Google launches two-factor authentication

Google just launched two-factor authentication, and I believe everyone with a Google account should enable it.

Two-factor authentication (also known as 2-step verification) relies on something you know (like a password) and something you have (like a cell phone). Crackers have a harder time getting into your account, because even if they figure out your password, they still only have half of what they need. I wrote about two-factor authentication when Google rolled it out for Google Apps users back in September, and I’m a huge fan.

Account hijacking is no joke. Remember the Gawker password incident? If you used the same password on Gawker properties and Gmail, two-factor authentication would provide you with more protection. I’ve also had two relatives get their Gmail account hijacked when someone guessed their password. I’ve also seen plenty of incidents like this where two-factor authentication would have kept hackers out. If someone hacked your Gmail account, think of all the other passwords they could get access to, including your domain name or webhost accounts.

Is it a little bit of extra work? Yes. But two-step verification instantly provides you with a much higher level of protection. I use it on my personal Gmail account, and you should too. Please, protect yourself now and enable two-factor authentication.

144 Responses to Google launches two-factor authentication (Leave a comment)

  1. This was a fantastic idea. Can’t imagine someone having access to all my google apps.

  2. It’s a step in the right direction. But if the hacker could crack my password, it would only be but a short step to work try every possible phone number or date of birth etc.

  3. a very good move indeed, it will help placing an extra security layer on all Google accounts.

  4. So this is why Google keeps asking for my cell phone number. I’ll have to think about this.

  5. What if I don’t have a cell phone?

  6. thanks sir, for ruling out this feature sometimes back faced problems as it being logged in by another user in some countries and instantly i change my password do the rest of security work to protect my account.
    This feature badly needed. One more thing i like to add is to enable one more feature i.e., whenever you send an email to anyone it will ask you to send it on mobile also.

  7. Sounds like good advice Matt..I noticed it a while back and was a bit annoyed with it, but I get your point..yea it really bites when you get hacked…your sense of security and trust is for a period of time is shaky..

  8. Or I have one but it’s always at home in the charger or under the bed or something because I hardly ever use it for anything but emergencies (assuming I remembered to bring it along when the emergency happened) and it’s just annoying when I keep getting asked for my cell phone or the authentification won’t work because my carrier is Virgin Mobile and apparently that’s weird and I don’t get the text in time half the time.

    Just sayin’ – it’s not necessarily that brilliant.

  9. Jan-Pieter Zoutewelle

    It would be very nice if they would start supporting Windows Mobile 7.
    Love this feature, Google can’t send free text-messages in my country and the mobile verification seems a great solution.
    Sadly I use Windows Mobile 7.

  10. This is a “must have” for power users…… and those who really care about the security of their information. So, I guess that would mean ALL users. Now, I read the thread on the googleblog but I have a question.
    How will this effect allowing 3rd parties such as Buzz, Facebook, Twitter or Friendfeed, etc. from accessing data…. if at all?

    Right, this is for “Advanced sign-in security for your Google account” and since they would be accessing the account wouldn’t they need that 2nd authentication part?

    Or am I just not reading this correctly?

  11. Many thanks to the Google team Matt! I love the simplicity and added security of two factor authentication. My merchant processor offered this option last year after our online credit card account for our software company was compromised. Somehow it adds peace of mind to know online changes cannot be made without my cell phone being called. With the ubiquity of iPhones and Android phones managing our online presence, this type of linkage makes sense on a very intuitive level.

  12. Good article, it’s something some banks use in the UK now, you have your password and then use a device which you put your card into, enter your pin and it generates a unique number (like Secure-ID).

    Does this mean you’ll text me something as part of my account login – I guess I should just login to gmail and find out πŸ™‚

  13. Brian Lane, great question. For applications that want access to something that would normally need your password, you generate a “application password”–a password that that application can use. The password doesn’t expire, but you can see/revoke application passwords from your page.

  14. Is this being rolled out gradually? I do not see this new option under “Security” in my “Personal Settings”.

  15. Sir one more question, does this will be available in Google Apps also (means email id on domain name)

  16. I think this is a great feature and can’t wait to try it. However, it is disappointing to me that I don’t have access to it yet. I realize Google has a huge user base and needs to roll out new features slowly, but I hate reading a blog post that says to go do something now when I can’t. This has been true of almost every significant new feature Google has added (I remember waiting a week for Buzz).

