How to better protect your Google account with two-step verification and Google Authenticator

Google Authenticator

In a recent article, I walked through how to set up two-step verification (2SV) on your Google account. You will now receive verification codes via email, phone call, or SMS messaging every time you try to log in to your Google account with your username and password.

It's important to note, however, that there are potential drawbacks to those methods of verifying your account.

Depending on your 2SV code delivery preferences, Google will not be able to send you a code if you do not have internet access or mobile service. These limitations could present a problem in certain situations. For instance, if your mobile service experiences a temporary outage, you won't be able to receive codes via SMS.

Similarly, if a storm knocks out internet access and you do not have your verified non-Google email account set up on your mobile device, you won't be able to receive verification codes via a message sent to that email.

Fortunately, there are applications such as Google Authenticator that generate 2SV codes on the device itself, so they work even when mobile service and Internet access are unavailable. I will therefore walk through the steps for installing Google Authenticator to receive 2SV codes for your Google account.

(NOTE: I will be using an Android device for this guide, but the setup on iOS and BlackBerry devices is similar.)

1. Open up the Google Play Store app on your device. (If you have an iPad or iPhone, use the App Store; if you have a BlackBerry, visit "m.google.com/authenticator.")

2. Search for "Google Authenticator."

3. Click the "Install" button on the Google Authenticator app page. The app then requests permission to access accounts and profile data located on your device. Click the "Accept" button to install Google Authenticator onto your device.


4. Visit the 2-Step Verification settings page for your Google account on a web browser.

If you are not already logged in, Google will prompt you to sign in and will send a 2SV code either to your phone or to your email. Enter your credentials and the verification code.

If you are already logged in, Google will redirect you to a log-in page where it will ask you to resubmit your password. This is an added security measure for when a user attempts to access their Google account's settings. Enter your password and click the "Confirm" button.

5. Under the "Verification codes" tab on the 2-Step Verification page, you will see that the primary way through which you currently receive codes is set to either your phone or to your email.

Below that option, you will see the Google Authenticator icon and some text explaining that you can instead receive 2SV codes via the Google Authenticator app.

Located next to that text is a "Switch to app" button. Click on that button.


6. A dialog box will pop up asking you to select which type of device you have installed the Google Authenticator app on. Select one of the three radio buttons (Android, iPhone, or BlackBerry) and click "Continue."


7. Another dialog box will open on Google's 2-Step Verification page. Follow the instructions on that page to continue the set-up process of the Google Authenticator app, as I will detail below.


8. Open the Google Authenticator app on your mobile device and tap the "Begin Setup" button.


9. The Google Authenticator app will ask you to add an account. You can do so either by scanning a barcode or by entering a provided key. (iOS devices offer the same two options, while BlackBerry phones only offer key-based setup.) I chose the barcode option, so I tapped "Scan a barcode."

10. Using a barcode scanner such as ZXing Team's "Barcode Scanner" installed on your device, place your mobile device so that the barcode on your computer screen falls into the scanning area of the barcode scanner app. Hold the app there for a few seconds for it to pick up the barcode.

Once the scanner has read the barcode, a new screen will pop up in your Google Authenticator app announcing that you've successfully set up the app.


As you can see, the screen also provides you with a code that you need to enter into the Set up Google Authenticator app screen on your computer's web browser. Enter that code into the provided text field in the dialog box and click the "Verify and Save" button.


A message will pop up announcing that you have successfully set up the Google Authenticator app. Click the "Ok" button.


Congratulations! You have now set the Google Authenticator app as your primary means of Google 2SV verification. This allows you to set up SMS, email, or call as a backup means of receiving codes.

From now on, whenever you need to log into your Google account, you will be prompted for a code. Simply open the Google Authenticator app and enter the code it displays into the web browser's text field. Those codes are time-sensitive and must be submitted before they expire.


Stay safe, and stay tuned for more security "How to" articles!



12 Responses

  1. coyote

    March 28, 2016 at 3:59 pm #

    One of the reasons I don't use this for Google (though I only use Gmail for specific correspondences I still use it nonetheless) is because I don't use webmail (I despise it); instead I use a mail client (and use pop3s etc.). But then I have it set to download mail every hour (maybe it is a different interval but I can't recall as I have many email accounts and it varies). If I were to have something like this enabled it would be a huge hassle IF it was for gmail including an email client. I would also have to have my phone by me (and it's not Internet enabled so only text would work for me) most of the time (and I try to not have it save for the times I need it for 2SV for accounts which I seldom login to).

