Most of the people who read my blog, I think, aren't as technically geeky as I am. This blog post is mostly directed to those of you who don't think about computers, or online security at all (or not much), but who still use the internet for a lot of stuff - like online bill paying and email.
This post is about something called "Two Factor Authentication." Now, before your eyes glaze over and you just close the browser window in dismay becuase I'm getting all geeky please give me a minute of your time. This really is important and it could save you a lot of grief in the future.
Take a second and think about the password you use on your email account. How secure do you think it is? Do you use it on any other account anywhere? I'll bet good money that your password isn't as secure as you think it is and, more than likely, you've used it somewhere else at some point in the past. Maybe even on some site you don't even remember signing up for. That, my friends, is a recipie for disaster.
If you forget your password to any other site how do you normally recover it? Normally you cick on a link and enter your email address and that site sends you a new password or a link to reset your password with. Your bank probably does something along the lines of the second option. So, really, the only password anyone ever needs of yours, in order to access ALL of your online identy including your bank account is your email password.
That's a single point of failure and that's bad - really, really bad.
Yeah, I'm fear mongering. But that's ok because this is really important. You need to make sure your email account is as secure as possible becuase your email account is, for all intents and purposes, YOU on the internet. This is where "Two Factor Authentication" comes into play. Basically, two factor authentication means that when you login to your email address you provide two secret valuesinstead of just one (your password). The first factor of two factor authentication is your password and the second is a special value or code that is generated on the fly right when you go to login.
There are a couple ways this second value can be generated. You might have an app on your smart phone (google authenticator for example) or you might get the code sent to you, on demand, via text message, or you might have a special little key fob that generates a new code every minute that you carry around with you. I'm going to talk about how you use two factor authentication with a Google account today - but I know Microsoft offers two factor authentication (hotmail). I don't know if Yahoo does but, if they don't, you should change email providers to one that does today. Seriously, go do it right now becuase this really is the most important thing you might do online. Ever.
Because the second value is sent to you via your phone the odds are good that nobody else (except perhaps a family member) will be able to hijack your account since other, more malicious hackers, won't have access to both your password and your phone.
Okay, from here on out I'll be discussing the particulars of setting up two factor (or two-step) authentication on Google. All you need is a google account and a phone number (it doesn't have to be able to accept text messages).
- Go to the googe 2-step verification settings page
- Sign in!
- From the drop-down menu, select the country where your phone is registered, and enter your phone number in the box.
- Choose whether you’d like to receive your codes by text or by voice call. You can always change this later.
- Enter your phone number, then click Send verification code to receive a code on your phone. We recommend you use a mobile phone number as opposed to a landline or Google Voice number.
- Enter the code from the text or voice message into the box, then click Verify.
- Next you’ll be asked whether you want to remember the computer you are using. If you check the box, you won’t need to enter a code to sign on with this computer for the next 30 days. Don’t check this box if you are using a public computer or a device that you don’t regularly use to sign in.
- Click Turn on 2-step verification to finish the process! You’ll be automatically taken to your account settings page
At this point you can just stop. You've set it up and you can start using 2-step verification on your google account. However, there are a couple other things I've done to help make sure I can login to my account even if I don't have access to my cell phone (the number I used).
- Install the Google Authenticator App it exists for Android, iPhone, iPad, and Blackbery devices.
- Print out the small ist of one time use codes that are on the 2-step verification settings page and put them in your purse or wallet. Scratch them out after you use them - but only use them if you have no other way to get a code on the fly from Google.
- Add some backup phones if possible.
Please note that if you use Google services with other applications like Outlook that don't support 2-step verification you can generate single use "application-specific passwords" that you never have to remember but which will let your client login and start working with Googles service.
If you have any questions or you run into problems setting up the service just leave a comment or refer to the Google Help on the subject.