    Couldn’t you soft launch these things where the features are enabled slowly across the user base but the “marketing” begins once it is available to all? How many people never try or enable new features because they can’t when they read about them? As an early adopter, it is frustrating.

    We are working on adding similar functionality to our online banking system and I applaud Google for helping get this out there so users can begin to accept this level of security as commonplace (and necessary).

  17. Hi Matt,

    similar question to above – will be this function available in other countries (for example Poland)? I know what mean “all users” πŸ™‚ but you know how is in real :). Thx for reply and many greetings from Poland.

  18. As someone who travels internationally, and who doesn’t always have his cellphone turned on every minute, this would be an impediment.

  19. I’m not too crazy about this, either. This is one of the reasons I keep my usage of public-domain services to a minimum. I don’t like giving my cell phone out because I can’t rely on my VoIP to screen calls (which is a huge deal for me), and I really don’t like providing secondary email addresses and things like that. I’ll even create different accounts for different purposes, so if one of them happens to be hacked, they get a fractured fairytale of what I’m actually doing.

    The idea of an authentication code doesn’t appeal to me, either. Every 30 days, I have to reenter a code. I’m not going through that kind of trouble. And the code won’t allow me to use my laptop for Google services, since I don’t store cookies on my laptop for any reason whatsoever. So if I want to use my laptop to access Google services, I either have to remotely access another machine or I can’t use it at all.

    Now, I realize that I’m in the minority with the combination of reasons that I have for not liking this (the minority being me and me alone), but some of these reasons would apply to at least some people out there. I guess that’s part of the reason why you guys were at least smart enough to keep this optional.

  20. I would enable it … if I could. Still don’t see the “Setup 2 step verification” link on the right side of my Google Account page.

  21. How does this affect users who have POP/IMAP enabled? It would seem we won’t get much benefit from two-factor web authentication if we have POP/IMAP open.

  22. This is a fantastic idea! I’ve used 2-factor auth at work, and with my paypal account for years. Google is doing well to reinforce to EVERYONE two ideas.
    1) The idea that personal information has value that is worth protecting.
    2) The idea that anything worth protecting is worth protecting WELL.

    Bravo on doing it without requiring any additional RSA or other 3d party hardware too.

  23. Matt, the ‘little more work’ is difficult for those of us who have multiple google accounts. As the multiple account login doesn’t seem two work properly for those of us who have corporate gmail and google apps accounts. I have never fully been able to get it to work with my work account and personal account as a multiple login.

  24. I’ve seen this kind of authentication on online banking only (and I am not referring to PayPal and alike). Local banks use this system with the stupid vasco device and so on. They are good for people who can’t remember a password other then their street, number, birthdate or 123456. For those who can remember passwords like klsJDheUH66702%$2-) why would I waste my time with a 2 step verification.

  25. Certainly additional security is welcome! It may take a small amount of time and effort to setup but the consequences of a hijacked account or hacked passwords can be immense (i.e. Gawker, as you mentioned Matt).

  26. Kyle, this rolling out over the next few days.

    Vivek Parmar, two-factor authentication has been available since September of 2010 in Google Apps.

    Eric Bangerter, it’s tricky to time an announcement and push out a large change across thousands of servers all at once. It takes time to update binaries because it’s a lot of data.

    Krzysztof, I’m not sure about languages, but I wouldn’t be surprised if this rolls out for lots of languages.

    Jason Vagner, you don’t have to have an SMS/data connection. The authenticator can run on its own.

    Brad Landers, you can make an application-specific password for e.g. POP/IMAP and then see/revoke it later.

    Greg Peters, I’m using my Google Authenticator with my work (Apps) account and my home (personal), and it works pretty well. As far as multi-login, I think the rough edges on that will get smoother over time.

  27. How about you make the Android phones include ARM TrustZone, so when we need to login to any website including Google services, that a pin code entry pops up 100% securely on the phone, and as soon as the 4 digit pin code is entered in the phone, the user is logged in. True secure online logins need to be made easier than previous unsecured ones, not harder.

  28. We’ve been using this concept in the DoD for years. To access your machine, you need you Common Access Card (which has all sorts of biometric stuff encoded on it) and a PIN that goes with it. Hackers and crackers need both to access your stuff.

