No excuses: It's time to turn on two-step authentication
If you’ve been watching the wider tech world over the past couple of days, you’ll be familiar with the recent misfortune of Wired writer Mat Honan, who succumbed to a devastating hacking attack that annihilated his iCloud, Twitter and Google accounts and locked down several devices in the process.
In Honan’s case, the attack was enabled by compromised (yet publicly available) personal info, as well as failures by Amazon and Apple customer support, rather than a traditional brute-force attack or contact with malware. But a crucial part of what allowed the attackers to take down not only his Apple accounts and devices, but also his Gmail and Google stuff, was the fact that he wasn’t using Google’s two-step authentication to protect his account.
Stories like these always bring home the importance of basic digital security precautions. And one of the most basic, yet most effective steps you can take to protect your account is turning on two-step.
Read on to find out how and why you should do it.
What is two-step authentication?
Two-step authentication adds an extra layer of security by requiring you to enter a six-digit code, generated by Google and sent to your phone, when you sign into your account. That means even if your password is cracked, your account should still be safe. Chances are whoever’s trying to break into your account from afar doesn’t have your phone in their possession, so they can't get that secondary code.
You can set up six-digit verification codes to be sent via SMS, or if you’re an Android, BlackBerry or iPhone user, there’s an app called Google Authenticator, which you can use to generate a code instantly. You set the app up by opening your Google account's two-step settings on your phone and scanning a secret barcode shown on-screen with the phone’s built-in camera; from then on the app generates the codes itself.
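What the app actually does with that scanned secret is the time-based one-time password algorithm (TOTP, RFC 6238), which is what Google Authenticator implements: the barcode carries a shared secret, and each six-digit code is an HMAC of the secret and the current 30-second time slot. The following is an added example, not Google's code; the issuer and account name are made up, and the shared secret is the ASCII string "12345678901234567890" that RFC 6238 publishes test vectors for, so the results can be checked against the RFC.

```python
"""Added example: generating and checking six-digit TOTP codes (RFC 6238,
as used by Google Authenticator). Not Google's code; names are constructed."""
import base64
import hashlib
import hmac
import struct
import time
import urllib.parse

STEP_SECONDS = 30   # Google Authenticator uses 30-second time slots
DIGITS = 6          # and six-digit codes


def provisioning_uri(issuer: str, account: str, secret_b32: str) -> str:
    """The content of the 'secret barcode' the app scans: an otpauth:// Key URI.
    The QR image is just this string rendered as a barcode."""
    label = urllib.parse.quote(f"{issuer}:{account}")
    query = urllib.parse.urlencode({"secret": secret_b32, "issuer": issuer})
    return f"otpauth://totp/{label}?{query}"


def totp(secret_b32: str, unix_time: int) -> str:
    """Code for the 30-second slot containing unix_time. It depends only on
    the secret and the clock, which is why the app works in airplane mode."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", unix_time // STEP_SECONDS)       # 8-byte big-endian slot number
    digest = hmac.new(key, counter, hashlib.sha1).digest()         # HOTP core (RFC 4226)
    offset = digest[-1] & 0x0F                                     # dynamic truncation
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** DIGITS).zfill(DIGITS)


def verify(secret_b32: str, submitted: str, unix_time: int, drift_steps: int = 1) -> bool:
    """Server-side check: accept the current slot plus/minus drift_steps slots of
    clock skew, comparing in constant time."""
    for k in range(-drift_steps, drift_steps + 1):
        candidate = totp(secret_b32, unix_time + k * STEP_SECONDS)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


# Constructed shared secret: the ASCII key from the RFC 6238 test vectors,
# base32-encoded the way it would appear in the barcode.
RFC6238_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    print(provisioning_uri("Example", "alice@example.com", RFC6238_SECRET_B32))
    print("code at T=59 :", totp(RFC6238_SECRET_B32, 59))   # 287082 per RFC 6238
    print("code right now:", totp(RFC6238_SECRET_B32, int(time.time())))
```

The drift window is the practical trade-off on the server side: one slot either way keeps a phone with a slightly wrong clock usable, while a wider window makes guessing easier. A real server would also refuse to accept the same code twice within its window.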
What about Android devices and certain apps?
Sometimes an app or device that uses your Google account isn’t able to ask you for a verification code, or it isn’t practical or desirable to have it ask for one. The main example here is Android devices. Sign into one with two-step authentication enabled and you’ll need to use an “application-specific password” instead. These are passwords that give a single app or device access to your Google account at any one time. You can get to them by navigating to accounts.google.com and clicking “Security” from the sidebar, then “Authorizing applications and sites.”
Yes. This part is a pain. But it's important to do.
For example, if you’ve got a Galaxy Nexus and a Nexus 7 tablet, you’d create one for the phone and another for the tablet, and you'd only need to enter it once on the device you're using it for. If you need to stop either from being able to access your Google account, for whatever reason, you can simply hit “revoke” next to the name of the device. And as that password is 16 characters long and only usable by one app or device at a time, everything’s kept securely siloed.
Two-step authentication is good, but it isn’t flawless -- what if your phone’s stolen, for instance? To make sure you’re not locked out of your account if the unexpected happens, Google has a few contingencies in place:
- When you first sign up for two-step authentication, you’ll be asked to provide backup phone numbers, which you can use to get hold of a six-digit verification number in the event that your primary phone is indisposed.
- You’ll also be given a set of backup codes, each of which allows you to sign in once. If your main phone is unavailable, and you’re unable to get to any of your backup numbers, this will allow you to sign in once and set things straight.
- Contrary to what you might think, the Google Authenticator app for Android doesn’t require an Internet connection to work. Even in airplane mode, it’ll generate a working verification code.
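The two fallbacks described above, per-device application-specific passwords that can be revoked one at a time and backup codes that each work exactly once, share a simple server-side shape: the account stores only a salted hash of each secret, an app password is looked up by device and deleted on "revoke", and a backup code is deleted the moment it is redeemed. The following is an added example of that model, not Google's implementation; the 16-lowercase-letter app-password format and the 8-digit backup-code format are assumptions, and the device names are taken from the article.

```python
"""Added example: a server-side model of revocable per-device app passwords
and single-use backup codes. Not Google's code; formats are assumptions."""
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass, field

APP_PASSWORD_ALPHABET = string.ascii_lowercase   # assumed format: 16 lowercase letters
APP_PASSWORD_LENGTH = 16
BACKUP_CODE_DIGITS = 8                           # assumed format: 8 decimal digits


def _hash(secret: str, salt: bytes) -> bytes:
    # These tokens are long and random, so a salted SHA-256 is adequate;
    # a slow KDF is needed for human-chosen passwords, not for these.
    return hashlib.sha256(salt + secret.encode()).digest()


@dataclass
class Credential:
    salt: bytes
    digest: bytes

    def matches(self, submitted: str) -> bool:
        return hmac.compare_digest(self.digest, _hash(submitted, self.salt))


@dataclass
class Account:
    app_passwords: dict = field(default_factory=dict)   # device name -> Credential
    backup_codes: list = field(default_factory=list)    # Credentials not yet used

    def issue_app_password(self, device: str) -> str:
        """Return the plaintext once; only a salted hash is kept."""
        plaintext = "".join(secrets.choice(APP_PASSWORD_ALPHABET)
                            for _ in range(APP_PASSWORD_LENGTH))
        salt = secrets.token_bytes(16)
        self.app_passwords[device] = Credential(salt, _hash(plaintext, salt))
        return plaintext

    def revoke_app_password(self, device: str) -> None:
        """Cut off one device without touching the others."""
        self.app_passwords.pop(device, None)

    def device_for(self, submitted: str):
        """Which device, if any, is signing in with this app password."""
        for device, cred in self.app_passwords.items():
            if cred.matches(submitted):
                return device
        return None

    def issue_backup_codes(self, count: int = 10) -> list:
        """Replace any existing set; return the plaintext codes once for printing."""
        codes = [str(secrets.randbelow(10 ** BACKUP_CODE_DIGITS)).zfill(BACKUP_CODE_DIGITS)
                 for _ in range(count)]
        self.backup_codes = []
        for code in codes:
            salt = secrets.token_bytes(16)
            self.backup_codes.append(Credential(salt, _hash(code, salt)))
        return codes

    def redeem_backup_code(self, submitted: str) -> bool:
        """True at most once per code: the matching entry is deleted on success."""
        for i, cred in enumerate(self.backup_codes):
            if cred.matches(submitted):
                del self.backup_codes[i]
                return True
        return False


if __name__ == "__main__":
    acct = Account()
    phone_pw = acct.issue_app_password("Galaxy Nexus")
    tablet_pw = acct.issue_app_password("Nexus 7")
    print("phone signs in as:", acct.device_for(phone_pw))
    acct.revoke_app_password("Galaxy Nexus")
    print("after revoke, phone password resolves to:", acct.device_for(phone_pw))
    print("tablet still works:", acct.device_for(tablet_pw))
    codes = acct.issue_backup_codes(3)
    print("backup code first use:", acct.redeem_backup_code(codes[0]))
    print("backup code second use:", acct.redeem_backup_code(codes[0]))
```

Because each device has its own entry, revoking the phone's password leaves the tablet signed in, which is the "securely siloed" property the article describes; and because redeeming a backup code deletes its hash, a printed sheet of codes that someone else reads later is only as useful as the codes you have not yet used.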
How two-step could’ve helped Mat Honan, and how it might help you
Amazon and Apple’s customer service blunders (combined with iCloud’s lack of two-step security) had already ensured that Mat Honan’s iPad, iPhone and MacBook were toast. However, enabling two-step authentication could’ve saved his Google account, and the Twitter accounts that were associated with it.
Assume you don't have two-step authentication turned on. If you want to try to recover your password (because you're dumb and forgot it), you're given a few options for account recovery. One of them sends a recovery email to an alternative address you've already linked, and that address is only partly masked on the recovery page. That’s how the hacker got into Mat Honan’s account -- without two-step, his recovery address of email@example.com was easy to guess. From there, it was simply a case of taking advantage of lapses in Amazon and Apple’s customer service security to take over that account, and then have a password reset email sent to that me.com address.
Had two-step authentication been enabled, the hacker would’ve instead seen a message like this when they attempted password recovery -- an instant roadblock in their attempts to hijack Honan’s Google account.
Journalists, especially those dealing in technology, aren’t normal cases when it comes to phone or web account usage, so if you're not broadcasting your name all over the Internet, you're less likely to fall victim to these kinds of shenanigans.
Nevertheless, it's a simple and easy precaution, and one that everyone with a Google account, and particularly those heavily invested in Google's ecosystem, should take. Depending on how you use Gmail, an attacker gaining control of it could effectively have the master keys to your digital life. What's more, they could gain access to all the purchases and other content associated with your Google account -- if you're a big Android user, that could amount to a significant quantity of stuff. Worse still, if they pulled the plug on your account, you might lose all of this.
So despite the minor, occasional inconvenience, please, please turn on two-step authentication on your Google account. You'll thank us when no-one hacks your shit.
Alex was with Android Central for over a decade, producing written and video content for the site, and served as global Executive Editor from 2016 to 2022.
or What month and year did you activate your Gmail account? It's been YEARS and I don't remember either. I tried again around 6 months later and it let me just use the codes and not the crazy questions. When I was first locked out, you couldn't get support either without knowing the answer to those questions.
or What month and year did you activate your Gmail account?" All you have to do is log in to your account as normal with your password, and then it will ask for a code; then use the backup code you saved somewhere and BAMH, you are back. Then you have to activate the app to display the code for you.
Takes 30 seconds per device, and done. From then on, you might have to enter a 6 digit code once every 30 days, on a non-trusted computer. ONLY on a non-trusted computer. (like your work machine, or something) Then you just whip out your Android, open the authentication app and key in the code. Done. But apps on your computer such as Thunderbird or some such need only be given an app specific password once. And you can get that code right on your phone if you need it. Really, the biggest problem is in your head. The fact that the links in the Google Help pages don't always take you to where they say they take you is annoying but not that hard to deal with.
Just go to your trusted computer, and sign in to your Google account there. You can re-establish an app-specific code for the newly wiped phone. The FAQ helps.
You can install the authenticator app, and it will generate them for you. You whip out your phone and launch Google Authenticator and key in the number that appears on the screen into the web browser on the library's computer. It is TOTALLY unnecessary unless you work on a nuclear submarine or something where you can't get SMS messages.
So let's say ROM1 --> get "application specific password 1" --> log in with it.
When you flash ROM2 --> revoke "application specific password 1" and get "application specific password 2" --> log in with the new application specific password. Just an FYI, you cannot use your password and code combination to authenticate Android if 2-step is activated. It has to be an "application specific password".
Yes, it's added security, but the hassle is NOT worth it.
Done once and done.
Personally I'm a Hotmail user (the only reason I've a Gmail is because Android requires one). Regarding the credit cards mess, I wanna thank Bank Albilad for issuing a prepaid credit card that is NOT linked to my original/main account.
2) To all those that said "I got locked out"/"I was up the river without a paddle", did you not read the clear instructions? Print out the backup codes, and keep them in a safe place (please, not taped to the back of your cellphone! :-)). If you ever get into trouble, just use one of those.
3) Even easier than that, and assuming you have at least one trustworthy friend on planet Earth, set up a backup phone in case yours goes missing.
4) App-specific passwords for your Android phone and Google Chrome etc. are phenomenally easy to use. Just enter them once, so what's the problem?
5) If you select "remember this computer for 30 days" when you are reading email, guess what? It means you don't have to type that code every 30 days. Imagine that. My personal complaint is that more sites (including this one!) don't yet implement the use of logging in as a Google user (come on, you are Android Central, right? Related to Google I think? :-)). I personally think that having to create a new account/password combination for every site you want to be a user on is a far bigger issue than this whole 2-step minor PITA. Or worse, those that key in the same password to many sites, right? Just my $.02...
Things like this are good if you need tight security, but for the user who only has an email account and non-vital data in the cloud it just makes things too complex; the point of a smartphone is to make things quick and easy. As far as getting into Facebook, Twitter etc., have at it, there's nothing important on those sites anyway. If someone gets in and buys stuff or devices on Google Play, I'll have the credit card company deal with it.
You physically hand your credit card information to people at stores every day, I had a cab driver run up $1000 on my credit card this January and the credit card company took care of it. Even with a simple combo lock the information in my smartphone is more secure than any of the credit cards in my wallet.