Two-step verification (also known as two-factor authentication or 2FA for short) adds a second identification method beyond your password, to be used whenever Google isn’t completely certain that you are the person logging into your account. You’re probably already using 2-factor authentication on websites that handle sensitive data, such as your bank, tax preparation service, cryptocurrency exchange, or health insurance provider. Usually it’s in the form of a security question, or some portion of your social security number. These are fairly weak methods of 2-factor authentication. More secure methods involve sending a one-time-use numeric code via email, SMS, or automated voice call, but these can be intercepted if an attacker takes control over your phone number via SIM swapping. The strongest forms of 2FA involve hardware tokens that must be plugged into a USB port or connected via Bluetooth; or authenticator apps (such as the Google Authenticator) that provide one-time-use codes.
Google uses a variety of trust factors to calculate the probability that a login is legitimate, such as signing in from a new or distant location, using a browser’s autofill feature to supply your Google password, or signing in from a new browser or untrusted device. If there are any hints of suspicion, Google will ask for a second authentication method beyond your password. Even when there isn’t anything unusual, Google occasionally asks for a second method just to make sure it’s really you.
When 2-step verification is triggered, all Google services that require authentication will pause on all of your registered devices until the second step is complete. This is not as much of an inconvenience as it may seem, especially considering how much extra security it adds to your account. For instance, if someone guessed or stole your password and tried to log into Google Play to go on a spending spree, they would immediately be stopped by the second authentication factor. Wherever you are at that time, you’d receive a notification of a new login attempt, and you’d be asked to provide a second authentication method. You’d recognize this as an unauthorized login attempt, and you’d be able to instantly block it and change your password to avoid more attempts. If you’re asleep or otherwise unavailable, your account will stay locked everywhere until you provide a second authentication factor.
There are six possible secondary authentication methods; you should enable at least three:
- Google Prompts: Requires you to unlock one of the specified mobile devices, then tap Yes in the login prompt that Google sends to it. You can add this to multiple smartphones and tablets.
- Authenticator App: Install and configure the Google Authenticator app on a mobile device, and use it to generate short-term authentication codes. There can be only one active Authenticator app among your mobile devices.
- Backup Codes: Google will generate ten single-use backup codes that you can write down or save to a text file. If you save it to a file, you can print the codes and keep them with your other important hard-copy documents, or you can put it on an external storage device such as a USB drive, CD, or memory card.
- Voice or Text Message: Google will call or text the specified phone number, and relay a verification code that you must use for your secondary authentication. This can be a landline phone or smartphone. You cannot use a Google Voice phone number for this because you wouldn’t be able to receive any communication from Google Voice when 2-step verification is triggered.
- Security Key (hard token): You can purchase one or more Titan hard token security keys from the Google Play store, or other trusted retailer. A hard token is as close to a physical key as you can get with digital authentication. It’s a small device (about the size of a house key or USB memory stick) that uses a physical or close-proximity encrypted connection to authenticate you. Security keys can connect via USB (A or C), NFC, or Bluetooth. Google sells Titan brand security keys for anywhere between $25 and $40, depending on which connection method you prefer. The downside is that you have to keep track of this key as though it were your house key or car key, and if you lose it, you’ll have to immediately log into your account (possibly with a different secondary authentication method, which is why I recommend at least 3) to disable it. You can have multiple Titan keys for your account, so you can keep one with you, and put one in a fireproof safe or safety deposit box.
- Security Key (Android): If you have a smartphone that runs Android version 7.0 or later, you can configure it to act as a hard token. It’s not a good idea to use the same smartphone that you have the Authenticator app on; the two methods would be redundant on the same device. The ‘security key’ phone does not need a data plan or an Internet connection (beyond the initial Security Key configuration process); all it needs is Bluetooth.
Three of these methods (Google Prompts, Authenticator App, Android Security Key) require that you be in possession of your smartphone to complete the second authentication factor. If your phone is lost, stolen, damaged, or has no Internet access, then these methods won’t be available (except the Security Key method, which only requires Bluetooth to provide authentication). Enabling all three of these on one Android device is redundant, since you only need one if you only have one phone. I suggest enabling Google Prompts if you have several mobile devices connected to your account, and enabling the Authenticator App on your main (or only) smartphone.
The Android Security Key method is best used on an old Android phone that you aren’t using. As long as the old phone has at least Android version 7.0, you can set it as a trusted device in your Google account, configure it as a Security Key, then put it in a fireproof safe or lockbox with your valuables or important documents.
You should also enable another method that doesn’t require a smartphone. I suggest the Backup Codes method as a third or fourth option, especially if you need to log in when you’re away from home. Remember, though: don’t store the backup codes in a place that requires a Google login (such as Google Drive, Gmail, or Google Keep), and don’t store them on your smartphone. It’s best to print them out and put that paper with other secure documents like birth certificates and tax forms. You may want to put an unused code in your passport and/or wallet in case your main smartphone is lost or stolen while you’re travelling. If you lose any codes, or if you suspect that someone may have copied them, log into your Google account immediately and disable the old codes, then generate new ones.
Whenever you provide a secondary authentication factor, you’ll see a link on the authentication screen that says Don’t ask again on this device. If you follow that link, you can designate the device that triggered 2-step verification as a trusted device. This will raise the trust level of that device, though it does not completely eliminate the possibility of secondary authentication triggers. You can revoke ‘trusted device’ status in the 2-step verification configuration section of your Google account.
I like Google, but I like privacy and security even more, so for the latest edition of Google Power Search, I added a huge new section that explains how to keep your Google account secure, and how to keep Google out of your life as much as possible while still using its most valuable services.