I hear that there’s a new security system you can enable on Google Gmail and the rest of the Google suite that requires you to have your smart phone along with your password? What’s the security system called [ed note: "2-step verification"] and how can I use it for my own account?
You’re talking about something that I am pretty excited about, actually. One of the classic problems with password security is that the security is only as good as the password remains secret. If someone has your password, not only can they get into your account but they can then change the password and shut you out.
There are challenge systems where you have a separate device used for security: to log in, the system prompts you with a sequence of digits and you then enter that into the device which transforms it uniquely. You then use the resultant value to prove that you’re you (or, more accurately, that you have the device in hand).
A password is known as a “what you know” challenge, while an authentication device is a “what you have” challenge. Each has its weaknesses, but combine the two and you have a pretty decent security system, one where even if someone steals your password they can’t get in without also having your device.
Problem is who is going to carry a separate device?
Enter the smart phone…
As you have heard, Google’s enabled a 2-step verification system that makes every Google property – including Gmail – tons more secure and ideal for if you’re on the road. It combines your existing password with an app on your smartphone that generates one-time verification codes: if you enable it you’ll need to both to log in each and every time thereafter.
I think it’s awesome and enabled it the first minute I could. I think you should too.
The down side? The 2-step verification system is pretty darn complicated to get set up! It’ll take us at least twenty screen captures even to illustrate it and Google suggests you allocate 15-20 minutes to complete the setup.
To get started — and you should! — you need to jump to Google Account Management once you’ve logged in to the system. Now under personal security options you’ll see:
Click on the 2-step verification link. If you’re unlucky, you’ll see this:
Hopefully, however, you don’t have to wait and it’s ready for you, in which case you’ll see this instead:
Ready? Have the time to do this? You can’t stop halfway…
Click on “Set up 2-step verification”…
Now you’ll find that you can only do this if you have a smartphone. I have an iPhone so that’s what I’ll choose:
After selecting my phone, I click on “next” and learn that the next step involves me picking up my phone and installing an app:
On the iPhone I jump to the App Store and search for “Google Authenticator”:
Ah, there it is. And it even has decent star ratings. Regardless, time to download it, which can easily be done by tapping on the green “FREE” button.
Once it does you’ll need to start the application. The opening screen looks like this:
Tap on the ~ez_ldquo+ez_rdquo~ and the next screen on your iPhone (or other smart phone) prompts you to enter your account information:
But wait, it’s cooler than that! Back on your computer, click on the “next” button and you’ll find a QR Code shows up on your screen:
Now, back to the smartphone app. Tap on “Scan Barcode” and it’s a QR Code reader! All you have to do is point it at the QR Code on your screen:
Seconds later it scans and reads your account information and you get your first verification code:
Here’s where it gets interesting. Just stare at the app for a minute or two: the codes are based on both the current time and your account information, so if you wait long enough, you’ll see that it changes. In fact, the tiny little circle on the top left is a timer: every time it goes a full revolution the code changes. Neat, eh?
Okay, focus. Back to the Web and to setting this up! Click on “next” and you’ll have a chance to test the new verification code:
I enter my current code and click Verify and…
Check that out. It’s working!
Click on “next” to proceed…
Ah, great, they really have thought this through, because it is quite possible to end up needing to log in to your Google / Gmail account but not have your smartphone and therefore not be able to enter the time-based verification code. What’s their solution? Click on “next” to find out!
That makes sense. I printed two copies and have one stashed in my wallet while the other is in my office. I imagine that there’s a way to get new one-time codes if/when these are used up, but that’s the subject of a different blog post. Let’s stay focused here! Jeez, you’re so easily sidetracked.
Where were we? Oh yeah, so we printed out the temp passwords. Now there’s another emergency backup choice:
I opted for an automated voice message to a backup phone number of my own. If you’re in a relationship it might be your partner’s mobile device (or your kids phone, or your parents, etc etc).
Interesting, but so far I haven’t been able to figure out what that means. Since I don’t actually use Picassa, it might not be a big deal anyway. For now, I’ve been alerted that there’s going to be something different about how I log in to those services (and I presume that over time they’ll be fixing that so that all Google apps have support for the 2-step verification process).
Click “next” yet again and we’re almost done!
Sheesh. I told you it’s a complicated process, right? Everything look good? Click the big blue button!!
No, really, you do want to do this, right?
So what’s it look like when you use the Google 2-step verification system? Here’s what it looked like when I went to log in to Gmail again:
So far, pretty normal. But when I click on “Sign In”, it now prompts me for the latest numeric code on my Google Authentication app:
When I enter that correctly and click on “Verify”, I’m in, with a security system now based on what I know (a password) and what I have (my smartphone with the Google Authenticate app).
Incredibly cool. Now, how long until other sites start offering the same increased security? And, for that matter, how long until you turn it on for your Google account?