Have you ever worried that your email account was hacked? I had a scare recently that turned out to be unfounded, but it got me looking into ways to further secure my Gmail account. I had heard of Gmail’s two-factor authentication before, but had only dabbled in it. I now have two-factor authentication activated on both of my accounts, and it is pretty unobtrusive, and adds significant security to my account.
Two-factor authentication is dependent on you inputting a verification code when you log in, in addition to your normal password. When you activate two-factor authentication in your Google account settings, you will need to decide how you will receive this verification code. I use Google Authenticator, an official Google Android app that provides a unique code that is replaced every 30 seconds. The Authenticator app is also available on iPhone, or you can choose to receive the code by text message or phone call. You can only receive the code using one of the methods, however. If you decide you want to try a different method, you must change a setting in your Google account.
So how does it work in practice? When I try to sign in to Gmail, I’m prompted not only for my password, but also for the verification code. You can check a box if you want to exempt that device from requiring the code for the next 30 days.
I then pull out my phone, and open the Authenticator app. The app is simple, and presents you with one code for each Gmail account that you use (and for which you’ve activated two-factor authentication).
Take the six-digit code that appears, and enter it into the Verification Code box on the page where you were trying to log in. You can then sign in as you normally would.
If you’re worried about what might happen if you lose your phone, Google has you covered. From your account, you print out a list of one-time verification codes, and store them somewhere safe. Those codes will work one time, and one time only, but that should at least be enough to allow you to log into your account and change your default method of receiving your code.
For apps that don’t allow you to input a code, such as Reeder on the Mac or iPad, you can sign in to your Google account and generate an application-specific password. You then use that password instead of your normal Google password with the app in question, and it will work for that app, and that app only.
One aspect of the service I don’t understand is how the Authenticator app works without data service. If any of you security gurus know, sound off in the comments. I presume that it either hashes a code, or generates a list of codes every time that it gets a data connection, but those are just guesses.
The only glitch I found with two-factor authentication occurred when setting up iCal on my Mac. I use WebDAV to set up multiple Google accounts in iCal, and got bombarded with password requests after activating two-factor authentication. I suspect I just need to take my time, and methodically create an application-specific password for each prompt, but I’m not sure.
Have you tried two-factor authentication? If not, why not?