A high percentage of the questions I’ve received over the years have related to account loss due to hacks or other compromises. Two-factor authentication is one of the best ways to prevent your account from being compromised, even if the hackers somehow get your password.
Exactly how it works and how to set it up isn’t always easily understood. On top of that, what I consider a critical step to maintaining your account access is often overlooked.
So, let’s set up two-factor authentication in your Google account.
Become a Patron of Ask Leo! and go ad-free!
The basic setup
We’ll start by enabling basic two-factor authentication — which Google refers to as “2-Step Verification” — using your telephone. Once that’s set up, we’ll have additional options as well.
Log in to your Google account normally, using your existing username and password. I’ll assume you’ve logged into Google Mail, but any Google service should do.
In the upper right, click on the icon that is either an image you’ve previously set, or the default first letter of your email address. Then click on the My Account link.
This brings you to the My Account page. Click on Sign-in & security.
On the resulting page, scroll down to the “Password & sign-in method” section, and click on 2-Step Verification.
The next page (not shown) will include some text about why 2-Step Verification is a good thing. Click the Get Started button near the bottom.
You’ll be prompted for your password again (not shown). This prevents someone from walking up to your logged-in Google session and enabling two-factor authentication without your knowledge.
Next, you’ll be asked for a phone number, and how you would like to receive codes on that number: text-message (SMS) or automated voice.
Google requires a phone number for their 2-Step Verification. That phone can be a mobile number or a traditional landline. Choosing “Text message” instructs Google to text you verification codes via SMS on text-capable devices. If you don’t have a text-capable device, or simply don’t want to use it, you can select “Phone call”, which tells Google to use an automated voice mechanism instead. Once you’ve entered your phone number and made your text or phone selection, click Next.
Google will then send you the code via the method you’ve selected, and ask you to enter it.
This confirms that everything is working properly. Enter the code and click Next (just off the bottom in the image above).
Assuming everything worked properly, you’ll be given the opportunity to actually turn on 2-Step Verification.
Click Turn On, and your account will now be protected using 2-Step Verification, aka two-factor authentication.
The often-overlooked critical next step
One of the most common questions I get when discussing two-factor authentication is “What if I lose my second factor?” Indeed, what happens if you lose the phone we’ve set up above? Unless you can replace it quickly with the exact same phone number, you won’t be able to log in to your account on new devices.
That’s why this next step is so critical.
After you’ve turned on 2-Step Verification, you’ll be taken to a summary page displaying your current 2-step settings. Scroll down to the section labeled “Set up alternative second step”, and under the item “Backup codes”, click on Set Up.
Google will immediately display a set of ten backup codes. (Yours will, of course, be unique to your account.)
Save these codes somewhere safe!
The Download link will download the codes as a text file to your computer. The print link will let you print a copy of the codes to paper. Regardless of which you chose, save the result securely. (I keep my downloaded copies in an encrypted vault, for example.)
Here’s why these codes are so important: each code can be used exactly once in place of your second factor, should you ever lose your second factor. Given how common it seems to be to lose phones, I’m surprised Google doesn’t stress creation of these codes more. I consider them critical.
If you ever lose your backup codes, you can return here to generate a new set to replace the old, but only if you’ve successfully signed in first.
Other two-factor mechanisms
You may notice additional two-factor options besides backup codes.
- Google prompt – If you have a compatible phone linked to your account, that phone can simply ask if it’s you logging in, to which you respond either yes or no.
- Authenticator App – The Google Authenticator, or a compatible app such as Authy, can be linked to your account in such a way that you simply need to type the code currently displayed by the app. The code is unpredictable, but nonetheless synchronizes with Google servers using clever cryptography. One benefit is that no connectivity is required.
- Backup Phone – You can specify a separate additional phone to receive two-factor codes.
- Security Key – These are devices, such as the YubiKey, that act as a physical second factor that must be attached to your computer to authenticate.
Personally, I rely on Authy as the easiest approach to second factor, with the bonus that it doesn’t matter if my phone has any connection at all when needed.