  29. That is soooo logical I don’t know why everyone doesn’t already do it! I guess there always has to be a first and Google seems to be that guy more often than not. I’m going to blog about it tonight. Thanks Google, Thanks Matt.

  30. I think people will reluctant to tie a google account to a phone number (as some of the commenters have said)

    Certainly it doesn’t work at all for corporate users of Google accounts – I cant see our (I work for a major publisher) adwords accounts being tied to an individual employees phone – imagine the scenario one of our adwords guys phone gets nicked and they are locked out of one of our multi million Pound accounts.

    – why not use hardware tokens – the type that WOW use for example for low end users? High end users could opt for RSA Security type cards.

    Some one should have through this through a bit more maybe get Bruce in as a consultant πŸ™‚

  31. great great great, we have tons of important data with google. the more security the better.

  32. Morris Rosenthal


    I don’t have or want a cell phone.

    Why not a land line?

    Or a back-up email account?


  33. Its a great Idea.. Most of the PHP scripts that I use have this feature enabled for the administrative section.. but it makes you wonder.. how many accounts were being hacked that Google created such option?

  34. Is the Google App for iPhone called Google Authenticator? And if you verify by cell phone number, what does Google do with that information? I’m not a tinhat kind of guy, just curious, and I do like two-factor auth for important things (any place where there is an exchange of funds potential – very important (like Google Checkout)).


  35. Matt sounds good to me, always paranoid about account security though I always maintain strong passwords for all accounts, I still feel insecure. Will do two-factor authentication today πŸ™‚ Thanks

  36. I guess Facebook connect will never be a way to authenticate into Google accounts πŸ™‚ Good to know Google is on top of this sort of thing. Securing the web is integral to its growth.

  37. This is a great news….my few freineds has lost their control from gmail account, their gmail account has been hacked. And this unimaginative thing always afraid me, but thanks to you guys for making our personal things more and more secure.

  38. @Chip – The Google App for the Android, BlackBerry, and iPhone is called Google Authenticator.

    @Morris – Google allows you to use a landline or mobile, in addition to the Google Authenticator app – you could switch between SMS & Voice at any time.

  39. Great idea, hate the idea of my applications getting stolen. Thanks for the heads up Matt.

  40. If my android mobile is stolen they could access both my Google account and the sms with the second code making account retrieval thereafter totally impossible.
    Using the landline option means i will never be able to access my account if i am away from that landline. Surely the only safe solution is to either memorise a 13 character password or introduce a pin enabled code generating device similar to the one Lloyds bank give to their online business customers. I did once ask lloyds why they could not simply sms the code to my mobile and they said loss/theft of that mobile posed an even greater security risk.
    I am now torn between the advice given by my bank and the advice given by google which seemingly contradict each other.

  41. @jeff hall
    You can get paranoid about this.
    But you have to secure all routes in.
    On my Android I have a secure password and automatic locking turned on.
    I also pay to run Wavesecure (other products are available) on it so that I can lock or wipe it remotely.

    Generally, yes 2 factor authentication can be a pain but it’s another step in stopping the scumbags getting you.
    I welcome anything that makes it harder to stop them getting into my account.

  42. thanks Paul. I like the wavesecure idea.
    My previous android was pickpocketed in a lift a year ago and the cctv showed just how quick she took it without me noticing a thing. Luckily i changed the google account password before she did but it reminded me that despite being really cautious its very hard to beat a determined thief:-(

  43. Matt Stannard – I have the keypad device for on-line banking too and at first I really hated it. But knowing how difficult it would be for a hacker to get into my account is a big plus and it’s surprising how quickly you get used to it.

    I think anything that improves security has to be good – if my Google account was compromised it would cause me a whole week of problems so I’ll be activating it as soon as it becomes available – we have to wait a while for these things in the UK ):

  44. I have been waiting for this ever since it was announced in September. I checked just now and it is not available on my account. I am a user from India.

  45. I think it is excellent idea. I cannot imagine someone access to my Google Docs.

  46. Hi Matt.

    Agree with you, good idea. However, when I go and try to enable, I am advised the feature will be enabled on my account ‘soon’.

    Has it not been rolled out globally? I am based in Ireland.

  47. Hello,

    Two Step Authentication is simply great. It will defenetly improve Google Account security. I am also one of them who are not able to activate the service right now?

