How to enable two-factor authentication on your Google account

Brian Ambrozy 6 Mar, 2011 at 5:37pm ET Article published in Tech

Recently Google announced the availability of two-factor authentication on accounts. Two-factor authentication makes your account much more secure by requiring two methods of authentication (one of them being your normal password.) The second “factor” with Google is either your mobile phone or a backup, one-time password generated when you enable the service. Google gives you ten one-use passwords, in a printable little wallet-sized card format. If you can’t get to the internet or lose your smartphone, you have a backup in your wallet or fire safe.

When you enable two-factor authentication, you will log in to your Google account normally; but every 30 days you will be required to dual-authenticate.

This is great news, but in cryptic Google fashion, it’s almost impossible to figure out how to do this on your account. The first thing that they failed to mention is that two-factor authentication is being phased in slowly. Not everybody can enable it yet. Secondly, their user interface for even finding two-factor authentication is horrendous. We’ll try to make it as easy as possible for you.

Here’s the step-by-step breakdown:

1. Download and install the app for your smartphone: Android, BlackBerry, iOS

All you need to do is install the app. The Android version will also require the Barcode Scanner app from ZXing (which is free, and tremendously useful.)

2. Visit the SMSAuthConfig page from Google

This is the part where you get find out if two-factor authentication is available for your Google account yet. If not, try again in a couple of days. They seem to be rolling out pretty quickly.

3. Use the smartphone app to scan the provided QR code

Once you open the Google Authenticator app, you can scan the QR code provided and it will instantly spit back a verification code. Easy-peasy.

Google two-factor authentication screenshot

Scan the QR code with your Google Authenticator app to generate a key

4. Print your backup codes

This may seem trivial, but it could be the difference between a happy day and a nightmare of losing access to your Google account. Don’t be lazy. Print them out, cut them out, and stick them in your wallet or glovebox or something.

5. Set up backup authentication via SMS

In the next step, you can put in a telephone number for SMS. If you ever lose your authentication keys, you can have Google send one to an authorized device via SMS. Again; don’t be lazy! Set this up now to avoid heartache down the line. To set it up, put your number in the box and click “send”. Type in the code they text you. Simple.

Google two-factor authentication SMS backup

Don't be lazy. Do the SMS backup procedure.

6. Set up application-specific passwords

Some Google applications don’t honor the two-factor authentication seamlessly. No problem, you can generate application-specific passwords that protect those apps. It’s easier done than said. Once you turn on two-factor authentication in the final step, you’ll be logged out of your Google account. Log back in using your normal password and your new second factor (the number generated from your smartphone). It will tell you that you may need to create application-specific passwords. The first app I had to do that for was my mobile Gmail.

For the first app, I typed in the name “Android”. It then generated a one-time password. No need to memorize it, you just cut and paste it into the app when prompted for authentication. For my mobile Gmail, I had to type it in one time and now it works seamlessly.

The application-specific password screen

If you need to authorize an application that doesn’t recognize two-factor authentication, you can get back to this page by going to your Google Account page, and clicking “Authorizing applications & sites” under “Security”.

In case you were wondering, I can verify that the Google Authenticator smartphone app does handle multiple Google accounts without any issues. When you pull up the screen, it delineates your accounts and the specific keys for them very clearly.

That should be it. You can choose to be prompted every 30 days, or every single time you login, depending on how paranoid or security conscious you are.

Enjoy your new, super-secure Google account!

Comments

6 Mar 2011 ~ 6:23pm BlackHawk Tried setting this up but they don't accept numbers from PR. Meh.
6 Mar 2011 ~ 6:26pm primesuspect That's not america! USA USA!
7 Mar 2011 ~ 8:05am Shorty Great article Mr Suspect. Shall have a look and see if this works in the UK. I am a 2FA fanboy!
7 Mar 2011 ~ 8:58am primesuspect Thanks!

Blackhawk, even though it won't accept your SMS number, can you still enable it with the print backups?
7 Mar 2011 ~ 10:51am HubertGAM This is very helpful. The more reliant we are on all this fancy ass technology, the more careful we need to be. Thanks B!
7 Mar 2011 ~ 4:55pm drasnor Ok, so now my Google cloud data is doubly safe from the hackers. When will it be it be safe from Google?
7 Mar 2011 ~ 5:42pm Thrax They'll be enabling two-factor tinfoil hats, soon.
7 Mar 2011 ~ 5:48pm drasnor

Thrax wrote:

They'll be enabling two-factor tinfoil hats, soon.

I don't understand this response. With the level of private, personal, or otherwise confidential information they handle on a daily basis it's completely incomprehensible that they haven't implemented some sort of encryption. When I save a file to my hard drive I can reasonably expect that the only people that are going to read it are the ones with physical access to the drive. On the cloud, who knows?
7 Mar 2011 ~ 7:54pm ardichoke They're a company that makes money off of very targeted advertising. If you expect to use their services for free, letting them access your data to market to you better is the price you pay.
7 Mar 2011 ~ 9:43pm BlackHawk

primesuspect wrote:

Thanks!

Blackhawk, even though it won't accept your SMS number, can you still enable it with the print backups?

Nope.
28 Apr 2011 ~ 2:15am primesuspect Hey PSN users. Maybe you should think about this...
28 Apr 2011 ~ 7:59pm ardichoke Should probably also make sure you change any passwords that were the same as your PSN password.
2 Jun 2011 ~ 11:54pm anon This is also available for webOS devices (Palm or now HP). It's called GAuth in the App Catalog and the website is here:

https://developer.palm.com/appredirect/?packageid=com.gregstoll.gauth
3 Aug 2011 ~ 7:36pm jared I can see using the sms backup for this and maybe (really maybe) printing out some passwords and putting them in my wallet. The sms backup would at least let you get a pw if you're in a bind.

I do agree that Google is one of my most important passwords and it looks like it will be even more so in the future. I do absolutely love Google though.
8 Feb 2012 ~ 11:57am android I have been using Blogger for Android for my Blogger site but have been wanting to switch over to WordPress. This is great news!! Thank you!!
6 Aug 2012 ~ 10:51pm Jason If only Mat Honan had read and/or heeded this article.
7 Aug 2012 ~ 12:56am QuadyTheTurnip Maybe it's just me, but I thought that this had existed for years now? (or at least almost one year), as that's when I remember my google account first popping up a message suggesting that I activate 2 step verification.
7 Aug 2012 ~ 2:11am primesuspect It came out in March of 2011
7 Aug 2012 ~ 10:45am Garg Guide might need to be updated. Link to Play store doesn't work anymore, and when I followed the steps, there doesn't seem to be anything that connects #2 to #3. Because of that, #3 is ambiguous. Do I scan the code on this page, or how do I get to the page where it displays my own? There may be a new page or a page redesign since the guide was written.
7 Aug 2012 ~ 11:02am Garg I think the guide could benefit from a screenshot of the page where you do the remaining steps. The red box is where you select, in my case, Android to get the QR code for step 3.

It looks like the steps have changed a little. I don't have a list of steps for Set Up Phone/Add Backup/Confirm like you have in your first and second screenshot.