Gmail Security 102

Google has a very nice security feature everyone should be using.  It’s called 2-step verification.  It’s relatively simple to set up, and there is a little administrative overhead, but you should do it just the same.  These instructions are written for Google Apps, but they should work for everyone.

As a Google Apps administrator, the first thing you need to do is allow your users to enable 2-step verification.  This step is only for Google Apps administrators; regular Gmail users can skip it.

With this enabled, you can now set up 2-step verification for your account.  Everything below applies to both Google Apps and regular Gmail users.

Go into Account Settings and turn 2-step verification on (it defaults to off).

Then, from Account > Security, under “2-step verification”, click Edit and verify that 2-step verification shows as ON.

Now that it’s on, let’s go in and set up your access.  As part of this setup, Google will send an SMS message containing a verification code to your phone.

From this point on, if you have a “dumb phone”, you can keep receiving codes by SMS whenever you need access.  I’ve got an iPhone, so this tutorial will focus on that.  You’ll need to get Google Authenticator from the App Store.  Then set it up with this account: open the app, point your phone’s camera at the barcode (a QR code) on screen, and enter the resulting code into the web form.  You only have to do that once.  The barcode carries a shared secret, and the app uses it to compute a fresh six-digit code every 30 seconds, so it keeps working with no cell signal.  Afterwards, you’ll need to enter the current code along with your password to sign in; if you check “Remember me for 30 days”, each computer you use only asks for the code once every 30 days.
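To make the “point your phone at the barcode” step concrete, here is an added example (not code from the original post, and not Google’s own implementation) of what the authenticator app does with that barcode: the QR code encodes an otpauth URI with a base32 secret, and the app derives the six-digit code from that secret and the current 30-second time slot using the standard TOTP scheme (RFC 6238, HMAC-SHA1). The URI, the account label and the secret below are constructed for illustration; the test vectors are the published RFC ones.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed example of what the on-screen barcode encodes. The secret here is a
# well-known demo value, not a real account secret.
EXAMPLE_URI = "otpauth://totp/Google%3Aalice%40example.com?secret=JBSWY3DPEHPK3PXP&issuer=Google"


def parse_otpauth(uri):
    """Pull the account label, base32 secret and issuer out of an otpauth:// URI."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    query = parse_qs(parts.query)
    return {
        "label": unquote(parts.path.lstrip("/")),
        "secret": query["secret"][0],
        "issuer": query.get("issuer", [""])[0],
    }


def hotp(secret_b32, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    secret_b32 = secret_b32.upper()
    key = base64.b32decode(secret_b32 + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32, at=None, step=30, digits=6):
    """RFC 6238: the counter is the number of 30-second slots since the Unix epoch."""
    now = int(time.time() if at is None else at)
    return hotp(secret_b32, now // step, digits)


def verify_totp(secret_b32, code, at=None, step=30, window=1):
    """Server-side check: accept the current slot plus `window` slots either side,
    so a code typed just before it rolled over is still accepted. Constant-time compare."""
    now = int(time.time() if at is None else at)
    slot = now // step
    return any(
        hmac.compare_digest(hotp(secret_b32, slot + drift, len(code)), code)
        for drift in range(-window, window + 1)
    )


if __name__ == "__main__":
    info = parse_otpauth(EXAMPLE_URI)
    code = totp(info["secret"])
    print(f"{info['label']}: current code {code}, "
          f"valid? {verify_totp(info['secret'], code)}")
```

The `window` parameter is the trade-off a verifier has to make: a wider window tolerates more clock drift on the phone but also gives an attacker who has seen one code a longer period in which to replay it, which is why one slot either side is the usual choice.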

At this point, your Google account is much more secure, but you have a single point of failure: if you lose your phone, you’ve got no way into your account.  Google is a few steps ahead of you.  First, you should add a “Backup phone number.”  This must be a different number from the one you gave Google as your primary phone (your iPhone’s number), so if you can, use someone close to you: your friends, your kids, your spouse.  Keep in mind that a backup number is a recovery path into your account, so anyone who can read SMS on that phone can get in.  Whoever you designate should therefore also have 2-step verification on their own account.  If they don’t, you’re not getting the full security that this process provides; recovery paths like this have been exploited.

The third, and final, way to get into your account is printable backup codes.  These are one-time-use codes that will let you into your account without your phone.  Print two copies: tape one to the back of your wallet, and keep the other someplace safe at home or work.  There are 10 codes on the printout, and each is good for exactly one sign-in.  Since a backup code plus your password is a complete sign-in, don’t keep the printout in the same place as your password.  Be aware that the next time you generate printable backup codes, all existing codes are invalidated, so reprint both copies.

Now that Google is secure, you need to get access for those apps that don’t play nice with 2-step verification (such as the iPhone Mail app and Sparrow).  To do that, you’ll need to generate “Application-specific passwords.”

Use a descriptive name for each password you generate (the app and the device, for example “iPhone Mail”), so you can tell later which one to revoke.

You’ll get a long password that Google shows you exactly once; copy it into the app, and the app will keep using it (it is not a one-time code like the backup codes).  My understanding is these passwords don’t expire; they stay valid until you revoke them.  Each one lets that app bypass the code step entirely, so treat it like an account password.

You may want to bookmark this page.  In addition to generating application-specific passwords, it lists who has authorization to your account and lets you revoke that access (I found one authorization I didn’t recognize there, for some reason.  Not any more!)  Should you lose your phone, you can remove all authorization from all devices here.  Handy.
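The two account-side behaviours described above, backup codes that work exactly once and are all invalidated when a new set is printed, and application-specific passwords that are shown once but stay valid until revoked, are easy to get wrong in a home-grown system. Here is an added example (not code from the original post, and a constructed model rather than Google’s implementation) of the bookkeeping behind both. The class name, the 8-digit code format and the 16-letter password format are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import string


def _digest(value):
    # Keep only a hash, so a leaked store does not hand out working codes.
    # A real deployment would also mix in a server-side secret and rate-limit
    # guesses, since 8-digit codes have little entropy on their own.
    return hashlib.sha256(value.encode()).hexdigest()


class AccountRecovery:
    """Constructed model of the account-side state for printable backup codes
    and application-specific passwords. Assumed names; not Google's code."""

    def __init__(self):
        self._backup_codes = {}    # digest -> still unused?
        self._app_passwords = {}   # descriptive name -> digest

    # --- printable backup codes --------------------------------------------
    def generate_backup_codes(self, count=10, digits=8):
        """Issue a fresh printout. The previous set is dropped entirely,
        so every old code stops working the moment a new set exists."""
        codes = ["".join(secrets.choice(string.digits) for _ in range(digits))
                 for _ in range(count)]
        self._backup_codes = {_digest(c): True for c in codes}
        return codes

    def redeem_backup_code(self, code):
        """Accept a code once; the same code presented again is refused."""
        d = _digest(code)
        if self._backup_codes.get(d):
            self._backup_codes[d] = False
            return True
        return False

    def unused_backup_codes(self):
        return sum(1 for unused in self._backup_codes.values() if unused)

    # --- application-specific passwords -------------------------------------
    def create_app_password(self, name):
        """Return the 16-letter password exactly once; only its digest is kept,
        so it cannot be displayed again later."""
        pw = "".join(secrets.choice(string.ascii_lowercase) for _ in range(16))
        self._app_passwords[name] = _digest(pw)
        return pw

    def check_app_password(self, pw):
        """Reusable: the same password keeps working until it is revoked."""
        d = _digest(pw)
        return any(hmac.compare_digest(d, stored)
                   for stored in self._app_passwords.values())

    def authorized_apps(self):
        """The list you review on the authorization page."""
        return sorted(self._app_passwords)

    def revoke_app_password(self, name):
        return self._app_passwords.pop(name, None) is not None

    def revoke_all(self):
        """What you do when the phone is lost: drop every app password at once."""
        self._app_passwords.clear()


if __name__ == "__main__":
    acct = AccountRecovery()
    print("backup codes:", acct.generate_backup_codes())
    pw = acct.create_app_password("iPhone Mail")
    print("app password (shown once):", pw, "authorized:", acct.authorized_apps())
```

Note the asymmetry: a backup code is marked used on its first redemption, while an app password is only ever compared, never consumed. That is exactly why the page’s advice differs for the two: backup codes go on paper you carry, app passwords go into one app each with a name you will recognise when it is time to revoke them.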

I wish I could say there was more to it.  There isn’t.  It’s remarkably easy, seemingly robust, and a clear improvement over a password alone.

Happy Computing!!