  48. This is a great idea, but probably not the final solution to online security. Still, multiple layers is bound to provide a degree of protection over and above the simple password.

  49. This was a fantastic idea. Can’t imagine someone having access to all my google apps.

  50. This is a cool feature!
    i’m using this security for online internet banking, where i should a generate second PIN using a Token device to do any transactions. And this indeed provides us with a much higher level of protection.
    But i wonder if this 2nd verification can be generate using Windows OS? Not just using Google App for mobile (Android, Blackberry and iPhone) only? Because sometimes, SMS delivery is delayed in my country. And i don’t have Android, Blackberry or iPhone. So if this 2nd verification number can be generate using Windows/Linux OS, that would be great.

  51. This is great news. As a victim of a cyber break-in where I personally lost thousands of dollars
    I can appreciate the desire to set up as high a wall as possible to prevent these occurrences. My bank implemented a rather onerous two-step authentication about two years ago, and while I was initially miserable, trust me, it is well worth the extra steps.

  52. Thanks Matt. A very helpful blog post. I will definitely implement the two level authorization. Securing personal accounts is so important, and this is a very useful tool.

  53. Matt,

    I get this message when I try to set it up: “This is an advanced feature. 2-step verification for this account will be available soon.”

    Looks like its not available for everyone just yet.

  54. I’ve tried to access and want to secure my account but when I try open my account in Google it give me the phrase “This is an advanced feature. 2-step verification for this account will be available soon. ” Just want to ask when would this be available?

  55. Matt,

    The is a very excellent point, recommendation and product. I think Google should also make you change your password every 6 months. Where it is automatic. But I guess this is the way to go.

  56. This is extremely helpful! Google holds on to a huge amount of really private information.

  57. I like it. I’ve started holding important docs in my Google docs as well as backing up an important database there. I like the added security.

  58. I like it. I’ve started holding important docs in my Google docs as well as backing up an important database there. I like the added security.

  59. I am very happy to hear this and I am also of the mind that Google should require users to change their pswds every 3-6 months. Some might complain but as a victim of cyber theft I’m in the camp where you can never have enough security.

  60. I’m in the same position as Michael Martinez. I wondered why google was asking for it and so didn’t supply it. In theory, I think it’s a cracking idea. But I’m always reluctant to provide organisations private information about me that they don’t really need, due to abuses and widescale harvesting of private data that we have seen here in the UK and other European countries. I’ll need more time to think about this – or maybe get a second mobile (cell) just to use that number for two steps.

  61. Nice feature. I worry every day about account hijacking with all the online sites everyone accesses.

  62. Thank you google. We have taken security for granted in the past – only to be biten. It is good to know you are thinking in this direction.

  63. I like the concept and look forward to trying it. Unfortunately, as hackers even become more persistent and sophisiticated, a little extra work will be required on our part to put them out of business (or at least make it harder for them to “earn” a living).


  64. But aren’t users still vulnerable to MITM and other phishing attacks? Aren’t they the major problem these days with account hacking?

  65. This is a great change, particularly for power users. I’m looking forward to it being rolled out to my accounts. I think this is a circumstance where it’s worth a little extra hassle to protect information.

  66. oh God thank you. Google authentication has been a pain in you know what this is much better.

  67. I should thanks Google Team. This was really needed. I am more secure now!

  68. I don’t see the option in my account yet… And for some reason my Google account won’t set the language to English… (YouTube as well – keeps changing the language to Romanian which I don’t like)

    Is the double step autentification available in all countries for all Google accounts?

  69. Having relatives who have also had their accounts hacked I absolutely love this – anything that reduces the possibility of having your account hacked is something I’m delighted to start using. Now that I’m using Google docs the amount of information I would lose if I lost control of my Google account is scary to think about.

    Enabling two-factor authentication is not extra work when you consider how much safer your information becomes – everyone should be enabling this.

  70. I know I will be using this. The more protection the better. Even with “strong” password settings, it seems often that the no-gooders of this world will slip one passed the keeper. Thanks Matt.

  71. Jonathan Quimbly

    Isn’t there another factor that can be used, other than personally-identifying information such as one’s mobile phone number (or one’s Android device ID) ??

