What is two factor identification?
Typically, we login someplace with an ID and a password. That combination is good everywhere, everyplace, everytime and is often saved on the device. It’s convenient but if someone knows your ID and password, they can login anywhere and get to all your stuff controlled by that account. If it’s something like a Google account, that might include your email, files, calendar, and sites that let you login using your Google credentials.
With two factor identification, logging in on a new or untrusted device requires that ID and password, plus a code delivered to an independent device. Even if someone knows your ID and password, they won’t have access to your device.
2-step verification drastically reduces the chances of having the personal information in your Google account stolen by someone else. Why? Because hackers would have to not only get your password and your username, they’d have to get a hold of your phone.
Here’s what I had to do to enable two step authentication on my Google apps account
- logged in at https://accounts.google.com/ and went to the account security page at https://www.google.com/settings/security
- installed the “Google Authenticator App” on my iPhone to receive verification codes
- set the computer I’m setting this up on as trusted (the default setting). It’s my home desktop and it’s reasonably secure.
- turned on 2 step verification
- added backup phones (home phone, wife’s mobile)
- clicked the button to go forward with creating application specific passwords and to review aplications with access to my Google account — WOW, there are sure a lot of them.
- at this point, all sorts of unable to login boxes are popping up on things
- generated and entered app specific passwords for
- iphone mail
- ipad mail
- desktop mail
- mac mail (had to also enter the password for the calendar app)
- chrome synch
- Enabled browser logins to Google services on each device and checked the “good for 30 days” box.
On my account management page, https://accounts.google.com/b/0/SmsAuthConfig, I can disable all of those verification codes. It would be nice if I could see what codes had been used an deactivate individual devices, but in an emergency situation, I suppose its best to disable any device not marked as trusted.
The total setup time, including taking notes and typing really difficult strings was about 20 minutes. I like to think that my 9th grade touch typing teacher, who didn’t see much promise in me or my attitude, would be very proud of me as I typed those 16 character passwords.
The Google Authenticator is interesting – it works like those RSA keys that present a new code every 30 seconds or so.