Your email account is probably the most important account you have on the Internet, and not only because you use it to exchange messages. Most services you sign up for, and most software you buy online, require an email address so that you can recover a forgotten password and so that the publisher can send you your license information. If you lose control of your email account because someone has hacked it, the attacker can gain access to all your other accounts, such as Facebook, Twitter and Dropbox, simply by running a password recovery on each of them: the newly generated password is sent to the email address the attacker now controls.
One of the most common tricks used to gain unauthorized access to an email account is guessing the answer to the secret question. Sometimes the secret question is not really secret at all, because it asks for something like your mother's maiden name, which any family member would know and which a stranger could find out through social engineering. If you haven't realized it yet, you have a lot to lose when your Google account is hacked, because a single Google account is used across all of Google's services, such as AdSense, AdWords, FeedBurner, YouTube, Google Wallet and Google Drive. As much as you try to keep your Google account safe, there will always be a risk of your Gmail account being stolen.
I recently learned that Google has implemented 2-step verification, a very effective way of preventing your Gmail account from being hacked by tying the account to your phone. A password can always be stolen, either through your own carelessness or by malware such as a keylogger, but one thing they cannot steal is your phone, which is physically with you. Even if a hacker has your password, they still won't be able to log in to your Gmail account, because they do not have the additional time-limited PIN code, which can only be generated from your phone.
Matt Cutts, the head of Google's Webspam team, has said that he would not trust his Gmail account without two-factor authentication and that he would feel naked on the Internet without this sort of protection.
The same concern comes up with the excellent LastPass: some users don't want to use a cloud-based password manager because they are afraid of storing their passwords online. Personally I'm not worried about it, because I have associated my LastPass account with a physical YubiKey. If someone knows my LastPass master password, they still won't be able to log in to my LastPass vault without the YubiKey that is physically with me. In fact, a few months ago when a Google account manager came to meet me, I noticed that she had to plug a YubiKey into her MacBook before she could access her private Google account.
If you're convinced that turning on 2-step verification will greatly improve the security of your Gmail account but are worried about the difficulty of setting it up, let me walk you through it.
1. First, visit your Google account's security settings page at https://www.google.com/settings/security and log in if necessary.
2. 2-step verification should show the status OFF. Click the Edit button next to it.
3. Click the Start setup button.
4. Enter your phone number, select how you want to receive the codes, either by SMS or by voice call, and click the Send code button.
5. Google will now send a text message to the phone number you entered if you selected SMS, or will call you and read out the code. Enter the verification code and click the Verify button.
6. Google will now ask whether you'd like to trust the computer you're on so that it only asks for a verification code every 30 days. Keep the checkbox ticked if you're on your own computer. Click the Next button to continue.
7. Click the Confirm button.
8. Google will now inform you that some applications may need new passwords because they do not support 2-step verification. For example, if you use an email client such as Outlook to check your Gmail, you will have to use a randomly generated application-specific password, because the client will no longer accept your normal Gmail password. You will, however, still use your normal Gmail password, not the generated one, to access Gmail on the web.
9a. Once you're on the 2-step verification settings page, I strongly suggest that you add a backup phone number in case you temporarily lose access to the primary phone number associated with your Google account.
9b. Install the mobile application so that you can also generate the PIN codes on your phone when you don't have cell coverage. Currently it only supports Android, iPhone and BlackBerry, not Windows Phone.
9c. Do print out the backup codes; they are really useful when you have access to neither your primary nor your backup phone to generate codes. Backup codes do not expire but can each be used only once. You can always generate 10 new backup codes; doing so disables all previously generated codes, and only the latest set will work.
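Step 9c describes three properties of backup codes: they never expire, each works once, and generating a new batch invalidates the old one. The store below is an added example, not Google's code or code from the original post, modelling those rules on the server side; the eight-digit format, ten codes per batch and the keyed-hash storage are assumptions made for the demo.

```python
# Added example, not from the original post: a small server-side store that
# models the backup-code lifecycle described in step 9c. Code format (eight
# digits, ten per batch) and the hashing scheme are assumptions for the demo.
import hashlib
import hmac
import secrets
from typing import List

CODES_PER_BATCH = 10
CODE_DIGITS = 8


class BackupCodeStore:
    """Holds one batch of single-use backup codes for an account.

    Only keyed hashes are stored, so a database leak does not reveal usable
    codes; the batch key is rotated whenever a new batch is generated."""

    def __init__(self) -> None:
        self._batch_key = secrets.token_bytes(32)
        self._hashes: set = set()

    def _digest(self, code: str) -> str:
        # Users type codes with spaces or dashes; normalise before hashing.
        normalised = code.replace(" ", "").replace("-", "")
        return hmac.new(self._batch_key, normalised.encode(), hashlib.sha256).hexdigest()

    def generate(self) -> List[str]:
        """Issue a fresh batch. Any previously issued codes stop working."""
        self._batch_key = secrets.token_bytes(32)   # old hashes become unverifiable
        codes = set()
        while len(codes) < CODES_PER_BATCH:          # ensure codes are distinct
            codes.add(f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}")
        self._hashes = {self._digest(c) for c in codes}
        return sorted(codes)                         # shown/printed once to the user

    def redeem(self, code: str) -> bool:
        """Accept a code at most once; codes never expire on their own."""
        digest = self._digest(code)
        for stored in list(self._hashes):
            if hmac.compare_digest(stored, digest):
                self._hashes.remove(stored)          # single use: consumed on success
                return True
        return False

    def remaining(self) -> int:
        return len(self._hashes)


if __name__ == "__main__":
    store = BackupCodeStore()
    batch = store.generate()
    print("printed codes:", batch)
    print("first use:", store.redeem(batch[0]), "second use:", store.redeem(batch[0]))
    store.generate()
    print("old code after regeneration:", store.redeem(batch[1]))
```

The printed sheet is the only copy of the plaintext codes, which is exactly why the post says to print them: the server keeps hashes, and a used or superseded code is worthless to anyone who later finds the sheet.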
Now that 2-step verification has been turned on for your Gmail account, logging in to Gmail from other computers will prompt for the verification code. On your own computer you will only be asked once every 30 days, provided you previously allowed Google to trust it.
This is a great initiative by Google to further enhance the security of our Gmail accounts for free! If you haven't enabled 2-step verification for your Gmail account, I suggest you do it as soon as possible.