a verification number that was generated on my Android tablet into the verification window when completing the sign-in process on my main computer, a message comes up in red saying that the verification number is incorrect. I know that the number is correct, as the Google Authenticator generated that number, so it must be correct. So what is going wrong? I would like to use my tablet plus Google Authenticator to allow me to sign into Google from my main machine, as my mobile phone is sometimes on charge and a charge only lasts a couple of days.

Dial2Verify says:

Check this out as a sample code

Ref: http://code.google.com/p/missed-call-otp/wiki/SampleCode2

The source code is shared for developers' reference, to implement user authentication via missed calls (by using the mOTP API).

Step 1: To send a one-time password to the user's phone:

// Request an OTP for the user's phone number. Note that the API is called over
// plain HTTP here, so the API key travels unencrypted.
$replye = file_get_contents("http://api.motp.in/v1/YOUR_API_KEY_HERE/" . "USER_PHONE_NUMBER_HERE");
$reply = json_decode(trim($replye), true);
if ($reply["Status"] == "Success") {
    // OTP sent, session ID is in $reply["Result"]
    // you need the session ID to get the correct code
}

Step 2: To decode pin / password sent to user's phone (for the session ID that is returned on the previous step, so you can compare with what the user entered on auth form ):

// get the login OTP that was sent to the user, authenticated with the private key
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http://api.motp.in/v1/OTP/YOUR_API_KEY_HERE/" . $reply["Result"]);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, "private=YOUR_PRIVATE_KEY_HERE");
$replye = curl_exec($ch);
curl_close($ch);
$reply = json_decode(trim($replye), true);
if ($reply["Status"] == "Success") {
    // correct code is in $reply["Result"]
    // you can now compare it with what the user entered
    // obviously, you must let the user enter the received code before comparing
}

You can push the code to the user and get a session ID first, then have the user input the code and only then retrieve the correct one from the API, or you can do like me and do it all in one run, storing the correct code in a session variable and only comparing it later when the user provides it.