Online accounts such as Google are a major target for criminals, and yet a disturbingly large number of people protect this asset with little more than an email address and a weak password. The simple solution is to use a longer and more complex password, but this isn’t fool-proof. Hackers can sniff passwords using keyloggers, while data breaches furnish them with the email addresses needed to attempt a social engineering (i.e. phishing) attack in which the user is tricked into handing over their credentials.

A few years back, entering passwords over unencrypted Wi-Fi when using public hotspots was another weakness, although major services including Google now enforce SSL by default, so this at least is no longer an issue unless someone shoulder surfs.

Of course Google already offers a simple way around all of this which is to use the firm’s 2-Step Verification setting which can be found by accessing the user’s account/security settings tab and simply enabling it. Alternatively, Google has a landing page.

It’s free and it significantly enhances security on a Google account, so why don’t more people use it? Most likely there are two reasons: a lot of people have never heard of it, or they have heard of it but are convinced it will make logging in slower and less convenient. In fact the latter worry is unfounded as long as it is set up correctly.

A strong password is still essential

Before diving into the detail it’s important to underline that using 2-Step Verification is not an alternative to using a strong password. As with all authentication systems, Google’s 2-Step Verification is designed to work in tandem with a strong password so that each form of authentication protects the other.

Two-Step Verification is not a magic forcefield

Just because a user chooses a strong password and enables 2-Step Verification, this is not 100 percent protection against a successful hack. As this technology becomes more popular, criminals will inevitably start attempting to phish verification codes in the same way they currently do user names and passwords, probably by persuading users to load bogus mobile apps on their smartphones. For this reason Google has now launched a Security Key system, discussed at the end of this article.

Enabling 2-Step Verification

The first task when turning on 2-Step Verification is to check the strength of the Google account password. A good place to start is with a random string of at least 12 characters, including upper and lower case letters, numbers and, ideally, symbols. Most security-conscious users store passwords in an online or offline database, but it’s important that this password isn’t too long and hard to remember because it will still need to be entered manually from time to time.

By default the computer used for the initial sign-up is treated as a trusted device (i.e. the user isn’t asked for verification from this device after the initial registration), with the same option available for every subsequent device. There is a balance of security and convenience at work here – trust too few devices and you’ll need to enter an authentication code every time you log into Gmail but enter too many and security reduces.

Set a backup number

Anyone receiving the verification code via SMS should enter a backup phone number in case their mobile is lost or not to hand, which can be either a second mobile (contactable by SMS) or an old-world home phone number (contactable by voice).

Application verification

Third-party apps also need to authenticate themselves to a Google account, for instance the Gmail app on Apple’s iOS or Outlook. Normally this will be the Google password, but turning on 2-Step Verification requires a second 16-digit code to be entered too. This will only need to be used the first time, although a new one will be needed if setting up the same access from a second device.

Print or store backup codes

What happens if the user doesn’t have access to the primary or backup phones or devices? This is most likely when travelling but can happen at any time. In this case, but also as a last-ditch line of security, Google makes it possible to print out (or securely store as a text file) a series of 10 backup codes, each of which can be used once. Once these have run out, more can be generated, voiding any of the old ones that haven’t been used.
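The single-use and regeneration behaviour described above, as an added illustration (not Google's code): each code is stored only as a salted hash, redeeming a code removes it, and generating a new set voids every unused code from the old set. The 8-digit format is an assumption for the example.

```python
import hashlib
import secrets


class BackupCodes:
    """Server-side store for one account's single-use backup codes (example model)."""

    CODE_COUNT = 10          # the page: a series of 10 backup codes
    CODE_DIGITS = 8          # assumed format for this example

    def __init__(self) -> None:
        self._salt = secrets.token_bytes(16)   # per-account salt
        self._hashes: set[bytes] = set()       # only hashes are kept, never the codes

    def _hash(self, code: str) -> bytes:
        # Codes are short, so use a deliberately slow hash in case the store leaks.
        return hashlib.pbkdf2_hmac("sha256", code.encode(), self._salt, 50_000)

    def generate(self) -> list[str]:
        """Issue a fresh set of codes; unused codes from the previous set are voided."""
        codes = [f"{secrets.randbelow(10 ** self.CODE_DIGITS):0{self.CODE_DIGITS}d}"
                 for _ in range(self.CODE_COUNT)]
        self._hashes = {self._hash(c) for c in codes}   # replaces, not extends
        return codes   # shown to the user once for printing or secure storage

    def redeem(self, code: str) -> bool:
        """Accept a code exactly once; a second use of the same code fails."""
        digest = self._hash(code.strip())
        if digest in self._hashes:
            self._hashes.discard(digest)   # burn it
            return True
        return False

    def remaining(self) -> int:
        return len(self._hashes)
```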

And Google Authenticator?

Google isn’t the only one offering two-factor authentication, of course: equivalents exist for Twitter, Facebook, Dropbox, PayPal, Microsoft, Yahoo, WordPress and a growing number of others. Some of these offer their own systems while others require users to use something called Google Authenticator, an app that runs on Android, iOS and BlackBerry devices. Some also allow the user to choose.

The point of Authenticator is that it provides a simple multi-platform way to do what 2-Step Verification does for multiple sites, which saves the user a lot of time. Google Authenticator can also be used as an alternative to SMS authentication and has the advantage for mobile users that it can generate verification codes even while offline.

Google Verification Key – better or just different?

Google’s latest announcement is that users can carry out 2-Step Verification using a physical USB Security Key based on the Universal 2nd Factor (U2F) protocol from the FIDO Alliance. Superficially, this is just another way of doing the same verification discussed above, but it has a major advantage: the technology verifies that the Google site is genuine, cutting out the possibility of phishing attacks. That remains a weakness of the password and 2-Step Verification system described above.

At the point where a verification code would normally be entered, the user inserts the security key and presses a button on the key, which sets up an encrypted key exchange. This means that each physical key must be assigned to a single account and must be de-assigned should the key be lost. If the key is found by a stranger it contains no data that can be used to identify its account holder.

The limitation of this approach is that it only works with Google’s own Chrome (version 38 or later) and with most, though not all, of Google’s own sites and services – Google Apps for Work is not supported yet, for instance. This will change over time as more support emerges. It also doesn’t work for devices lacking a USB port, although users can still fall back to conventional SMS verification codes if they need to. A final drawback is that the key costs from $5 to $20 each, and in countries such as the UK they are only just coming to market, Yubico being the current market leader.

Google’s Security Key FAQ here.