    Surely, with all the brilliant minds at Google, there is another option that doesn’t compromise on anonymity?

    OR does Google see a world where the percentage of its users being anonymous steadily dwindles down to zero?

  72. Very similar to Yahoo!’s image verification and to what my bank does.

    I am curious if you all would ever release stats on the number of accounts that get hacked per month.

  73. A great idea that will hopefully become an industry standard for all cloud based apps and storage since more and more businesses are using these tools and the information is both sensitive and critical. I’ve personally had clients that have had their websites and email accounts hacked into and it’s not a fun ordeal to go through not to mention it can be quite costly.

  74. I think this is great – if someone hacked my g-mail account there goes my entire business, pretty much. I can deal with an extra few minutes of the authentication in exchange for not losing my entire business πŸ™‚

  75. I just tried to sign up for 2-step verification and got an error message, “This is an advanced feature. 2-step verification for this account will be available soon.”


  76. I think it is always a good idea to have extra protection options. It is worth the time

  77. It’s been a week and it still says “2-step verification for this account will be available soon.” This is getting a bit annoying.

  78. The amount of passwords you have to keep a log of these days is shocking.
    Two stage verification sounds like a good idea. I know a few membership/forum sites do it now, sending a PIN to your phone when you sign-up and pay, to verify you.

    As long as it is easy enough to request a second PIN, some phones have problems receiving PINS or SMS from websites for some reason. It would be a nightmare if you couldn’t ‘resend’ the information to your phone.

  79. I really like the fact that it protects your accounts when using the same password on other sites.

  80. Hello Mat,

    It’s nice to have the authentication available if wanted.

    Keep up the good work πŸ™‚

  81. I think that this is a fantastic idea and I will be setting it up on my end very shortly. I had a bunch of account problems recently and could have used this then. Its one of those simple ideas that can save us users a lot of headaches!

  82. I have a question. Probably it is not the most relevant place, but I don’t know where to ask.

    Not so long ago Google has enabled required phone verification for all new account holders. Why? In my opinion email account is extremely private thing, and a lot of people including me don’t want to share the phone with anyone without extremely high necessity. I have been using Gmail for a long time already, but after this innovation I have turned my favor to other email providers. So I am wondering whether you will cancel it or not? And if yes, then when can we expect it?

  83. Have it, I started using it as soon as I heard about it. Its definately a step in the right direction as far as email account security goes. Would hate to get my account hacked.

  84. Its a great initiative by Google. And yes, it should be enabled by all.
    But I haven’t enabled it.
    reason being: It feels me to add hurdles to me as well, while signing into Google accounts.

    This 2-factor authentication should be and yes it must be enabled for your secret google accounts like if u are using that google account for your Adsense and if you have secret messages in gmail . But if u dont care for ur hacked account then obviously I will not enable it.

    But yes, I agree that its must and Thanks Google launched it. Atleast I can protect my secret google accounts to sm extent.

    A question here:
    Your database contains anyone’s accounts passowrd. So, can google team hack anyone’s account whether he launches 2-way authentication or not ?


  85. An extra few seconds won’t hurt, especially if it results in a better securit protection.

  86. How about when some phone number are not sent for confirmation
    i mean i really would like to use this security feature, but i never recieved the confirmationw when i entered the cell phone number which is located in Egypt. Am I doing somthing wrong.
    I could really use this feature.

  87. While in theory this is great, and it does help protect people’s accounts, I have a concern, a hurdle if you will.

    That hurdle is my not wanting to give out my phone number, to anyone and not just to Google. In fact I don’t want to give out MORE information of any kind.

    SO, is it possible that in the future this 2-step process includes, you know, two PASSWORDS instead of one password + personal data ?


  88. The extra time required will be well worth it for this new system. Online identity theft is a serious problem and I’m glad to see Google’s efforts to curb it.

  89. Morris Rosenthal


    No post on the ALgo change? My guess is it’s not so good, since my sites are all original content, mainly my books, but are heavily, heavily scraped, and my Google traffic dropped around 30% yesterday. My guess is your algo is having trouble telling the source from the scrapers.


  90. I’d never seen anything about this until I read your blog. Thank you so much for the info! I’m downloading the app right now to my iPhone to get the extra protection right now.

