No excuses: It's time to turn on two-step authentication

If you’ve been watching the wider tech world over the past couple of days, you’ll be familiar with the recent misfortune of Wired writer Mat Honan, who succumbed to a devastating hacking attack that annihilated his iCloud, Twitter and Google accounts and locked down several devices in the process.

In Honan’s case, the attack was enabled by compromised (yet publicly available) personal info, as well as failures by Amazon and Apple customer support, rather than a traditional brute-force attack or contact with malware. But a crucial part of what allowed the attackers to take down not only his Apple accounts and devices, but also his Gmail and Google stuff, was the fact that he wasn’t using Google’s two-step authentication to protect his account.

Stories like these always bring home the importance of basic digital security precautions. And one of the most basic, yet most effective steps you can take to protect your account is turning on two-step.

Read on to find out how and why you should do it.

What is two-step authentication?

Google Two-Step Authenticator

Two-step authentication adds an extra layer of security by requiring you to enter a six -digit code, generated by Google and sent to your phone, when you sign into your account. That means even if your password is cracked, your account should still be safe. Chances are whoever’s trying to break into your account from afar also doesn’t have your phone in their possession, so they can't get that secondary code.

You can set up six-digit verification codes to be sent via SMS, or if you’re an Android, BlackBerry or iPhone user, there’s an app called Google Authenticator, which you can use to generate a code instantly. These apps work by accessing your Google account on your phone, then scanning a secret barcode on-screen using the phone’s built-in camera.

What about Android devices and certain ap​ps?

Sometimes an app or device that uses your Google account isn’t able to ask you for a verification code, or it isn’t practical or desirable to have it ask for one. The main example here is Android devices. Sign into one with two-step authentication enabled and you’ll need to use an “application-specific password” instead. These are passwords that give a single app or device access to your Google account at any one time. You can get to them by navigating to and clicking “Security” from the sidebar, then “Authorizing applications and sites.”

Yes. This part is a pain. But it's important to do.

For example, if you’ve got a Galaxy Nexus and a Nexus 7 tablet, you’d create one for the phone and another for the tablet, and you'd only need to enter it once on the device you're using it for. If you need to stop either from being able to access your Google account, for whatever reason, you can simply hit “revoke” next to the name of the device. And as that password is 16 characters long and only usable by one app or device at a time, everything’s kept securely siloed.


Two-step authentication is good, but it isn’t flawless -- what if your phone’s stolen, for instance? To make sure you’re not locked out of your account if the unexpected happens, Google has a few contingencies in place:

  • When you first sign up for two-step authentication, you’ll be asked to provide backup phone numbers, which you can use to get hold of a six-digit verification number in the event that your primary phone is indisposed.
  • You’ll also be given a set of backup codes, each of which allows you to sign in once. If your main phone is unavailable, and you’re unable to get to any of your backup numbers, this will allow you to sign in once and set things straight.
  • Contrary to what you might think, the Google Authenticator app for Android doesn’t require an Internet connection to work. Even in airplane mode, it’ll generate a working verification code.

How two-step could’ve helped Mat Hona​n, and how it might help you

Amazon and Apple’s customer service blunders (combined with iCloud’s lack of two-step security) had already ensured that Mat Honan’s iPad, iPhone and Macbook were toast. However, enabling two-step auth. could’ve saved his Google account, and the Twitter accounts that were associated with it.

Assume you don't have two-step authentication turned on. If you want to try to recover your password (because you're dumb and forgot it), you're given a few options for account recovery. Part of this involves letting you send a recovery email to an alternative email address you've already linked, and this is only partly obfuscated on the recovery page. That’s how the hacker got into Mat Honan’s account -- without two-step, his recovery address of m****** was easy to guess. From there, it was simply a case of taking advantage of lapses in Amazon and Apple’s customer services security to take over that account, and then have a password reset email sent to that address.

Had two-step authentication been enabled, the hacker would’ve instead seen a message like this when they attempted password recovery -- an instant roadblock in their attempts to hijack Honan’s Google account.

Journalists, especially those dealing in technology, aren’t normal cases when it comes to phone or web account usage, so if you're not broadcasting your name all over the Internet, you're less likely to fall victim to these kinds of shenanigans.

Nevertheless, it's a simple and easy precaution, and one that everyone with a Google account, and particularly those heavily invested in Google's ecosystem, should take. Depending on how you use Gmail, an attacker gaining control of it could effectively have the master keys to your digital life. What's more, they could gain access to all the purchases and other content associated with your Google account -- if you're a big Android user, that could amount to a significant quantity of stuff. Worse still, if they pulled the plug on your account, you might lose all of this.

So despite the minor, occasional inconvenience, please, please turn on two-step authentication on your Google account. You'll thank us when no-one hacks your shit.

Alex Dobie
Executive Editor

Alex was with Android Central for over a decade, producing written and video content for the site, and served as global Executive Editor from 2016 to 2022.