How to set up Google's two-step verification

To better protect your digital life, specifically your Google account, turn on two-factor authentication for your Gmail account. With a few minutes of setup time, your account will be much more secure -- with very little hassle.


Did you read Mat Honan's tale of woe last week? The one where his Amazon, Apple, Gmail, and Twitter accounts were hacked and his digital life was eradicated?

If not, I strongly encourage you to read his story. In a nutshell, hackers strung together pieces of information to gain access to several important online accounts. The results were personally devastating for him. But his story is a good lesson for all of us. After learning the details of the attack -- from one of the hackers himself, no less -- Honan says he regrets three things most of all.

1. Turning on Find my Mac, which let the hackers erase his MacBook.

2. Not creating regular, local backups of his MacBook, including his photo library.

3. Not using Google's two-step verification, which would have prevented the hackers from getting into his Gmail account and perhaps his Twitter account, the true target of the attack.

That last item is a good reminder for anyone who uses Google for e-mail and its ever-growing suite of apps. Two-step verification (also called two-factor authentication) adds another layer of security to your account. With it turned on, you (or a would-be hacker) would need to take two steps to log in to your Gmail account. In addition to your regular password, you'll need a six-digit code that gets sent to your phone immediately whenever you try to log in. This means a hacker can't break into your account even if they've cracked your password. They'd also need physical possession of your phone.

If that seems overly cumbersome, don't worry. You don't actually have to wait for that texted code every time you log in. In this post, we will cover how to set up two-step verification for your Google account in just a few minutes -- and how to do it without adding extra steps to your everyday routine.

Setting up two-factor authentication
To get started, click here and log in with your Gmail credentials.

Confirm that the phone number listed here is the cell phone you'd like to receive passcodes on. Once your phone number is set, you need to decide how you'd like the code sent to your phone: via voice, text, or mobile app.

Choose your delivery method for two-step verification codes. Screenshot by CNET

Now you can test out the system. Click "Send code", and a verification code will arrive on your phone in a matter of seconds. Enter that code and hit "Verify," then "Next."

Test out two-step verification. Screenshot by CNET

Next you will be asked whether you are using a trusted computer. If you are on a computer you use frequently and that you feel is secure, such as a home desktop or a computer only you use at work, you can tell Google to trust it and you won't be asked for the two-step verification code when you log in from that machine. From any untrusted computers, you (or anyone trying to get into your account) will be required to enter both the password and a two-step verification code whenever you attempt to log in to your account.

Now click the red button to turn on two-step verification and re-enter your password.

Screenshot by Matt Elliott/CNET

Using two-factor authentication
But, wait, there's more!

After turning on two-step verification for your Google account, there are two other quick items to attend to.

1. Make a backup plan in case you lose your phone.

You can build in some redundancy for your two-step verification code by adding a second phone number as a backup. You can use the phone number of a trusted family member or friend, and Google can send a code to that person if you ever need to log in and your phone is misplaced, broken, lost, or stolen. To do this, head over to Google's Accounts > Security page and click the Edit button next to two-step verification to add a backup number.

On this page, you can also print a list of backup codes, which you can use to log in. Click the "Show backup codes" link for a list of printable codes, which you can then keep in a safe spot.

You can also use a mobile app to receive codes. The Google Authenticator app is available for iPhone, Android, and BlackBerry platforms and is useful for when you don't have cell service or want to avoid running up the text messaging portion of your cell phone bill.

Screenshot by Matt Elliott/CNET

2. Set application-specific passwords.

If you have apps that use your Google account, you will need to create application-specific passwords for them. This step is commonly required for smartphones, mail clients that use IMAP/POP (such as Outlook Express, Thunderbird, or Apple Mail), and chat clients.

Setting up passwords for apps. Screenshot by CNET

To see a list of the apps that have access to your Google account, click the "Manage application-specific passwords" link on the two-step verification management page.

Managing application-specific passwords. Screenshot by CNET

At the top you'll see a list of the apps to which you've granted access to your Google account, such as Google+. Toward the bottom of the page, you'll see an area where you can generate a password for your apps.

Generate application-specific passwords for new apps. Screenshot by CNET

Start by giving it a name, e.g. "Gmail on my iPhone." Then click the "Generate password" button. This will create a 16-digit code to use with the app you've specified.

Generating a code for a phone. Screenshot by CNET

Switch over to the phone or app you're using, and enter this code to log in to your Gmail account. Thankfully, you need to do this only once per app or device. You can revoke the app's access to your Gmail account at any time from this same page. If a phone or tablet that has access to your Gmail account is ever lost or stolen, remember to log in to Gmail immediately in a Web browser and revoke access from that device.
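The Google Authenticator app mentioned in the backup plan above works without cell service because it computes each six-digit code on the phone from a secret shared at setup and the current time, using the standard TOTP algorithm (RFC 6238). The sketch below is an added example, not code from this article or from Google; the secret is the published RFC 6238 test key, and the one-step drift window in `verify` is an assumption about how a server might tolerate clock skew.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds each code stays valid (RFC 6238 default)
DIGITS = 6   # length of the code shown in the app

# Constructed sample: base32 of the RFC 6238 test key "12345678901234567890".
# A real secret is random and is delivered once, at setup, as a QR code.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32, unix_time, step=STEP, digits=DIGITS):
    """Return the code for the time step that contains unix_time."""
    key = base64.b32decode(secret_b32.replace(" ", "").upper())
    # The moving factor is the number of whole steps since the Unix epoch.
    counter = struct.pack(">Q", int(unix_time) // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    # Dynamic truncation (RFC 4226): the low nibble of the last byte
    # selects which four bytes of the digest become the code.
    offset = digest[-1] & 0x0F
    number = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % 10 ** digits).zfill(digits)


def verify(secret_b32, submitted, unix_time, window=1):
    """Server-side check: accept the current step and `window` steps
    either side, to tolerate a phone clock that is slightly off."""
    ok = False
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, unix_time + drift * STEP)
        # Constant-time comparison avoids leaking how many digits matched.
        ok |= hmac.compare_digest(expected, submitted)
    return ok


if __name__ == "__main__":
    import time
    now = time.time()
    code = totp(SAMPLE_SECRET, now)
    print("current code:", code, "accepted:", verify(SAMPLE_SECRET, code, now))
```

Because the code depends only on the secret and the clock, anyone who copies the secret can generate valid codes, which is why the setup QR code should be treated like a password.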

There is no question that two-step verification adds a bit of hassle to your digital comings and goings, but it's a slight inconvenience worth the trouble, we think you'd agree, when the alternative can be something as devastating as getting hacked to the extent that Wired's Mat Honan did.

For more tips on protecting your Google account, read Sharon Vaknin's five best practices for warding off hackers.