  91. Oh Yes! Thanks to Google. Google always thinks ahead of everyone. I’m going to share this to all my friends and family, because I really don’t like any of my account to be hijacked. I had two times experiences already. It wasn’t nice.

  92. I gotta disagree with Morris on this one. I may be the only person to say this, but whatever you’ve been doing in the last two months…please keep doing it. My Adsense revenues have more than tripled, my clients have all had significant increases in traffic, particularly converting traffic, and everyone is experiencing growth. So keep on the path you’re on until I tell you otherwise, please. πŸ˜‰

  93. Getting my account to be hijacked was one of my nightmares. I guess this solves my problem. Unless the same person steals my cellphone and password in the same time :).

  94. Matt, great idea for the “double password” protection. If my gmail ever did get hacked, my business would be in a world of trouble. Thanks.

  95. Matt,
    I understand the pressure that Google in under, the pressure to stay #1 and especially the pressure from the media.
    However, you have to realize that probably millions of people make a living, directly or indirectly, from Google.
    Technically you owe them nothing and I understand but with that power must come some responsibility.

    Not every page has to be or can be 1000-1500 words.
    Sometimes you just need a small answer, a coupon code, a book name or if you can give your child honey (after 12 months you can, btw.)
    That’s it, simple things that people seek, and if someone works daily on it, why should they starve?
    Having a million empty pages ‘waiting for answers’ and reviews is obviously bad but penalizing every site for
    less than scholarly definitions is not the way to go. Certain sites do not use proper english, so your filters needs to be adjusted.
    Example: headlines like ‘7 Days in Cancun for $500’ at a travel site’s index page are more than enough and all that’s needed.

    Also, you rely on Hacker News visitors to validate the filters through Chrome? Come on, Matt, these are techies and have
    a total different perspective from most normal users.

    In my opinion, too many innocent sites have been caught in this. Sites that people work on daily and are not
    populated by a $100 database with 50 million entries. So please take another look, don’t go from one extreme to another.

    Don’t take it the wrong way, I understand that the spammers are trying to screw with your livelihood too, just be a bit more
    considerate for those that work hard and all of the sudden rules change abruptly.

  96. I won’t be messing around with a phone, for an account I sign into MANY times a day.

  97. Adam,

    I look at it this way. My two sites have been cited by the Wall Street Journal, The New York Times, my blog has been linked by Google Books (a permanent link on Google, maybe that’s what killed me:-). I’ve given permission to groups like the Peace Corp and 4H to use some of my website material (offline only), the self-contained chapters that appear online are from my bestselling books on computer hardware troubleshooting on Amazon, used in college classrooms and by the Department of Homeland Securty. I could actually go on.

    The sites were hit with a 50% traffic loss from from Google in the U.S on Thursday. the onlder one has been online for fifteen years, the newer one for ten. Both sites have been ripped off so often by page and the PDF books without DRM have been ripped off so often that Google has apparently decided that my sites are an article farm. The only problem is that nobody has permission to copy.

    I also fin it amusing, in a sad way, that eHow has more references to my sites than I have pages. Yet they are now beating my pages across the boards.


  98. Thanks for the info! Actually your blog gives more info than google blog! πŸ˜›
    Will download the app! πŸ™‚

  99. Done. Thanks for the “please” which created just enough of a sense of urgency to prompt immediate action!

  100. Excellent information. Definitely need this kind of security in place! Thanks!

  101. Rebecca Herson

    I am very excited about this feature but unfortunately our Israeli cellular operator doesn’t support the Google authenticator application. I tried to browse to and got a message that it is not supported. At least I believe it is the operator that is blocking it.

  102. Nice to see the extra layer of security but does anyone know when this will come into play for Google apps accounts.


  103. Sounds good – a few of my friends/colleagues have had accounts hacked and this certainly affords a higher level of protection.
    Keep up the good work!

  104. Matt – I just tried this and all was going well until I tried to enter my app specific password for Tweetdeck. It just wouldn’t verify it. So I scrapped the whole thing for now. Cool in concept but it’s not fully working at this point (even if it’s Tweetdeck’s fault and not Google’s, it’s still not working right for me).

  105. Come on people. It’s just a ploy for Google to create a mega-database of people’s phone numbers. I guarantee something will get exposed down the road regarding this. This is now the second time that I can think of where Google has tried to capture my phone number… bollocks to that.