    So do you (or does anyone e.g. Bob [the commentator because I somehow suspect he knows or has some insight – or any other Bob for that matter]) know how this affects Gmail versus Google accounts in general? Maybe it's only relevant for Google accounts and not logging into mail (specifically through pop3s)? I could gather more information on my own (even if I had to enable it and test) but I think that others might have additional insight into the matter.

    I rarely log into Google except for mail and as noted I don't use webmail so if it was only for Google accounts in general (and I most certainly do not have Google+) I would consider it.

    Would appreciate any information (or any comments) on the matter.

    • Bob in reply to coyote.

      March 28, 2016 at 7:12 pm #

      Enabling 2SV for your Google account will enable it for all services which use your login (e.g. Gmail, Docs, Drive etc.) You can't selectively enable it for particular services.

      You're right when you say it may cause a problem when accessing your email via a conventional client such as Outlook, Thunderbird and the like. Desktop email clients are slowly beginning to embrace 2SV and 2FA but until then the workaround is through the use of 'App Passwords'.

      All you do is generate an app specific password (in the form of 16 lower case letters, spaces irrelevant) – e.g. if you use Outlook to access your mail you would set up a password exclusive to that app* – it's treated as a static authentication token (like a conventional password) and will log you in straight away.

      [The app specific password cannot be used to login to web-based services].

      *You could use that app 'specific' password across other apps which require a static password although for security reasons I'd recommend you create a different one for each device. Assuming your laptop were to be stolen you'd then only need to revoke one app specific password instead of revoking them all.

      The fact you're accessing your email via POP makes no difference as app specific passwords work with both POP and IMAP protocols.

      You say your phone isn't "internet enabled" but I'm assuming it's a smartphone? If it is then you can enable the internet, download the Google Authenticator app, configure it and then disable your internet connection again. The one-time codes are actually TOTP (time-based one time passwords) so all the app needs access to is the 'secret' contained within the QR-code which you scan and a clock on your mobile with time correct to +/- 10 seconds.

      If you don't have a smartphone, or you don't want to download the app, then the alternative is to input your mobile number as the second step. Instead of generating a one-time code in an app you receive an SMS or a voice call. If you go down this route I'd suggest making a careful note of your backup codes and ideally specifying a landline as a backup in case you lose your phone.

      You say you think it'd be a pain to have to enter the code each time. That's the trade-off with security. However if you mainly/only access your accounts from one computer then you can hit the "Remember this computer for 30 days" option. You then get the convenience of only needing to enter your one-time code every 30-days (unless you regularly delete your cookies) and the security of knowing that an attacker who knew your password couldn't easily compromise your account.

      I don't know if that's answered your questions but my recommendation would be to enable Google's 2SV particularly considering the confidential information most people store in their email accounts.

      2SV reduces the threat posed by key-logging attacks and also the danger posed by somebody remotely capturing your screen. Take a look at the website below:

      http://vncroulette.com/

      It was prepared by some security researchers to illustrate the dangers of insecure access sessions. As the creator(s) aren't malicious they have left a time delay before publishing and have only published a fixed screenshot. An attacker with criminal intent on the other hand would just as easily be able to capture a live stream (plus real-time keystrokes) of data entry thereby compromising the user's accounts.

      2SV would stop this type of attack in its tracks because no one-time code = no entry. That wouldn't stop the attacker being able to gain a live insight into the authorised user viewing his accounts but it would stop the attacker from having independent, unfettered access and/or being able to delete/hijack the account.

      • Bob in reply to Bob.

        March 28, 2016 at 7:25 pm #

        To clarify:

        If you only access your email via a desktop client then once you've caused the client to save your app password your email will download immediately. You'll never be prompted for a one-time code in this scenario.

        If you access Google web services (even Gmail) you will be prompted for your normal password plus your one-time code; subject to my post above.

        2SV shouldn't impair your workflow (but will significantly secure your account) from how you've described it … assuming I've not misunderstood your situation.

        • coyote in reply to Bob.

          April 7, 2016 at 12:48 am #

          I could have sworn I enabled subscription to replies to my comments.

          No, I don't have a smart phone.

          I only use Thunderbird.

