Please turn on two-factor authentication

You should read Mat Honan’s heartbreaking tale of a hack attack and the ensuing discussion on Techmeme. Much of the story is about Amazon or Apple’s security practices, but I would still advise everyone to turn on Google’s two-factor authentication to make your Gmail account safer and less likely to get hacked.

Two-factor authentication means “something you know” (like a password) and “something you have,” which can be an object like a phone. Here’s a simple video about how it works:



I often hear the same questions or objections when I recommend two-factor authentication. Jeff Atwood has done a good job of debunking common misperceptions; check out his post, which even has pictures. But here are some misconceptions that I hear, along with the reality:

Myth #1: But what if my cell phone doesn’t have SMS/signal, or I’m in a foreign country?
Reality: You can install a standalone app called Google Authenticator (it’s also available in the App Store), so your cell phone doesn’t need a signal.

Myth #2: Okay, but what about if my cell phone runs out of power, or my phone is stolen?
Reality: You can print out a small piece of paper with 10 one-time rescue codes and put that in your wallet. Use those one-time codes to log in even without your phone.

Myth #3: Don’t I have to fiddle with an extra PIN every time I log in?
Reality: You can tell Google to trust your computer for 30 days and sometimes even longer.

Myth #4: I heard two-factor authentication doesn’t work with POP and IMAP?
Reality: You can still use two-factor authentication even with POP and IMAP. You create a special “application-specific password” that your mail client can use instead of your regular password. You can revoke application-specific passwords at any time.

Myth #5: Okay, but what if I want to verify how secure Google Authenticator is?
Reality: Google Authenticator is free, open-source, and based on open standards.

Myth #6: So Google Authenticator is free and open-source, but does anyone else use it?
Reality: Yes! You can use Google Authenticator to do two-factor authentication with LastPass, WordPress, Dropbox, Gandi, Amazon Web Services, Drupal, Stripe, Tumblr, DreamHost, GitHub, and Evernote, or even use a YubiKey device. There’s even a Pluggable Authentication Module (PAM) so you can add two-factor authentication to any PAM-enabled application. That means you can use Google Authenticator to add two-factor authentication to SSH, for example.

One last tip: use a different password on Gmail/Google than on other services. If you reuse a password and a hacker cracks into one company, they can use the same password to crack into your Google account.

Please don’t wait to turn on 2-step verification. It’s not that hard, and it will really protect your account. Why not set up two-step authentication right now?

Added August 26, 2012: Dropbox added support, so I included a link above.

96 Responses to Please turn on two-factor authentication

  1. “You create a special “application-specific password” that your mail client can use instead of your regular password.”

    Doesn’t it kind of defeat the purpose? An attacker can simply use this password to access my information with 2-factor authentication.

    He may not be able to delete the account, but he can delete my mails and stuff, so this is like a big hole on the shield.

    • Hi user, a few quick things. First, if you weren’t using an application-specific password, you’d be using your real password. So the two-factor solution is no less safe. But also, when you create the application-specific password, Google shows it to you once and then never shows it again. So you type it into your mail client, which hopefully protects your password as well as it would protect your regular password. Finally, you can revoke the application-specific password at any time. That will cut off access to your account from that program without affecting the rest of your account.

  2. great post. I learned a few things. Though, still there’s some inconvenience with the 2-steps auth, but overall worth it.

    • I set my browser to delete cookies and other data when I quit. That means, every time I relaunch the browser (Chrome), even to update Chrome, I have to re-login to Gmail (through that phone message).

    • I use Thunderbird too as a backup of my email. Every time you launch Thunderbird (e.g. Windows restart), you have to go to a special Google page to get a new throw-away password.

    • Other apps (such as Google sync) have the same inconvenience as using Thunderbird. Each needs a special throw-away code.

    I turned on 2-step auth last month when, for mysterious reasons unfathomable to me, Google warned me that my account might be hacked by some state-run org.

  3. I’ve used two-factor authentication for some time. Stopped using it because of the ‘turn around’ with external services for Gmail on smartphone and tablet, or apps that use a Google account, like external RSS readers for Google Reader. Made several application-specific passwords and renewed them from time to time. It wasn’t the best hobby.

  4. I turned it on after you tweeted about the video and the common objections. It sounded like a pain before watching the video, but is easier in practice than I anticipated. My only issue so far is with Chrome Sync. I assume I use a different application specific password for each PC’s browser, but sync doesn’t seem to work. It says it’s syncing, but doesn’t update bookmarks and possibly others. All in, for a little extra effort, it’s worth it IMHO. Just remember to get the app and write down some backup codes.

  5. Does Chrome support Google’s two-factor authentication yet? I’d be a lot happier if I didn’t have to have application-specific passwords hanging around on every computer I use regularly – seems like they’d be easy fodder for targeted malware.

  6. Thanks for the double twitter alert on this option. I didn’t know it existed before. I just signed up! I feel safer already 🙂

  7. Good to see you promoting this Matt (here and on HN). For those that are complaining about, or are put off by the minor inconveniences – think about the major inconvenience of being hacked. While not all stories are as dramatic as Mat Honan’s, they are still becoming more and more common. You insure your house, car etc – think of this as insurance of your identity.

  8. @Edward: exactly. Chrome knows about two factor authentication, because it asks specifically for my application specific password, and yet it doesn’t support it. Why not?

  9. Google 2-Factor does not really support Yubikey; what it supports is an ineffective workaround:
    http://binaryelysium.com/blog/2011/12/13/a-reluctant-relationship-yubikey-google-authentication.html

    The problem with this workaround is it requires a helper app (Windows) or Python script (Linux) to be available when authenticating, which eliminates the ability of users to use Yubikey in connection with Gmail 2-Factor while at a public workstation etc.

    Google should just natively support Yubikey 😉 I’m sure there is a Googler who would love to implement this in his personal project time.

  10. Matt, I saw your tweet earlier today and read about 3 letter Mat story… too bad that his twitter account was the target but he lost everything…

    I have immediately activated my 2-step verification. Thanks for the highlight.

  11. Good post. I turned on 2-factor authentication on my Google account when it first came out. It’s funny reading this because I just called Amazon a week ago because someone got my password and tried to order a gift card.

    They suspended my Amazon payments account and when I called to get it restored, I asked them about 2-factor authentication and the guy didn’t even know what that meant. I’m sure he was just a customer service person, but it’s something that really needs to be addressed by huge companies other than Google.

    As for application specific passwords, I would feel more secure if there was some way to have a password automatically be revoked if it’s not being used by the intended app. For example, if you create one for YouTube, then I’m sure Google must know which third-party service is trying to use that password correct? If you could specify which application-specific password went with which third-party service, you could block it if it suddenly starts being used somewhere else (like from a web browser).

    With so many apps needing application specific passwords, it just seems that the password could be stolen somehow while being sent across the Internet in clear text, which is not likely for most apps, but maybe some small time developers don’t use proper encryption.

  12. I also have one question…if you were to log into a Google account via a web browser using an application-specific password, do you have full access to the account? In some ways you’re still protected right because Google will ask you for your main password if you try to change any account setting. Is this correct?

  13. It’s good, but I think it is really exhausting for users to do these things. But in general it is a good and well-secured technique.

  14. I’ve had it on for a few weeks now, and once it’s set up I barely notice it. Only a few seconds at work when I have to enter my authentication code.

    Easy and makes me feel much better 🙂

  15. Hey Matt. I like the double security but I have a small problem. I am using Gtalk as my primary messenger to stay in touch with friends, but after the two-step authentication it’s really annoying to create a one-time rescue password every time. Is there any solution out there?

  16. Please stop calling the result of the Google Accounts password generator ‘application-specific passwords’. These passwords are not application-specific, they are simply Google-created passwords with a user description. In addition, these passwords are usually less safe than those created with a common password generator – they have only a length of 16 characters and consist only of lower case alphabetical characters and numbers. If anyone collects one of your ‘application-specific passwords’, full access to all your Google services on channels without 2-factor authentication is possible – and there are still many such channels, even Google itself has not fully implemented 2-factor authentication so far …

    Good recommendation, however, with regard to the printed one-time rescue codes. In a situation where you have no access to any of your devices, that is your only hope – if you still remember at least your most essential passwords including the password for your Google account.

  17. On Chrome:

    Once you have activated 2 factor auth, you need two passwords for Chrome: Your normal password and the one-time password consisting of 4 by 4 alphanumerics. Or, you could just sign in to Gmail, and Chrome will ask if that Google-account should be enabled for Chrome. At least that worked for me the day before yesterday.

  18. Application-specific passwords can NOT be used to log in via the web interface.

  19. I don’t have much to add, except that I already use 2-step and while a slight hassle, it is absolutely necessary. What I really came here to say is that every time I see your name printed, it freaks me out because I think for a moment that *I* made the post/article/whatever. So, thanks for that. I hope you’re happy that you cause me momentary confusion on a constant basis. Thank your parents, too.

  20. I just turned two-factor authentication on and it forced me to set “program specific” passwords for like 10 different apps and seriously messed up my phone. I had to deactivate it. What’s with the hassle?

  21. Christoph Wagner

    @Aseem Kishore, yes that is correct.

    I’ve been using 2-factor auth pretty much since they started it. Via SMS on my E71, now with Google Authenticator. I love it :) Chrome Sync works flawlessly for me. But I guess if you use a mail client on an insecure PC/laptop it’ll be annoying, as Xah Lee mentions. I only use web access on my laptops so I don’t have that problem, but for others it could be a big problem.

  22. Good advice.

    I have, though, found Android device enrollment a tad less than obvious when two-factor authentication is active. Maintaining the same set of Google Authenticator accounts on multiple devices is also a bit cumbersome.

    However, the added security is well worth the extra effort.

  23. Is there a way to use a separate hardware device? (Please.) Using my phone as the second factor is nice, but my phone is vulnerable to theft because of its value for resale.

    A sealed gizmo that shows a number just looks like an el-cheapo souvenir. Without knowing my username and password too, it really is worthless.

  24. Maybe you can answer a question I always had about 2-factor.

    What happens once you run out of the 10 one-time rescue codes? I’m nearly running out. I often need to access my Google account but don’t have Authenticator on my own phone nearby.

    Ideally I’d like to have several Authenticators linked to one account, but it’s only possible to have one.

  25. Hey Matt.
    Regarding Myth #4.
    It would be nice if Google would lock up those “application-specific password” to the protocol/signature that was used the 1st time to login with it.
    For example if I created such a password and connected to IMAP, from that point on, allow that password only for IMAP connections. Or if it was used with some web app/service that does not support proper 2-factor auth, record its user-agent or some other unique fingerprint.
    That way if such a password gets leaked, bad guy won’t be able to use it to login online and take over my account.
    Ability to delete such passwords is great, but it is my understanding that the time between passwords leaking and losing control of your account is very small, so you might not even have time to delete a compromised password.

  26. I appreciate that you’re trying to make more rigorous authentication clearer for people who would otherwise not use it. But I would suggest that you’re rather simplifying the problems that come with two-step authentication in its current incarnation(s). And the expectation gap between the sales pitch and the reality can in itself turn people off: it certainly did for me.

    Without wanting to get too combative, here’s a summary of your myths, and the consequences of your proposed solutions, based solely on my own personal experience.

    Myth #1 consequence: if you don’t have a smartphone, or if you’re on an (old?) Symbian device, you’re still screwed when your signal drops (Three mobile, anyone?)

    Myth #2 consequence: there’s your social attack right there, surely, for lots of your online services; your keys to your inbox are now in your wallet, so you’d better keep it safer than safe. My mum puts her bank PIN number on a post-it note; I think she’s crazy.

    Myth #3 consequence: when Google Mail’s servers receive a software update (or maybe based on the phases of the moon), as far as I can tell you often get logged out, regardless of your “keep me logged in” checkbox setting. Whatever prompts this, it happened so often at work that on its own it forced me to turn two-step off. And I have to log out and into a machine in the conference room every few days during meetings; that’s a shared machine with no checkbox (nor, coincidentally, any mobile signal.)

    Myth #4 consequence: see Myth #2.

    Myth #5 consequence: see Myth #1.

    Myth #6 consequence: the original myth #6 wasn’t actually a myth, so it’s quite hard for me to tackle in this format; but I would say that the point made is only relevant if you rank security of implementation based on popularity of use.

    I love the idea of two-step authentication but I do wish it didn’t rely on either (a) good mobile coverage/smartphones (rewarding people who spend more money on technology) or (b) writing things down and keeping the result in my wallet (rewarding people who keep their wallet on a chain round their neck.) Without resorting to the creeping horror that is dongles with keypads (thanks, HSBC!), I have no ideas myself of how to do this better, though. I’d love to hear if anyone does.

  27. I tried it, but Chrome kept asking me to authenticate every few days. It was a massive pain in the ass. I use Chrome to keep my bookmarks synced between home, work, and mobile. I won’t go back to 2-factor until Google makes Chrome play nicely with their 2-factor authentication.

  28. Matt, this is never gonna take off until Google finds a way to make it easier to implement for *normal* people, not engineers and not industry people. I can barely get clients to keep from making their passwords “1234” now as it is. As for me – I have 17 Google accounts (my own and my clients’) to keep up with, six computers and four mobile/tablet devices. The 2-Step method may be secure, but it’s still WAY too complicated and time consuming. The first time I tried it, I was locked out of key Google products for several days before I got them all turned back off. You guys can make cars that drive themselves and Google glasses; you oughta be able to come up with a more intuitive way to secure accounts.

    When you make something that my 81 year old mother can work her way through to protect HER Google account (yes she has one, and she’s actually pretty proficient technically – but this is way out of her league) *then* you’ll have something.

    (I suppose that’s not to say you shouldn’t be pushing this now, since it’s the only solution at the moment. But it definitely needs work; all the more so because so many “normal” people have Google accounts now.)

  29. How does this affect websites that I allow to authenticate via my Google account? For example, I don’t have a Stack Overflow account – I just log in via Google. I would assume that for those applications I simply continue to authenticate at Google with my password and Google will prompt for my 2FA key when appropriate (every 30 days)? Correct?

  30. Two factor authentication is nice in principle, but you just need an alphanumeric string to set up Google Authenticator, that’s nothing more than another password, think about it as a complex security question. It can be guessed, stolen, you name it…
    Additionally application specific passwords are pretty weak, fixed length, no uppercase and no numbers unless something was changed, and you just need one of those to access a mailbox via IMAP and reset the password of a linked account.

  31. Very true, very useful. But what I most notice here, is that even in Google produced videos, you’ll show an iPhone and not an Android Phone.

  32. I’ve tried setting this up before and failed. I just tried again with the same result. The problem:

    * I have my domain hosted on Google Apps
    * When I try to enable two-factor auth from the link in your FAQ, I get an error that says “The administrator for [domain] has not granted you access to do this.”
    * When I log into admin, I can’t find this setting anywhere.

  33. Google could do a major service to users by improving the instructional help for living with two-factor authentication.

    We live in a tech bubble and do not realize that this can be daunting for the average user. Perhaps video FAQs with screen recordings of various activities (such as adding application specific passwords.) These videos could be put in context with the error messages so users could understand what’s going on.

  34. The one issue I have with turning on two-factor auth is that there doesn’t seem to be a way to do so without essentially associating a phone number with my google account. Yes, I understand I don’t need to use a phone *after* I’ve set up two-factor authentication, but it appears to be required for the set-up of it in the first place.

    I’d love to be using two-factor. I know it would help me sleep better at night. Much like using a pseudonym does. The moment it’s possible to set it up without needing to give Google my phone number, or other information that breaks my pseudonym, is the moment I turn it on.

    Am I missing something? If there *is* a way to turn this on without providing my phone number, please say so!

  35. I’ve been using two-step authentication for Google for about 3 months now and it’s really not that painful. Setting up iOS devices (blog readers, mail apps etc.) takes some time, but once your application-specific password is set up you don’t really have to do it again.

    The management of app-specific passwords is really easy too.

  36. I’ve used Google’s two factor authentication for a little over a year. My opinion is that it’s awesome and I do feel that my account is more secure. I currently have 34 “Connected Sites, Apps, and Services” and 15 “Application-specific passwords”.

    It isn’t always easy to use the two factor system and I’ve run into a problem only once. The Google Latitude app on my iPhone will not work. I’m not positive it’s because of two-factor authentication, but the problem is security related.

    TL;DR: Two-factor authentication is awesome. I’m happy with it for ~1 year. I recommend it.

  37. There is no f*cking way I’m handing over my cellphone number to Google.

  38. For those of us who clear cookies after closing browser session, this is a major pain. If Google could solve that one, I am in for it. It’s a great application.

  39. This is a very nice feature, but IMHO Google (as most of the time) missed the point of its users.

    The process is complex (and I really believe it should be when it comes to security), but the problem is that the most vulnerable users (the ones that pick easy, same passwords for everything) are the ones that are not going to go to the trouble of such a cumbersome process. Imagine trying to explain to your dad that now he needs a 2-step process, plus adding every single app that he may use into this?

    Once again google proves that it has no idea about user experience (wave, buzz, +, android) are all good examples of that.

  40. Thanks for raising the visibility of this, Matt. If you’re looking to protect any other systems with two-factor authentication my company, Duo Security, offers 2FA-as-a-Service, which is completely free for under 10 users. You can sign-up and add 2FA to your SSH logins, WordPress, VPN, and others.

    Google Ventures backed us earlier this year to help in our mission of democratizing two-factor authentication. Sure, we have a business to run, but we really don’t want cost or complexity to put the long tail of smaller sites and services “below the security poverty line”. —Wendy Nather, 451, https://www.451research.com/t1r-insight-living-below-the-security-poverty-line

  41. People don’t seem to understand how one-time passwords work. “One-time” means that the password will work once. When you generate one, as soon as you use it to sign in with a particular app from a particular computer, it won’t work for any other app on any other computer. So if I create a one-time password for Adium on my work computer, if somebody manages to brute-force or capture it after that, it won’t do them any good. It won’t work anywhere else. That’s the point. In a case like that if your one-time password got logged with a keylogger for example, the damage would be minimized because the attacker couldn’t then use it to log in from their own machine. You also have the ability to revoke these one-time passwords if, let’s say, you write down some extras and put them in your wallet. If your wallet goes missing, you can log into your account and delete them.

    People can speculate about security problems with Google’s 2 step authentication, and it’s not bulletproof, but at the end of the day you’re much less likely to have your account compromised. If you think that occasionally taking an extra minute to wait for, then enter your secondary authentication is more inconvenient than having your account compromised and losing all of your data, then don’t use it. Hopefully Google can make things simpler for people at some point, but in the mean time, they’re doing more than most other companies to protect their users.

  42. I respect your opinion, Matt — but this authentication process can fuck things UP. I wish I could go back two hours, to having some respect for Google. What a nightmare you created!

    I also hope someday to be able to get my mail again with Thunderbird. I really, really hope for that. Maybe even on my Samsung Infuse — although that seems like a distant dream now.

    God Almighty, I regret falling for all this FUD bullshit.

  43. If the extra 30 minutes it takes you guys to get stuff working after turning this on, and the extra 5-10 minutes a month you might spend generating application specific passwords and re-authenticating devices is just too much hassle for your extra layer of security, then don’t use it. But when your account is compromised, you’ll have yourselves to blame.

  44. If I connected my Google account to anything of value, I’d consider doing this. However, I don’t use gmail and never plan to start, I don’t use any services involving money, and I don’t save any personal information in it. I only *have* the account for a few reasons: so I can set persistent Google search preferences, so I can subscribe to YouTube channels, and so I can view the occasional bit of content on Google Docs or Google Groups.

    Given that, I really wish Google would *stop* pestering me for a phone number that I have no intention of ever providing.

  45. I have not used two-factor with Google largely due to privacy concerns. What is Google’s privacy policy with respect to Two-Factor Authentication? Exactly what data is gathered by the app, and how (and how long) is it kept and used?

    When I last checked, I could not find anything specific and found only the broad company-wide privacy policy, which allows Google to correlate all of my app and web data and activity together.

    As Two-Factor would be an app on my phone, this unacceptably would allow Google to correlate multiple Google accounts, and accounts across Google and other companies, as well as correlate the Two-Factor app to my unique device and other data Google may have about and from my device.

    Is there any assurance of privacy in writing beyond the broad company-wide policy for using Google’s Two-Factor Authentication?

  46. Gary Gapinski’s comment is spot on. I do have two-factor authentication enabled, but upgrading from one Android smartphone to another some months back was an exercise in confusion and frustration. Once multiple devices get into the mix, even just in a transition scenario, things become, in Gary’s (perhaps understated) words, “a tad less than obvious”.

    Also, I’m still not sure I completely understand how two-factor works in the context of an Android device. I assume the whole device is authorized, because I have not had to use any app-specific passwords on Google apps like Calendar or G+.

  47. I just turned two-factor authentication on and it forced me to set “program specific” passwords for like 20 different apps, everything crashed !! Nice try but I’m not in…

  48. I’d love to turn 2-step authentication on, but unfortunately it still doesn’t work in the Isle of Man, Guernsey or Jersey. Matt, you wouldn’t happen to have any timeframe for supporting these regions, by any chance? (Specifically the Isle of Man, in my case – it shares the same +44 region as the UK; land lines all start with (0)1624 or (0)7524, mobiles use (0)7624 or (0)7924.) Thanks!

  49. great article matt! shameless self plug also for our nifty java (win/linux/osx) authentication app for the desktop that we put together a while ago, code is opensource on github: http://blog.jcuff.net/2011/09/beautiful-two-factor-desktop-client.html we use it in production now with our home rolled 2fA radius based clients to front end our hpc login nodes.

  50. Nathan Ferguson

    @Matt Cutts You recommend using a different password for Gmail than on other services.

    I’ve heard many people say they vary one or two characters of a single “base” password. Assuming each variation is a good password — and that the varied character is not obvious (e.g. not “dog1”, “dog2”, etc.) — is this secure enough?

    Put another way, if one password differs from another password by just one or two characters, does this give the hacker an edge, or do they have to crack each password “from scratch”?

  51. Gary Kilpatrick

    I was reading Mat Honan’s story and to me it seems Google could help by not making the recovery e-mail address for any Google account so obvious to figure out to anyone.

    Sure you blank some letters, but it’s usually only on the last name which is obvious to guess. I’ve just tried it with my account and it’s dead easy to guess.

  52. I don’t know why people complain about Chrome bookmark syncing… Chrome syncing works fine for me with 2-step authentication enabled. All you have to do is not encrypt the bookmarks with any phrase key. Use the default password encryption.

  53. I agree 100% with BlackFrank. Besides, if the user is too lazy to be bothered with trying to secure their own information, then they deserve those repercussions.

  54. Myth #2 consequence: there’s your social attack right there, surely, for lots of your online services; your keys to your inbox are now in your wallet, so you’d better keep it safer than safe. My mum puts her bank PIN number on a post-it note; I think she’s crazy.

    No, one of your two keys is in your wallet. If somebody steals your wallet, they still have to guess your password.

    It’s something you know plus something you have. Makes it much harder for somebody to break into your account.

  55. I was using 2-factor authentication till 2 months back, but then I had to change my number which for some reason the 2-factor security page is telling me is invalid, now I have actually narrowed down to the problem, which is my number is new and not yet established as a valid number in your database(or whatever else you’re using to verify numbers) and even this I had to make sure with the help of totally another web service(I am pointing this out cos I was really troubled by this but got no help from Google) which is also probably using the same method as you (and for all intents and purposes I don’t have a smartphone on me at all times so Google Authenticator is not an option.)

    P.S.: Sorry for all those parentheses.

  56. You keep asking to “make it easier.” Well, 2-factor authentication demands you enter your password (something you know) somewhere. That means either typing your password into the browser or into the authenticator app. Then, you must enter the token code (something you have). Anything less, and you are no longer using 2-factor authentication, and are now subject to attack.

    If you are going to wipe out your cookies every time, then how can the browser possibly know you logged in 5 minutes ago? It can’t, so you have to enter the same data.

    Application-specific passwords are a convenience and not part of 2-factor authentication systems. My company doesn’t offer them, but I’m glad Google does. The fact that they are hashed and not recoverable is a good sign. If someone can email your password to you, then it’s a sign your password isn’t really secure.

    When you say this process can mess things up, well guess what? ANY authentication solution can “mess things up,” i.e. not let you in. That’s why it’s called AUTHENTICATION. It can lock out you or someone else if the right info isn’t provided. Just create an application-specific password, enter it into the app, and then it will let you through.

  57. Also see this report analyzing the process in depth: http://www.scribd.com/doc/95267199/Analysis-of-Google-s-2-Step-Verification

  58. When I log into admin, I can’t find this setting anywhere.

    It should be on the Advanced tools tab under the Authentication section. See Set up 2-step verification for your domain.

  59. Sure, two factor authentication is a good idea, but what does it have to do with the exploit that compromised Mat Honan’s account? From what I understand, the attackers exploited vulnerabilities in account recovery; it didn’t have anything to do with the type of authentication he was using (which was much better than average).

    This seems like “burglars are climbing in through windows; make sure your doors are locked” sort of advice.

  60. You forgot to mention that you will spend HOURS getting the apps that use google authentication to work. Each app on each device at some interval will need you to be on your computer to generate one. There isn’t even an app-authenticator app so on my android devices I could just switch, then click or cut-paste or some non horrid and inconvenient typing. You don’t even show the temporary password as a barcode so I could just snapshot it. Or make the same one last 5 minutes so I can do most if not all my apps at once.

    Only if you ONLY use gmail should you do this, otherwise you will keep being locked out of every other google and some other apps. Even google doesn’t use it for all its own apps.

    It has been months if not years, why can’t google make the rest of the authentication secure but not labor intensive.

    This is so inconvenient and annoying, I can’t use it. I wish I could but I can’t spend 3 minutes at frequent random intervals spinning to reauthenticate apps. I turned it back off as soon as it was clear I would be down for HOURS if I left it on.

    Please fix this. Make 2 factor authentication easier and/or more universal. Maybe something like firefox sync. Maybe push, not pull. I don’t know. I just want to authenticate ONCE in one place per device every few days or reboot.

  61. I’d love to turn on 2-factor authentication, but my workplace forbids cell phones, and I need to be able to log into my account when I’m at work. Until there is a way to do this without a portable electronic device, I can’t use it.

  62. In reference to my previous post, I also don’t want to have to carry around sheets full of codes I have to look at every time I want to log in.

  63. I would really like the secondary authentication to expire frequently, maybe every few hours so stealing my tablet would not help. Having 2-factor that lasts for 30 days isn’t secure. And making it painful but sticky for the app or any authentication defeats the purpose. The bias will be to use it but leave things unlocked for as long as possible. It should be easy and ephemeral. It shouldn’t take 2 hours once every month, much less more often, but 5-15 seconds every few hours. That is how tokens work.

    I should have to 2-factor at least daily, have an auth kill switch (one device can deauth the rest but not frequently), but ONLY have to do just the 2-factor once for all apps on a device during that period (and/or have an easy local authenticator – switch, push for an otp copied to clipboard, switch, paste, go if they can’t securely ask the authenticator).
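How the short-lived codes discussed in this thread are generated and checked, as an added example that is not part of any comment and is not Google's code: an RFC 6238 (TOTP) generator and server-side verifier using the defaults Google Authenticator uses (HMAC-SHA-1, 30-second step, 6 digits). The function names, the drift window and the replay check are assumptions of this example; the key is the published RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import struct

# Published RFC 6238 test key (ASCII "12345678901234567890"), not a real secret.
RFC_TEST_KEY = b"12345678901234567890"


def decode_secret(b32_secret: str) -> bytes:
    """Decode a base32 secret as shown during enrollment.

    Authenticator apps display the secret in groups, often lowercase and
    without padding, so normalise before decoding.
    """
    cleaned = b32_secret.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore stripped padding
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC the 8-byte counter, then dynamically truncate."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(key: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of elapsed steps.

    Only the shared key and a clock are needed, so no network is involved.
    """
    return hotp(key, int(at) // step, digits)


def verify(key, submitted, at, step=30, window=1, digits=6, last_used=None):
    """Server-side check. Returns the matched time-step counter, or None.

    window    -- steps of clock drift tolerated on either side (assumption: 1)
    last_used -- counter of the last accepted code for this account; a code
                 from that step or earlier is rejected so it cannot be replayed
    """
    current = int(at) // step
    matched = None
    for counter in range(max(0, current - window), current + window + 1):
        expected = hotp(key, counter, digits).encode()
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(expected, submitted.encode()):
            matched = counter
    if matched is None:
        return None
    if last_used is not None and matched <= last_used:
        return None  # already accepted once: treat as a replay
    return matched


if __name__ == "__main__":
    key = decode_secret("gezd gnbv gy3t qojq gezd gnbv gy3t qojq")
    code = totp(key, at=59)                           # constructed timestamp
    print("code at t=59:", code)
    print("accepted at t=59:", verify(key, code, at=59))
    print("accepted one step late:", verify(key, code, at=89))
    print("rejected three steps late:", verify(key, code, at=149))
    print("rejected on replay:", verify(key, code, at=59, last_used=1))
```

The server stores the returned counter as `last_used` after each successful login, which is what makes a code single-use inside its validity window.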

  64. @user Also, Google does not allow you to log in to the web interface with an application-specific password. So even if someone gets hold of your application-specific password, they cannot use it to change stuff in your account. They may read your mail but as Matt said, you can disable an application password at any time.

  65. For Chrome you have to turn on OAuth authentication in the chrome://flags page for Chrome 21. In Chrome and Chromium versions 22 and up, it is automatic and built in.

  66. Looks like I have to opt in for this!

  67. Doubting Thomas

    Of course, using a mobile phone as your second factor is pretty insecure. In the UK, at least, MNO account identities can easily be transferred to a new phone number with only superficial ID at 3rd party mobile sales shops like Carphone Warehouse or Phones 4 U. This is a common vector for hacking into telephone & online banking accounts, where mobile phone callbacks are sometimes used as an authentication factor or form part of security reset solution.

  68. When are you adding 1-step verification using ARM TrustZone such as the one that I think may be in Samsung Galaxy S3? ARM TrustZone is simpler, faster thus much more secure. I don’t want passwords online anymore, I want a pin code on my ARM TrustZone enabled phone to log-me securely into any website, not just Google stuff, I want Google to manage all my passwords using ARM TrustZone too, and change the passwords so when Gizmodo, Phandroid and others get hacked, I don’t have to spend hours trying to remember which low-security site I want to change my low-security easy password on, Google should auto-generate different hard passwords on every website, every app, for me, all managed for me with my one PIN code on ARM TrustZone on the Android phone I trust. Could we at least know if Google is looking into ARM TrustZone?

  69. Just an fyi, there may be a usability edge case when enabling 2-factor authentication, when people both change their password and enable 2-factor at the same time and need to reconfigure their Android phone. Doing this locks you out of your Android account, and you can’t sign back in. Details:

    My Android (Nexus S) master account is also my primary Gmail account. I just changed that password at accounts.google.com, and then enabled 2-factor authentication.

    The result was, it logged me out of that account on my Android, and requires me to log back in with the new password. However, that fails, with the message “Couldn’t sign in. To access your account you must sign in on the web. Touch ‘Next’ to start Browser sign in”.

    So I hit Next, and sign in via browser, which works, but the next page asks for the authentication code from Google Authenticator. I open Authenticator, get the code, but now there’s no way to get back to the browser.

    Hitting the Back arrow takes me to the home screen instead of the browser login page I was just on, and holding the Home button to see the task-switcher shows no Google Browser in the list of apps I can switch to.

    After much trial and tribulation, I gave up, disabled 2-factor via accounts.google.com, logged into my Android master account successfully with the new password, which was stored, then turned 2-factor back on. Worked fine then.

    Anyway, just a heads up, but that problem will be very confusing if non-techies run into it.

  70. I may be in the minority here, but I don’t really see a benefit to this.

    1) It only applies to Google services, and I don’t see any references to non-Google services.

    2) As others have suggested, it requires us to give up a piece of information (i.e. a cell phone number) that I’m personally not keen on giving out. I don’t have the controls that I do with a VoIP line where I can filter out calls by say NPA if I want to.

    3) I don’t understand why people would use a GMail account as opposed to an email account associated with a domain that they own for business communication. Even personal stuff, I would keep that to a minimum.

    The “why” isn’t overly clear to me here.

  71. After reading this Post I activated two-factor authentication using Google Authenticator for my Google and Amazon AWS accounts. My only regret is not having enabled two-factor auth before now.

  72. @Multi-Worded Adam:
    1. It only applies to Google services because Google is the company implementing it here. Google can’t possibly implement two-step authentication for Amazon, or Twitter, or any other 3rd party. Hopefully other companies will start to implement similar two-step authentication systems of their own for their customers to opt-in to if they’d like.

    2. Why on Earth would you need to filter based on NPA for SMS messages sent from Google that they only send out when you need the pin to authenticate? If you don’t trust Google with your phone number, then maybe you shouldn’t be trusting their service at all. The alternative is to issue stand-alone hardware like SecurIDs which would cost money. If you don’t trust Google, stop using their services.

    3. First of all, you can set up GMail to handle your domain so that your emails still show up from your own domain. But beyond that, most users (believe it or not) don’t actually have their own domains. It’s a convenience factor. It’s far easier to sign up for a gmail address than to create your own domain just for email.

    You are absolutely in the minority here. 2 step authentication isn’t for everybody, but for people using GMail who are concerned about keeping their account secure, this is an added layer of security users have the option to opt-into if they choose.

  73. Nick:

    I know Google can’t implement two-step authentication. The point was that it isn’t a universal solution, which means I’m being asked to provide a piece of information and to create custom authentication pins/etc. to use a single service. That’s excessive.

    The point behind being given the choice to use my VoIP line is that I use my VoIP line as a single point of contact i.e. that my phone line and cell ring simultaneously whenever I receive a call to my VoIP line. I don’t have to give out two numbers to people to be contacted, and if I have an issue with someone spamming me on my VoIP line (e.g. anything from an 800 number), I can block that spammer from both lines. I can’t do that when I have to give out my cell phone directly, so I don’t. I am in the minority here, but I can tell you for a fact that I’m not the only person that does this with a VoIP line. I think we should be able to retain that. I wouldn’t even care all that much if I could give a phone line and hear an automated recording of a PIN for my device, which is something Google is very capable of doing. But we can’t do that.

    I know I could set up GMail to handle my emails from my domains, but I never understood why anyone would do that when most hosts offer a mail server that a user would retain greater control over. Personal emails? Anyone who would be more subject to a hacking attempt wouldn’t be here anyway, so it’s not like they’re going to see it unless someone tells them about it (which probably won’t happen).

    So yeah, I’m definitely in the minority. But I haven’t seen a pragmatic use for this yet.

  74. I cannot stand expiring passwords. They create security weaknesses by forcing people to have to write down the passwords. We need someone to tell the rest of the IT industry to knock it off with them and use things like this. For my bank management I have one of those verisign RSA GoIDs which is a little keychain fob with a number on it that changes every 5 minutes. I have to login with that number, and my password. Unfortunately the bank still changes my password regularly, and also stupidly requires 8 characters (not 8 or more, exactly 8).

    ING Direct, another bank I use, has one of the best login systems I can think of. No password changing, but three steps. First you recognize a picture you picked so you know it isn’t a phishing site. Then you use your mouse to type a pin into a virtual keypad to eliminate keyloggers, then you type in your password (which doesn’t change, so you can remember it).

    For web site stuff I always double bag it. Relying on wordpress or vbulletin or whatever software you use to have security is an exercise in futility. Use their login system, but also put that behind .htaccess password protection. That defeats 99%+ of automatic exploits.

  75. I haven’t done extensive testing, but this is what I’ve seen so far. Application specific passwords are sometimes more limited than to “one application.” The idea behind two factor authentication is that an attacker now needs two things to access your account: Your password and your phone. I think it also gives you the option of managing multiple Google identities from one account.

  76. Hope you’re well. Will this affect login to analytics, checkout and other services?

  77. It’s funny how people bash free tools that are handed to them. If you don’t like this or any other services, do not use them. It is really simple.

  78. “I don’t understand why people would use a GMail account as opposed to an email account associated with a domain that they own for business communication.”

    Hmm….

    A) Because the storage is huge, free, and only has the cost of seeing tiny ads at the top.

    B) Because it’s easy to transition email from another domain to this one (used when I changed ISP providers, and moved all email from my ISP to GMail).

    C) Because the people I do business with don’t really care if my marketing domain is in my email address since everyone uses address books and contact lists automatically from their phones or email systems.

    Going on two years with GMail, the unlimited storage and web-oriented access has made it easy to NOT delete email unless really necessary, and easily search EVERYTHING as needed. Digging up tax records from two years ago out of email, or finding the closing HUD statements on real estate deals is much easier in email than finding it in my never-caught-up paper files.

  79. Hey Matt

    I was reading an article on Yahoo today and I just gotta give you and your web team kudos for the latest organic search results. Since you and your team felt that average Joe website can’t give the proper information and now favor the so called brand authority sites. Your team started giving companies like Amazon multiple listings on page 1 (for the same term) and extensive listings on page 2 etc., for the same term – well Amazon thanks you. Imagine how much more money they made from Google search.

    finance.yahoo.com/news/forget-apple-forget-facebook-heres-184209532(dot)html

    Here are a few comments from that article.

    “But neither one of those companies worry Google executives as much as another that is actively taking money out of their pockets. This company is from Washington, but no, it’s not Microsoft. Google’s real rival, and real competition to watch over the next few years is Amazon. Google is a search company, but the searches that it actually makes money from are the searches people do before they are about to buy something online. These commercial searches make up about 20 percent of total Google searches. Those searches are where the ads are. What Googlers worry about in private is a growing trend among consumers to skip Google altogether, and to just go ahead and search for the product they would like to buy on Amazon.com, or, on mobile in an Amazon app.

    There’s data to prove this trend is real. According to ComScore, Amazon search queries are up 73 percent in the last year. But it makes intuitive sense doesn’t it?
    On mobile, where Amazon has its own app and Google is just a search bar for a smaller-screened browser, the equation tips further in Amazon’s balance.

    The scenario gets even scarier for Google if Kindle phones and Kindle tablets gain ubiquity.

    If you have a Kindle phone, which comes with free movies and books because you have an Amazon Prime account, which also gives you free shipping, why in the WORLD would you ever search to buy something through anything but Amazon?

    You wouldn’t.

    That’s why Amazon is practically giving its hardware away. It’s also why Amazon scares Google more than anything Facebook or Apple are up to.

    Again, since your latest and greatest updates to the algo in pursuit of stomping out so called junk sites, you have opened the doors wider than ever for 1 of your main rivals now in search. I am sure you will dismiss this comment, but Amazon and the gang should be sending you a bottle of champagne for boosting up their profits so much.

    The same thing applies to companies like Yelp and Trip Advisor that I now see multiple results for various searches I have done. What you have actually done is opened up the average user eyes – non internet marketer type, and shown the average internet user that they don’t need Google search. When they want a product, they can simply go to Amazon directly and that seems to be the case now more than ever before.

    As well, as you and your team refine those results to battle junk sites in favor of even more so called brand sites, Google will become less relevant (think hard about this point). I am sure you didn’t intend for that to happen, however, time will tell whether your team are a really intelligent group or you helped the search giant become a 2nd tier search engine in the future.

    It gets better, wait till Apple refines Siri even more (I like my iPhone by the way) and you lose out to more people because they can simply ask the question on Siri and it gives them the answer rather than typing it out.

    Cheers dude

  80. I avoid the 2 step process for 1 simple reason. It gives more data to Google. Less is better when it comes to giving away my personal information. Lots of people talk about how wonderful Gmail is and I do like it overall.

    However, the free email has come at a heavy price in my opinion. I think people should think really hard about giving their cell phone number over to a company that will only use it for one single purpose – to make more money by sending us spammy text messages offering us wonderful deals etc. No thanks, I prefer to keep that out of the reach of Google and any other search engine.

  81. I think if I follow the above approach, no one can crack my account. As a security concern currently, I have provided my mobile number, alternate email id and security question in my Gmail account. Till now, I haven’t faced any problem with my Gmail account regarding security; whenever I find anything I will start using two step verification.

  82. Hardly anyone has mentioned the security ramifications of getting one’s cell phone hacked!

    http://www.geekosystem.com/phone-number-hacked/

    There is an article all about it!

    Quoting from geekosystem:

    “According to Petrillo and fellow expert Don Bailey, the mere digits of your cell phone number can betray your name, your travel itinerary, and your work and home address; it can also allow others to listen in on your voice messages and personal phone calls.”

    You can read the rest of the article at the above link.

    Providing your cell phone to google is just as dangerous as providing the last 4 digits of our Social Security number or the last 4 digits of our credit card number. It all leads down the same road: to identity theft. Isn’t anyone thinking creatively and outside the box here? We are all handing over pieces of our privacy.

    The first thing I did before just automatically and without thinking turning on two-step authentication out of fear, was google “hackers and phone numbers” “hackers and cell numbers” and after reading everything that I did, I am not in any hurry to hand over my phone number to Google.

    I wish there was some sort of two-step process that would not involve giving my phone number to Google but that would render my account more secure.

  83. Dear Matt,

    Too bad the ‘trusted computer function’ works with cookies. It would be great if I could add a ‘trusted ip address’. I wouldn’t get annoyed then when I switch from browsers, use incognito, delete my internet history or just the cookies…

  84. I would feel more secure if there was some way to have a password automatically be revoked if it’s not being used by the intended app.

  85. What about all the apps and services I have tied into Google? I believe I will need to make extra pins and stuff for all of these applications. This will take a lot of time, effort and organization.

  86. Very true, very useful. But what I most notice here, is that even in Google produced videos, you’ll show an iPhone and not an Android Phone.

  87. I am using 2 step verification for the last 2 months and I have amazing sort of experience with it. My Gmail account is very important for me because I am using it for my adsense, blogger, analytics, facebook, freelancer accounts. I have seen a couple of attempts of login into my account from unauthorized places and this 2nd step verification stopped them to log into my account.

  88. I use the 2 step process and I have never received a soliciting phone call from Google, or a text, and as a Google webmaster tools/adwords user they already have my personal info anyways.

  89. After 2 weeks, I still can’t get Google Chrome Sync to work correctly. Because I like to sync passwords, Chrome automatically encrypts the data. However, it uses a different encryption password on each computer/iPad.

    Every time I add a new Chrome Sync device, I have to delete all data from the server and all devices, regenerate a new application-specific password, and then re-apply to all devices (currently 8). Somebody on the Chrome team needs to try dogfooding this.

  90. [fake name…] I have employees/contractors (they do video post production for me.) who post for me on my Youtube [business] account. The YTube account was setup years ago, before logins were merged and two-factor was available. I can’t just “start” a new channel or eMail account. But I can’t use 2F either because others have to be able to post my content. So what’s a person to do?? Wait to be hacked?

  91. Sorry I am a bit late here.

    Well Matt I too agree that 2 step verification is going to provide better security. But still I will not recommend anyone who is using Android to enable step verification. Here is the reason why?

    Once you enable 2 step verification, your existing password for Google account will give Authentication error on Android mobile. So you recommended to use Application specific password. Do you know what will happen if anyone uses Application specific password?

    If application specific password is enabled for Android mobile then the user just has to enter the 16 character code only once. When Google generates Application specific password it says three things.
    1) You don’t need to remember this code.
    2) You have to use it only once.
    3) Spaces do not make any difference.

    Do you know what will happen to an Android mobile if someone forgets it security lock code or pattern? (Also assume that data transfer is disabled on that mobile and no wifi)

    The user has to login via Google account to unlock the mobile. But if you try to enter your regular login password it will reject it because the Google account on your Android mobile only recognizes that application specific password. Do you still remember that application specific password?

    Definitely No because Google already told you no need to remember it. But in this case without that code your mobile will just become useless. So the conclusion is all the three points while generating application specific password are wrong. The modified points here are
    1) you have to remember that application specific code in future if need arises.
    2) You may need to use it multiple times (if you forget password)
    3) Spaces do matter. An extra space will lead to wrong authentication error.

    So if you want to avoid all this scrap please don’t enable 2 step verification.

    This is a severe bug in 2 step verification. Correct me if I am wrong. Waiting for your reply….

  92. Activated it since this post’s publishing date
    and still exploring its features 🙂

  93. I turned off Google two-step authentication yesterday — I want to use two-step authentication but Google needs to fix it so it works without my needing to reset everything all the time (daily or weekly)

  94. “Myth #1: But what if my cell phone doesn’t have SMS/signal, or I’m in a foreign country?
    Reality: You can install a standalone app called Google Authenticator (it’s also available in the App Store), so your cell phone doesn’t need a signal.”

    Wrong. Wrong. Wrong. I already tried before finding this because I am having the exact same foreign country problem. Guess what GA says when you launch it on your phone? Please log in and continue on a computer. That is earthshatteringly unhelpful. That’s basically where I end up with every “help” article.

    I have been at it for two weeks, I have tried the whole answer a bunch of questions thing, which takes 3-5 days. But what you get is a form email saying some version of, this is obviously a robot responding to your help request, and “we” see you are having problems with two step verification. Try logging in and changing your settings.

    Seriously?

    I am done with Google other than Gmail and I am making sure none of my clients ever rely on Drive, Voice, etc very seriously.

    Get. It. Together.

  95. I am still surprised how many users are not using the 2 step verification, it is simple yet secure.