    Just don’t be a fool and use the same password on every single account you have going on the internet. Understandably, it is easier to do exactly that; however, you can do something as simple as prepend (or append) a common rule to that password for each domain, ie.

    username: myusername
    password: my_usual_password_mc_dot_com (with _mc_dot_com being appended to your usual password, but is based off of the domain in which you registered on so it is easy to remember).

    Done. No handing out very personal information necessary. Only minimal brain-power.

    – Batman

  106. Hi Matt,

    May i ask you if why UAE has been opted out of the country list? Since i live in Dubai , i can not activate my 2 step verification.

  107. A second layer of security is always a good idea.

  108. This feature saved my account not too long ago. I’m not sure what I would do if I lost access to my gmail account. I’ve used it for years, and literally everything I use is connected to it in some way. Using a cell phone number to ensure admin privileges was a great idea.

  109. That’s a very nifty feature. Not only does my Google e-mail account contain basic info such as my real name, address, hosting log-ins and passwords but also many personal secrets that I would like to remain hidden. So two layers of protection it is; no one is hacking into my account if I can help it.

  110. This is very good feature and i think most needed. It will also avoid spam users from getting hundreds of accounts.

  111. I loved the idea, and I tried immediately, I have important data on my Google Account and I am happy to have a little bit of extra protection. I had only one problem, it is not straightforward to set up on my Ipod where I receive my emails, calendar and other apps that are configured with Google Docs (that are not Google Apps). I downloaded the google authetnicator, but It was no clear the use that I should do it for it. I read online the info that google was suggesting, but still it wasn’t clear. So I had to deactivate the 2 steps authentication, because to be able to access the data it is more important for me at the moment than security. I hope that in the future this functionality will be more smooth and with more real example with products. If it takes more than 20/30 min to configure, I do not think that people will use it. Speed and easy of use remain the key.

  112. Great idea, the more protection the better. Is this available on more than one Google account when using the same mobile number?

  113. thanks google, this is what we need. Right now there is many issue about account safety, specially email. Many of my friend account got hacked. Surely, i’ll use this app..

  114. Hi Matt, at SMX West, great sessions so far, if hallways, post sessions, expo etc., anytime if we can find 10 minutes would like to talk to you. Thanks – Paul

  115. Great idea!

    I have been the unfortunate target previously from Hackers etc and this is a fantastic idea and should be something most other companies start to implement.

  116. Great offer and I wish Google could offer this feature one month ago as my domain was hacked because of low security of my domain a month now but I feel more secure as anytime logging in my google account, there is a call to verify πŸ™‚ Thanks

  117. I had no idea about this. Seems everytime I scout around for security issues someone points out something I don’t know. Always good to learn though.

  118. Authenticators are a fantastic way to protect your data. Companies have been using these for sensitive data for quite some time now, and I’ll be definitely taking advantage of this for my personal account.

  119. I’m glad I came upon this page which prompted me to take action on the 2-step verification. I had seen it in the past but ignored it. But after reviewing this article, I realized it is not wise to skip it. I do this for many other services in the form of a “challenge question” (although it can be questioned how secure that second step is). Thanks for the heads-up.

  120. Just stopping by to express my appreciation for this. It is one of the many ways that Google continues to demonstrate its commitment to user trust and safety.

    I’m sure you’ve read the ArsTechnica detailed writeup on how HB Gary was penetrated by Anonymous. It struck me that if HBGary had deployed 2-Factor Authentication on their Google Apps accounts, then the worst that Anonymous would have been able to do would have been to take down the website.

  121. This was a fantastic idea.

  122. I will glad go through the “hassle” to protect my identity, accounts and to reduce the amount of spam from fake accounts. I do thinks it’s kind of funny that in 2011 Google has resorted to USPS post cards for Google Places verification.

  123. Beqar Shvelidze

    Hi Matt Cutts! Hello from country Georgia!
    This is a very good protection against hackers.
    I will definitely take this two-factor authentication.
    Best regards

  124. Why not create a file i could download and would be my print online? at least from google point of view? i hate all those “captcha” especially when its so easy to over come by automated programs but driving the regular user crazy

  125. Matt,

    Thanks for the advice, which I did try. Unfortunately Google doesn’t make it very easy for the average person to go through the process.

