Enabling Google Two-Factor Authentication

A high percentage of the questions I’ve received over the years have related to account loss due to hacks or other compromises. Two-factor authentication is one of the best ways to prevent your account from being compromised, even if the hackers somehow get your password.

Exactly how it works and how to set it up isn’t always easily understood. On top of that, what I consider a critical step to maintaining your account access is often overlooked.

So, let’s set up two-factor authentication in your Google account.


The basic setup

We’ll start by enabling basic two-factor authentication — which Google refers to as “2-Step Verification” — using your telephone. Once that’s set up, we’ll have additional options as well.

Log in to your Google account normally, using your existing username and password. I’ll assume you’ve logged into Google Mail, but any Google service should do.

In the upper right, click on the icon that is either an image you’ve previously set, or the default first letter of your email address. Then click on the My Account link.

Google - My Account link

This brings you to the My Account page. Click on Sign-in & security.

Google - My Account page

On the resulting page, scroll down to the “Password & sign-in method” section, and click on 2-Step Verification.

Google - Password & Sign-in Method

The next page (not shown) will include some text about why 2-Step Verification is a good thing. Click the Get Started button near the bottom.

You’ll be prompted for your password again (not shown). This prevents someone from walking up to your logged-in Google session and enabling two-factor authentication without your knowledge.

Next, you’ll be asked for a phone number, and how you would like to receive codes on that number: text-message (SMS) or automated voice.

Google - Set up phone for two-factor

Google requires a phone number for their 2-Step Verification. That phone can be a mobile number or a traditional landline. Choosing “Text message” instructs Google to text you verification codes via SMS on text-capable devices. If you don’t have a text-capable device, or simply don’t want to use it, you can select “Phone call”, which tells Google to use an automated voice mechanism instead. Once you’ve entered your phone number and made your text or phone selection, click Next.

Google will then send you the code via the method you’ve selected, and ask you to enter it.

Google - Enter the code

This confirms that everything is working properly. Enter the code and click Next (just off the bottom in the image above).

Assuming everything worked properly, you’ll be given the opportunity to actually turn on 2-Step Verification.

Google - Turn on 2 step verification

Click Turn On, and your account will now be protected using 2-Step Verification, aka two-factor authentication.

The often-overlooked critical next step

One of the most common questions I get when discussing two-factor authentication is “What if I lose my second factor?” Indeed, what happens if you lose the phone we’ve set up above? Unless you can replace it quickly with the exact same phone number, you won’t be able to log in to your account on new devices.

That’s why this next step is so critical.

After you’ve turned on 2-Step Verification, you’ll be taken to a summary page displaying your current 2-step settings. Scroll down to the section labeled “Set up alternative second step”, and under the item “Backup codes”, click on Set Up.

Google - set up alternative backup codes

Google will immediately display a set of ten backup codes. (Yours will, of course, be unique to your account.)

Google - backup codes

Save these codes somewhere safe!

The Download link will download the codes as a text file to your computer. The Print link will let you print a copy of the codes to paper. Regardless of which you choose, save the result securely. (I keep my downloaded copies in an encrypted vault, for example.)

Here’s why these codes are so important: each code can be used exactly once in place of your second factor, should you ever lose it. Given how common it seems to be to lose phones, I’m surprised Google doesn’t stress creation of these codes more. I consider them critical.

If you ever lose your backup codes, you can return here to generate a new set to replace the old, but only if you’ve successfully signed in first.

Other two-factor mechanisms

You may notice additional two-factor options besides backup codes.

  • Google prompt – If you have a compatible phone linked to your account, that phone can simply ask if it’s you logging in, to which you respond either yes or no.
  • Authenticator App – Google Authenticator, or a compatible app such as Authy, can be linked to your account so that you simply type the code currently displayed by the app. The codes look random to anyone without the secret, yet the app and Google’s servers agree on them, because both derive each code from a secret shared when the app was linked and the current time. One benefit is that the phone needs no connectivity at all.
  • Backup Phone – You can specify a separate additional phone to receive two-factor codes.
  • Security Key – These are devices, such as the YubiKey, that act as a physical second factor that must be attached to your computer to authenticate.

Personally, I rely on Authy as the easiest approach to second factor, with the bonus that it doesn’t matter if my phone has any connection at all when needed.
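To make concrete how an authenticator app stays in step with Google’s servers without a connection, and why a backup code works exactly once, here is an added example (not Google’s code and not from this article): a minimal RFC 6238 TOTP check beside a one-time backup-code store. The secret is the published RFC 6238 reference test key; the 8-digit backup-code format and the hashed store are assumptions for illustration only.

```python
import base64
import hashlib
import hmac
import secrets
import struct

# RFC 6238 reference test key ("12345678901234567890" in base32), not any real account's secret.
# In practice this is the secret Google shows as a QR code when you link an authenticator app.
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret_b32: str, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP: app and server each compute HOTP over the current 30 s window.
    No network is needed; the shared secret plus a roughly correct clock is enough."""
    return hotp(secret_b32, now // step)


def verify_totp(secret_b32: str, code: str, now: int, step: int = 30, skew: int = 1) -> bool:
    """Server-side check: accept the current window plus +/- skew windows of clock drift,
    comparing in constant time so timing does not leak which digits matched."""
    return any(hmac.compare_digest(totp(secret_b32, now + d * step, step), code)
               for d in range(-skew, skew + 1))


class BackupCodes:
    """One-time backup codes: the server keeps only hashes and deletes each on first use."""

    def __init__(self, count: int = 10, digits: int = 8):
        # Plaintext codes exist only at generation time; this is what the user downloads or prints.
        self.codes = [f"{secrets.randbelow(10 ** digits):0{digits}d}" for _ in range(count)]
        self._unused = {hashlib.sha256(c.encode()).hexdigest() for c in self.codes}

    def redeem(self, code: str) -> bool:
        """Return True exactly once per code; a replayed or unknown code is rejected."""
        digest = hashlib.sha256(code.replace(" ", "").encode()).hexdigest()
        if digest in self._unused:
            self._unused.discard(digest)
            return True
        return False

    def remaining(self) -> int:
        return len(self._unused)
```

The TOTP values for the test key match the tables in RFC 4226 and RFC 6238 (for example, 287082 at Unix time 59), which is the same check an authenticator app and the server perform independently.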

13 comments on “Enabling Google Two-Factor Authentication”

  1. Thought I’d mention that if you’re a Microsoft Outlook user, 2-factor authentication will initially break the connection to your Gmail account. The fix is not obvious, but you will need to use another Google sign-in feature called “App Passwords.” This page has clear instructions: https://www.msoutlook.info/question/902

  2. I tried the 2 factor verification code previously. I have just tried again. The problem I have is that once it is set I cannot use Gmail. I get a pop-up to verify my email address and password every time and I cannot send emails. I am using Outlook 2013. I have tried using the Outlook repair for the email account but that will not work either. Now, I know why I did not have the verification set already!

    • You need to set what’s called an “application password”. I’ll do a more detailed article about it at some point, but the bottom line is in Gmail, in your Google account, look for application passwords. Google will create the password for you. These are used for programs and devices that can’t do 2-factor. Use that password when you configure Outlook instead of your normal one.

    • You need to add what’s called an “application password”. Look in the Gmail help and Google Account help for the details. I need to write an article on this.

  3. Paypal 2-factor authentication has a serious flaw. If you use 2-factor authentication after the normal username/password Paypal sends you an SMS message with a one-time 6 digit code. So far so good. If, however, you use Paypal to pay for an Ebay purchase (this is almost universal) and select the “Quick Pay via Paypal” on checkout then Paypal gets charged for the purchase with NO FURTHER ACTION on your part. This vulnerability has been there since at least 2014 according to this link: http://tinyurl.com/mvltpdt. The upshot is if your Ebay account is compromised (and Ebay doesn’t offer 2-factor) and you’ve selected the quick pay option (it’s a sticky option) then Paypal login is bypassed completely whenever you make an Ebay purchase!! If you can take over an Ebay account with this option enabled you can buy anything you like at any price and charge it to Paypal.

  4. Leo, you wrote: “If you ever lose your backup codes, you can return here to generate a new set to replace the old, but only if you’ve successfully signed in first”

    If I am reading the above correctly, then: If my phone gets lost or stolen, the thief can login with my phone and change both my password and my backup codes. If the thief does this before I realize my phone is missing and before I call the phone company to disable my SIM card, then the thief has access to my account even after I terminate my phone service.

    So I am locked out of my account while the thief still has access.

    • That is correct. There is no such thing as PERFECT security. However the chances of a hacker in another country – the more common type of account hack – actually stealing or having access to your phone is nearly zero. Similarly if someone randomly picks up your phone they’d have to somehow know it was associated with your account. In either case you have MORE security with two factor. Of course someone could target specifically you – both online (password) and physically (phone) – but that’s extremely rare.
