Do you really think security is too much trouble? That no one is ever going to bother with your accounts? Ask former Gizmodo employee Mat. That could have been you, and it could have been worse. There are several ways to try to protect your online accounts and one of the more important of these is two-factor authentication.
Two-factor authentication is ancient IT technology. If you’ve ever worked in a shop that required you both to show an ID card and enter a pin to go through a door, you’ve used it. As the name suggests it requires you to both show you know something, typically a password, and have a unique item that identifies you. On the Web, two-factor authentication typically requires you have both a password and a phone with its unique number, which can be used as the item.
Since Google played a role in the Honan case and almost everyone uses some Google service or the other–and two-step verification.–let’s go over how to turn on Google’s version of two-factor authentication:
Before jumping in that though here are some other basics. First, don’t use passwords, use passphrases. “Always color outside the lines!” is both much easier to remember and far harder to break than say “Tr)ub4DORm1.”
Second, use different passphrases for each of your accounts. These days, as in both the Honan situation and the, a major reason things went bad was that one password was used for multiple accounts. If you use a different passphrase for each account, you limit your damage to that one service.
And, if you have trouble remembering all those passphrases–as we all do–I suggest you invest in a password management program. I use, and like, LastPass myself. I have many tech. savvy friends, however, who swear by 1Password.
Got all that? Good.
What Google two-step verification adds to your security blanket is to get access to your Google account and all its services is that to break in a cracker needs not only your password but your phone as well.
Here’s how to set Google’s two-step verification up. The first thing you’ll need is a phone that will accept anonymous SMS (aka text) messages or voice calls. You’re going to need that because Google uses your unique phone and its number as its second factor. Google recommends that you use a mobile phone number as opposed to a landline or Google Voice number.You can use either, but I suggest you don’t use a Google Voice number since that could trap you in a situation where you couldn’t easily access any of your Google services
Next, you need to sign-in to your Google account and head to the two-step verification settings page. Once there, you’ll need to choose “Using 2-step verification” from the menu. From here, you’ll enter the country your phone is registered I and enter your phone number. You can also choose whether to get your verification code by voice or SMS on your phone. In a matter of seconds, you’ll get a call with your verification number. You then enter this code into the data entry box provided by your Web browser. Your computer will then ask you if you want it to remember the computer you’re using. If you answer, “yes” that computer will be authorized for use for 30-days. Finally, you turn on 2-step verification and you’re done.
Well, not really. You see, you’re not really authorizing your computer,as you might think from the instructions, you’re authorizing the use of a particular Web browser on that computer with 2-step verification. If, like me, you run more than one browser you’ll need to go through this process with every browser. You’ll also need to go through it with every computer you use. Since on an average day I use half-a-dozen different computers that adds up to a lot of time for the initial setup.
Also, while most Google services work with 2-step authenticaiton, not all of them do. Services that don’t support the 2-step authentication dance include:
POP and IMAP email clients such as Outlook, Mail and Thunderbird
Gmail and Google Calendar on smartphones
ActiveSync for Windows Mobile and iPhone
YouTube Mobile on Apple devices
IM clients for Google Talk and Adium
3D Warehouse, Sketchup, and installed applications
Sync for Google Chrome
So, if like me, you use a smartphone and clients for email and IM, you’ll also need to set up application specific passwords. This will not, can not, be the same as your master Google password.
You’ll get these application specific passwords by first giving it a name, such as e-mail, Android, and so on, and then Google will automatically generate a password for you. You then enter this new password in for the application and your application will be good to go. There are also a handful of applications, such as Google TV Gallery, that don’t work with any version of 2-step verification.
From this same page you can also see all the services you’ve authorized to use your Google ID as your identification. So long as you’re cleaning up your security act anyway, you might as well go through the list and Revoke Access to any service you’re no longer using.
Let’s say though that you don’t have your phone, or you’re somewhere without a signal when your laptop’s 30-days of grace are up. No problem. Google gives you two answers.
The first is to download the Google Authenticator app for Android, Apple and Blackberry tablets and smartphones. With this you can generate a PC/browser password. You can also create a batch of ten backup codes, which you can use to authorize a computer.
Is this perfect? No. There’s no such thing as perfect security. A man in the middle attack can still grab your password and your authentication number. And, a good old fashioned people hack led to .
Even so, if you don’t want your personal security disaster you should follow all these suggestions. Yes, setting Google, or any other two-factor authentication, up can be a pain but you’ll be far safer with it than without it.