Raymond.CC Blog

Prevent Your Gmail Account from Being Hacked with 2-Step Verification

Updated by Raymond - 10 months ago - Computer

Your email account is probably your most important account on the Internet, and not only because you use it to exchange messages. Most services that you sign up for, and most software that you buy online, require your email address so that you can recover a forgotten password and so that the software publisher can send you the license information. If you lose your email account because someone hacked it, the hacker can gain access to all your other accounts such as Facebook, Twitter and Dropbox by performing a password recovery, which sends a newly generated password to the email address that the hacker now has access to.

One of the most used tricks to gain unauthorized access to an email account is guessing the answer to the secret question. Sometimes the secret question is not really that secret at all: it asks for your mother’s maiden name, which any family member would know and which even a stranger could find out via social engineering. If you haven’t realized it, you really have a lot to lose when your Google account is hacked, because one single Google account is used for all services provided by Google such as AdSense, AdWords, FeedBurner, YouTube, Google Wallet and Google Drive. As much as you try to keep your Google account safe, there will always be a risk of your Gmail account getting stolen.

I recently got to know that Google has implemented 2-step verification, which is a very effective method to prevent your Gmail account from being hacked by associating the account with your phone. A password can always be stolen, either through your carelessness or by malware such as a keylogger, but one thing that they cannot steal is your phone, which physically belongs to you. If a hacker steals your password, they still won’t be able to log in to your Gmail account because they do not have the additional time-limited PIN code that can only be generated from your phone.

Matt Cutts, head of Google’s Webspam team, said that he would not trust his Gmail account without two-factor authentication and that he would feel naked on the Internet if he didn’t have this sort of protection.

The situation is similar with the excellent LastPass: some concerned users don’t want to use a cloud-based password manager because they are afraid of storing their passwords online, but personally I’m not worried about it because I have associated my LastPass account with a physical YubiKey. If someone knows my LastPass master password, they still won’t be able to log in to my LastPass Vault without the YubiKey that is physically with me. In fact, a few months ago when a Google account manager came to meet me, I noticed that she had to connect a YubiKey to her MacBook before she could access her private Google account.

If you’re convinced that turning on 2-step verification will keep your Gmail account much more secure but are worried about the difficulty of setting it up, let me walk you through it.

1. First visit your Google account’s security settings page from this link https://www.google.com/settings/security and log in if necessary.

2. The 2-step verification should show the status OFF. Click the Edit button for 2-step verification.

Turn on Gmail 2-step verification

3. Click the Start setup button.

4. Enter your phone number and select the method to receive the codes, either by SMS or voice call and click the Send code button.

Phone Send Codes

5. Google will now send you a text message via SMS to the phone number that you’ve entered if you’ve selected the SMS option or will call you to read out the code. Enter the verification code and click the Verify button.

6. Google will now ask you if you’d like to trust the computer that you’re currently on, so that it asks for a verification code only every 30 days. You should keep the checkbox ticked if you’re on your own computer. Click the Next button to continue.

Trust This Computer

7. Click the Confirm button.

8. Google will now inform you that some applications may need new passwords because they do not support 2-step verification. For example, if you use an email client such as Outlook to check your Gmail, you will have to use a randomly generated application-specific password, because the client will no longer accept your current Gmail password. You will, however, still use your current Gmail password, not the randomly generated one, to access web-based Gmail.

9a. Once you’re at the 2-step verification settings page, I would strongly suggest that you add a backup phone number in case you temporarily do not have access to the primary phone number that is associated with your Google account.

Gmail Code Backup Methods

9b. Install the mobile application so that you can also generate the PIN codes on your cellphone when you don’t have cell coverage. Currently it supports only Android, iPhone and BlackBerry, not Windows Phone.

9c. Do print out the backup codes, which are really useful when you have access to neither your primary nor your backup phone to generate the codes. The backup codes do not expire, but each can be used only once. You can always generate 10 new backup codes; doing that disables all previously generated backup codes, so only the latest ones will work.
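
The offline codes from step 9b and the one-time backup codes from step 9c can be shown in a short Python sketch. This is an added example, not code from Google or from this article: it implements the standard time-based one-time password algorithm (RFC 6238) that Google Authenticator uses, which needs only a shared secret and the clock, plus single-use backup codes that are all replaced when a new set is generated. The `SecondFactor` class, the 8-digit backup-code format and the one-step clock-drift window are assumptions made for illustration, and the secret is the published RFC test key.

```python
import base64, hashlib, hmac, secrets, struct

STEP = 30  # seconds each code is valid for (RFC 6238 default)
# Constructed demo secret: the published RFC 4226/6238 test key, not a real account's.
DEMO_SECRET = base64.b32encode(b"12345678901234567890").decode()

def totp(secret_b32, unix_time, digits=6):
    """RFC 6238 code from a shared secret and a clock; no network needed."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class SecondFactor:
    """Hypothetical server-side verifier for one account (illustration only)."""

    def __init__(self, secret_b32):
        self.secret = secret_b32
        self.last_counter = -1  # highest time step already accepted
        self.backup = set()

    def new_backup_codes(self, n=10):
        # Assigning a fresh set invalidates every previously issued code.
        fresh = set()
        while len(fresh) < n:
            fresh.add(f"{secrets.randbelow(10 ** 8):08d}")
        self.backup = fresh
        return sorted(fresh)

    def verify(self, code, unix_time, window=1):
        if code in self.backup:
            self.backup.discard(code)  # never expires, but works only once
            return True
        now = unix_time // STEP
        for counter in range(now - window, now + window + 1):
            # Skip steps at or before the last accepted one to block replay.
            if counter <= self.last_counter:
                continue
            if hmac.compare_digest(totp(self.secret, counter * STEP), code):
                self.last_counter = counter
                return True
        return False

if __name__ == "__main__":
    account = SecondFactor(DEMO_SECRET)
    code = totp(DEMO_SECRET, 59)
    print(code, account.verify(code, 59), account.verify(code, 59))
```

A stolen password alone fails `verify`, and a code that is observed once cannot be replayed, because the verifier remembers the last accepted time step.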

Now that 2-step verification has been turned on for your Gmail account, logging in to your Gmail from other computers will ask for the verification code. As for your own computer, you will be asked to enter a code only once every 30 days, provided you previously allowed Google to trust your computer.

Gmail Enter Verification Code

This is a great initiative by Google to further enhance the security of our Gmail accounts for free! If you haven’t enabled 2-step verification for your Gmail account, I suggest you do it as soon as possible.

18 comments on “Prevent Your Gmail Account from Being Hacked with 2-Step Verification”

  1. Peter says:
    9 months ago

    Hi, nothing seems to be absolutely secure on the Internet anymore. As in my own case with passwords I usually create a word document typing in numbers, uppercase and lowercase letters (a real jumble) then from it I can cut and paste a password of a different mixture of many letters and numbers from the letter or document. Another thing I have used is the Onscreen Keyboard found in the System Tools, this means you do not have to type in a password but simply use your mouse to click on the onscreen keyboard. For myself I use 4 separate systems on 4 different partitions. Windows XP for Internetting, firewall and virus protection, Windows XP for all other functions and programs, never connects to the internet so no firewall, updates, or virus program needed (very fast) Windows 98SE for Gamezone (Only Games) many downloaded games designed for XP will run on Win 98, strange thing is some do not need to be registered or cracked, instead of the usual 1 hour they for some reason run like a full version without payment or expiry. 4th and last system is what I call “Workzone” Windows 98SE with this I can copy, backup, restore and burn to backup disks easily and quickly. With my Internet system Windows XP from my Workzone System (Win98SE) I even have a folder called “Quick restore” in it I keep a copy of my Documents and settings folder and the Temporary Internet Files folder. From my workzone system it is a simple matter to Delete these two folders from my XP Internet system then simply copy the two Documents and settings folder and the Temporary Internet Files folders to the Internet system. This I can do anytime and takes less than 2 minutes. Also I made a small bat file I call Prefetch, This when run from my workzone system instantly clears the Prefetch Folder where corruptions sometime occur. Its configuration is

    c:
    cd\windows\prefetch
    del *.*
    e:
    cd\win98_se\prefetch
    del *.*

    Course the C: and E: can be changed to reflect the drives or partitions where your XP Systems are.

    If some corruption is in a system (usually the one you have been using for the internet) from your Workzone system you can simply format the disk or partition where it resides and then restore it from backup.

    To access your Windows 98SE systems you can install a system manager, I use the old Vcommunications System Commander which will allow you to run up to 40 different systems including Linux. However you can create a boot floppy or boot CD. just create a boot floppy Start up your Windows 98SE system , after starting then exit to DOS at the DOS prompt, insert the floppy disk and enter the following… Format a: /s Once you have created your boot floppy remove it and restart your computer. From your file manager delete the MSdos.sys file on the floppy and copy the MSdos.sys file from your computer. Now remove the floppy and write protect it by sliding the floppy disk TAB to the open position. Now even if you have Windows XP installed and Windows 98SE installed if you boot up with the floppy disk it will take you straight to your Windows 98 desktop in full operational mode. If for some reason your computer needs drivers for graphics and sounds and you cannot install them simply start your computer whilst holding the F8 key down and select the safe mode option. This will allow you to use the system in safe mode but still allow you to use windows explorer file manager to Delete, Backup or Restore files or full systems.

    Final note: the above will only work on a hard drive that has been partitioned into 32-bit system. I have never tried it on a NTFP setup system but with the NTFP system the above would probably not work.

    Reply
  2. Ronak says:
    10 months ago

    Thanks for sharing, this is absolutely helpful information.
    I have one question: what happens if my mobile number is blocked or I lose my mobile phone?

    –
    Ronak

    Reply
  3. Ray says:
    10 months ago

    I am a big supporter of 2-step authentication, and my advice is: if you haven’t yet taken advantage of the 2-step verification offered, I’d encourage you to take a moment today and do that. I have not had any issues with giving them my mobile number as some want to claim. You are not going to find a more secure and easier user experience anywhere. So activating the two-factor authentication technology, where you can telesign into your account by entering a one-time PIN code, is worth the time it takes to set it up and have the confidence that your account won’t get hacked and your personal information isn’t up for grabs. This should be a prerequisite to any system that wants to promote itself as being secure. I wish others would follow suit.

    Reply
  4. ilev says:
    10 months ago

    I have used 2-Step Verification from day 1 without any problem. I use the Authenticator application on my iPhone to create the PIN code number each time I log in. I never keep the PIN for 30 days.
    You have to pay attention that you need to create a unique password/token (replacing your Gmail password) for any application that logs on to your Gmail account, like Gmail on your smartphone, Microsoft Outlook, or a Gmail backup application like MailStore…
    These passwords are created at :
    google.com/accounts/IssuedAuthSubTokens

    Reply
  5. Zapped Sparky says:
    10 months ago

    @Raymond It’s not the spam I was worried about, just the phone not being able to do what may be necessary for it to work. Thank you for the information/reassurance that it will, and at no cost! :)

    Reply
  6. Dave says:
    10 months ago

    I can’t say for sure about the phone spam, but I can only tell you that I signed up for the two-step verification and within 2 weeks my rarely used cell phone (which does not have internet capability and is used ONLY for emergencies or important calls to family members — only FOUR people know the number) started getting calls, eventually up to 8 per day ! The caller display said “unavailable.” I *never* got these calls before in the 4 years that I’ve had the phone !

    It may not seem like a lot of calls, but the fact that it’s an emergency phone (unshared number) and the fact that the ‘phone spam’ started so close to the Google two-step sign-up makes me wonder whether Google has been sharing my number with companies. I value my phone’s limited minutes, so this kind of thing is very annoying and upsetting.

    Reply
  7. Raymond says:
    10 months ago

    Someone gaining access to your email can already be a huge disaster because the unauthorized user can perform password recoveries on accounts that you signed up with that email. This will already cause you to lose access to many other accounts.

    It’s true about what you said on the secret answer. I personally don’t use the correct answer to the secret question, but the fact is there are many normal computer users who are not aware of it and use real answers to the provided question. Careful users like you and me are probably safer from such attacks, but there are many out there who don’t realize such problems.

    You only need to enter the pin code once every 30 days, and not every night.

    It’s a bit of hassle but it gives so much more protection to your Google account. It’s up to you to weigh the pros and cons.

    Reply
  8. Lewis says:
    10 months ago

    First, this is not the best way to do this. The verification should only be required if you (or someone) wants to CHANGE the password or the security questions.

    Second, re the security questions, just because the program asks for your mother’s maiden name, that doesn’t mean that you have to put that in when you set up the account. I have a (password protected) list of the answers I have given to these questions on various sites. For instance, for mother’s maiden name, I might have used Chicago on the Google site and Miami on the Yahoo site. For first pet’s name, I might have used Columbia on Google and France on Yahoo.

    I’d rather see a security key like Paypal uses. I don’t always have my phone in hand late at night when I am checking sites.

    Reply
  9. Raymond says:
    10 months ago

    @Zapped Sparky: Google has come a long way to be one of the biggest brands on the Internet and I believe the last thing they want to do is spam your phone. If you have an old phone that cannot install the apps, Google will still send the codes to you via text message and it’s free.

    Reply
  10. Zapped Sparky says:
    10 months ago

    I’ve been a bit wary of handing my mobile number over to Google, the last thing I want is phone spam :) That said it seems like a good thing, however I just have a plain simple phone. It doesn’t have “app” capabilities, it’s an old phone, but so far damn near indestructible so I’m not parting with it :) Will I be able to use it? More importantly, will I be charged to receive text messages?

    Reply
  11. Patrick says:
    10 months ago

    Thanks for moving me off my *** Raymond.

    Reply
  12. Lateralus says:
    10 months ago

    Yahoo needs to do this. I only use Gmail as a backup email account in the very rare occasion some site doesn’t like Yahoo accounts. Google is only as famous as they are because of their funny little name.

    Reply
  13. MausamDa says:
    10 months ago

    You can download the google auth app on android and ios to generate token offline.

    Reply
  14. RandyN says:
    10 months ago

    Started using 2-step a while ago because there were multiple attempts to login to my gmail accounts from all over the world. Since I started using this, that has completely stopped and I feel much safer. At times it can be a pain but it’s worth it.

    Reply
  15. jmjsquared says:
    10 months ago

    Thank you, Raymond. I was procrastinating doing this because “I don’t have the time right now” to go thru all the details. Just like putting off visiting my doctor because “I’m too busy right now.”

    Like a trusted friend, you gave me the push to do what is necessary… NOW.

    Thanks again.

    Reply
  16. Umut says:
    10 months ago

    Raymond, thank you for this great article! Didn’t know that.

    Reply
  17. Tony says:
    10 months ago

    More Secure.
    I am already using this.

    Reply
  18. Sina says:
    10 months ago

    Great article Raymond.
    I’ve been using 2-step verification for years and I feel SAFE.

    Reply

(c) 2013 Raymond.CC Blog