    It was great for my laptop at work. But several hours later, my Blackberry wouldn’t sync my Gmail emails. I’m sur eyou put something in there about it, but it really pissed me off that I was not validated.

    Make it an easier process before you roll something like this out. Not everyone is an engineer working for Google.

  126. This is one of those items that you read thinking this is a good idea but never implement, that is until it is too late. I had not heard of this and so would it not be a good idea on something like this to make people say yes or no on logon “Just Once”. This would then allow you to also allow you to feel confident that people know about it. How does information like this normally get sent around as I am a developer as well as a gmailer and I was not aware πŸ™

  127. a very good initiative as it will help to put an extra layer of security in all Google accounts. Sounds like good advice Matt

  128. Is this being rolled out gradually? I do not see this new option under β€œSecurity” in my β€œPersonal Settings”. It’s very good a two security.

  129. Hi there,

    I still cannot see “two-factor authentication” in my Google Account. Does anybody know how long will it take to appear in every account?

    Great inittiative anyway!


  130. This is without doubt a good idea, anything that helps prevent hackers from getting into peoples account is a good thing. OK it takes a little extra time but surely most would agree (Especially those who have been hacked) its worth it.

  131. We’ve been using dual login/user names for years and it has always surprised me that users understand it. It’s described very well on our sign up pages and most users take advantage of it, using two different names.

  132. I think it’s great. The more protection the better. Getting hacked can be a serious problem and it can be impossible to reverse some of the damage they do.

  133. First i thought like “What? Now i have to share my phone number?” but since it google who asked me so i gave it. But to think about that again it would be a dead end for the cracker. And that’s a really a brilliant idea that i could expect more from google.

  134. Brilliant idea – good to see Google still focusing on one of the ultimate customers look at; privacy & security πŸ™‚

  135. Nice! It was about time a think. Security nowadays is very important. Voicemails are being hacked, chips are being hacked. NFC is the future i think but is all the data encrypted and is it secure? Thx for sharing this information matt.

  136. Thanks for the tip.

    But wouldn’t it be better with a 3-factor authentication instead? Would be cool if Google could send us as a portable Retina-scanner πŸ™‚ Maybe with a built in SMS-function πŸ˜›

  137. Glad we have the two step now, my account was hacked last year, not sure how but as I use tons of Google storage for Picasa and the like this is a great safety net for peace of mind.

  138. Just got gmail hacked today and enabled this. Ugh wish I had found this sooner. Trust me it is far less annoying to enter a code every 30 days then to apologize to 600 plus contacts.

  139. Two factor authentication is a great idea and worth the extra steps involved. I have several friends and family members that have had their Yahoo accounts hijacked within the past months and a two-factor sign-on would make that very difficult to do.

    A+ for taking the step for increased security.

  140. Awesome, this is great, Ive been curious as to when this was going to go live, i guess i totally missed it =) On another note. I recently ran into an issue of someone tryong to verify my goog voice number on another google account. When they did this is stripped MY phone number from MY google account. Like they we’re trying to get my phone number? Weird have you heard of this?

  141. I enabled it a while back and disabled it, it became a pain in the bum at times as i prefer the mobile web interface to google app so i had to close the page near login to get the text to remember a code (which i can’t really do very well) and then reload the page (because my phone likes doing that on launch) to do it again … it became annoying. Also I don’t always have my phone with me when I need things like documents, say I’m in a meeting I’m not going to get my phone out! So as great an idea it maybe on the surface it’s not for me … though I have recommended it to a few more “wanting” types for security.

  142. I have a few gmail accounts using my cell phone number. Now i can’t create anymore account. I want to remove those account to create new one. How can i do this?

  143. i tried to create a gmail account today – it asked me for a number to text me on or a mobile number to phone me on. I do not own a mobile telephone.

    If I am to confirm I am real to Goo/Mail. Then maybe they should realise that although perhaps rather a lot of people own mobile telephones, not everyone does. Especially in rural Scotland where signals are patchy at best πŸ™

    I think you are wise enough to see my slight frustration there.


  144. Thanks for bringing 2-factor auth for the masses! A lot of people have trouble believing that such measures are necessary. Two weeks ago, one of our clients’ Google Apps account got hacked into. We had previously repeatedly encouraged this client to enable 2-factor auth. It wasn’t until this incident that he started to believe us!