Doing the Two-Step With Google
With the typical username and password security employed by many websites, all a thief has to do is crack one code -- your password. Google's two-factor authentication system lowers the chance that your Google stuff can be compromised, because if your password is stolen or guessed, the thief can't access your account without also having your phone.
10/18/12 5:00 AM PT
Horror stories abound of electronic lives compromised by stolen passwords. One of the problems with a password-secured life is that the password is the single element that -- when compromised -- allows access. The User ID isn't protected, nor is any hardware.
Shouldn't there be better methods? There are more secure systems. All you do is add further elements of authentication. This is called "two-factor authentication," and it's been around the computer industry for a long while.
Two-factor authentication uses multiple factors. This usually includes something that the user knows -- the password -- plus something the user possesses -- a phone or smart card. It can also use some information specific to the user, like a fingerprint.
Google has been developing tools that lean on the multiple-factor authentication concept. Its product is called "Google Two-Step Verification," and Google is using it to protect access to its properties, like Gmail.
How It Works
Two-Step Verification forces you to enter a six-digit code, created by Google and sent to your phone. Google reckons that its system lowers the chance that your Google stuff can be compromised, because if your password is stolen or guessed, the thief can't access your account without also having your phone.
Google's Two-Step Verification requires that you opt in. Following are the five steps you'll have to take to set it up.
Step 1: Turn It On
Turn on Two-Step Verification by browsing to Security within the Google Account page using a desktop browser. The Google Account page can be reached by clicking on your User ID -- it's in the top right corner of most Google pages. Click "Edit" and a wizard will launch.
Follow the prompts to set up your phone. Choose "Text Message" as the code sending option -- it's easier. Use "Voice" if you don't receive SMS messages.
Tip: Don't use a landline or Google Voice number.
Select the computer you're using as a "trusted computer" if you trust the people who have access to it. Trusted computers are good to have if you lose the phone.
Step 2: Create Backups
Create some backups on the resulting page. In this case, you should add a backup phone number, like a family member's phone, in case you lose the initial phone. Print out some backup codes for when there's no mobile network available.
Tip: Destroy any backup codes if you switch off Two-Step Authentication in the future.
Step 3: Creat App-Specific Passwords
Create application-specific passwords by clicking on the link. Application-specific passwords are for apps and software that are not compatible with Two-step Authentication and can't ask you for a verification code. Examples are Android phones, mobile Gmail and AdWords Editor.
Enter the application-specific password that you have generated in the password field of the app or device in lieu of your Google account password. You should only have to enter it once. You'll see that it's displayed with spaces -- ignore them.
Step 4: Install the Authenticator
Click on the Android, iPhone or a BlackBerry link and install the Google Authenticator app for Android, iPhone or BlackBerry. This is optional.
The app lets you create codes for new accounts with a device, rather than have Google send them via SMS or voice. It's good if you don't have Internet or mobile network service.
Step 5: Turning It Off
Turn off Two-Step Verification if you don't like using it by browsing to the "Edit" page of Two-Step Verification. It's under "Security" within "accounts." Click "Turn off Two-Step verification."
Tip: Revoke any application-specific passwords you've generated when you turn off Two-Step Authentication. You'll find the "Revoke" link at the bottom of the Application-specific password creation page.
Next time you access that app or application, enter the original password that you used before trying Two-Step Verification.
Want to Ask a Tech Question?
Is there a piece of tech you'd like to know how to operate properly? Is there a gadget that's got you confounded? Please send your tech questions to me, and I'll try to answer as many as possible in this column.
And use the Talkback feature below to add your comments!