          I only use Gmail for limited uses (but again through Thunderbird). Looking through Thunderbird I have 11 email accounts and only 3 are Gmail: one of those is so I get mail I send to mailman lists [since Google doesn't send]; another one I rarely use if ever, and the main one I don't use often either. Most of the accounts are on my own mail server. Still, I never keep the mail on the mail server (in question); once downloaded I have my client delete it from the server (although I note that unfortunately – last I recall – Google does not delete it but moves it into trash for [30?] days).

          Unfortunately Thunderbird has limited support in encryption algorithms (which means on my mail server I have to use weaker encryption algorithms) and I don't recall seeing anything else that you describe. So until that changes I probably am out of luck (and then I would have to look into what you say). I don't see this changing any time soon, though.

          Thanks a lot for the information.

          Thanks also for the link. I'll check it out (and I'm in agreement with all what you say because I know it's actually right; convenience and security don't mix well for example).

  2. Vess

    March 28, 2016 at 6:49 pm #

    1) What if you don't have a smartphone?

    2) What if you aren't willing to give Google your mobile phone number?

    3) What if you lose your phone?

    Thanks, but no thanks. I'll stick to a reasonably secure password and not using Google's e-mail for anything really important.

  3. Barry

    March 29, 2016 at 2:52 am #

    Not everyone has a 3G/4G connection, and some people live practically in the middle of nowhere. Up in certain places in Canada, smartphones are premium items. And maintaining the data plan can be costly. They ain't cheap, especially prepaid mobile devices. Not every cellular provider is supported by Twitter, Google, Yahoo, Outlook aka MS.
    Most people I know up here stick with dumb phones aka feature phones.
    I agree with Vess's comment and I would like to add, what happens when your cellular provider goes belly up and there's no other cellular provider?
    And another thing, teachers here can't access their cellular services, if and when they bring mobile devices into their community.
    Personally I would stick with a secure password, and a small note book.

    • Bob in reply to Barry.

      March 29, 2016 at 12:40 pm #

      Barry, you misunderstand how Google's 2SV works. Read my post as I've highlighted various options which don't require a smartphone or a data plan:

      YubiKey
      Backup codes
      Voice call to a mobile
      Voice call to a landline
      Option to 'trust' a computer

  4. Barry

    March 29, 2016 at 4:58 am #

    I made a little typo, in regards to the teachers bringing their mobile devices to remote first nations communities. They wouldn't be able to make a call outside of their service provider, they're cut off. There are dead zones.
    Sometimes an independent cellular provider doesn't offer data plans. And data plan usage can add up, depending on one's network provider. Plus not everyone would want a smartphone. A number of folks have to squeeze every penny. In the US, people can't afford smartphones and had to use tracfones; the downside is the reception is still crappy.
    I think the big cellular providers in Canada can be somewhat territorial in regards to their network. Some prepaid cellular providers are not allowed on Bell network.
    And some folks who are in the boonies and in the outskirts are too far for the cell signal to reach one's mobile device.

  5. Breon

    March 29, 2016 at 9:01 pm #

    Step 4 should specify that u are opening the web browser on ur desktop computer (or any other computing device other than the mobile device onto which u plan to install Google Authenticator).

    It might be easier, tho, to explain the process of installing and using Google Authenticator (and then be easier to understand) if ur example involved only ur mobile device from which u access ur Google Account, and to which u install the Google Authenticator app. Then u add ur Google Account to the Google Authenticator app via a code supplied by ur Google Account. The code is supplied after tapping the blue text link shown in ur screenshot labeled "Can't scan the barcode?"

    U might also note that the Google Authenticator app can be used for 2SV on Accounts other than just Google.

    U might also note that although the Google Authenticator app can be installed on multiple mobile devices, the 2SV codes for any one Account (e.g., Google) can only be generated on one of those Google Authenticator apps. Or at least, that's how it seems to me to work currently.

    • Bob in reply to Breon.

      March 30, 2016 at 3:07 pm #

      You can generate the codes on multiple devices providing you scan the QR code at the time you are setting up the app. Or you can make a note of the 2SV secret providing you keep it very secure. Either method will allow 2SV codes to be generated on multiple devices but for security reasons this is unwise – it's best to have only one device capable of generating the codes.

  6. Allan Watson

    March 30, 2017 at 9:02 pm #

    "…Google will not be able to send you a code if you do not have internet access…"
    If you don't have internet access, how can you even try to log on to Gmail or any other webmail service?

  7. Mark

    April 20, 2017 at 8:14 pm #

    I've run into a problem just like I run into everywhere online. Everybody keeps forgetting to say where one can find this barcode to scan. Let alone also finding a "provided key."
