Wired writer Mat Honan fell victim to a brutal hack over the weekend. Through misplaced ingenuity and a smidgen of social engineering, hackers gained access to his iCloud account and wiped his iPhone, iPad, and Mac drives clean. The actual attack involved breaking into Honan’s Amazon account, and then using information found there to break into his iCloud account. Things only got worse from there.
Amazon and Apple clearly need to institute security policy changes to better protect their users. And Honan made mistakes of his own, most notably not backing up his Mac regularly. But the hackers’ initial entry point into Honan’s digital life was through, of all things, the “forgot password” functionality offered by Gmail. When they first plunked Honan’s email address into that form, Gmail displayed a redacted version of Honan’s MobileMe account: m••••n@me.com. Honan has plenty of “if only’s” on his mind, but one biggie, to quote Honan’s story for Wired, is this: If he “had used two-factor authentication for Gmail, everything would have stopped here.”
(Note: Google calls it two-step authentication, but “two-factor authentication” is just as common a name. We’ll use them interchangeably.)
Understand two-step authentication
First, let’s clarify what two-step authentication actually means. In Google’s case, it works this way: If you enable two-factor authentication, when you next log in to your Gmail account, you’ll first proceed as you always do—by providing your username and password. But before you get to your inbox, Google will next demand a separate code.
Of course, you won’t know what the code is offhand. Thus, for the second factor of authenticating that you really are who you’re claiming to be, Google will send a text message to your phone containing the six-digit code to use. (As we’ll discuss later, there are numerous other options for getting a six-digit code.)
Only after you’ve provided that code do you gain access to your inbox.
On the whole, the process sounds simple. And for simply logging in to your webmail account, it is. But added complexities can crop up, since some apps don’t yet support two-factor authentication—like, say, Mail on the Mac or iOS. That makes configuring Google’s two-factor authentication a bit more complicated.
Set up Google’s two-factor authentication
Go to Google.com and log in. Click on your name or photo at the upper right corner of the main Google homepage, and choose Account. Then choose Security from the navigation options at left. Now you can see the option you’re looking for: Click the Edit button alongside Two-step Authentication.
At this point, Google will most likely ask you to log in again. That’s for additional security. Enter your password, and click Sign In.
Next, Google will ask you to provide the phone number of the device you’d like to use. It’s understandable if you’re hesitant to give out your phone number, but note that Google promises it “will only use this number for account security.” You can provide a landline or a cell phone number, and you can choose whether Google should send codes to that number as text messages or via a voice call. (Note: You really shouldn’t use your Google Voice number, since you could get stuck in a Catch-22 situation where you can’t access your Google Voice account to get the code you need to log in to your Google Voice account.)
After you click to proceed, you should receive the text message (or phone call) within a few seconds. Type that code into the webpage and click to continue. At this stage, you’re nearly done with the initial setup. Google will want to confirm whether it should “trust this computer.” That setting is a bit misnamed; essentially, if you leave it enabled, logging in to Google on that Mac with that browser won’t add the second step for the next 30 days—unless you delete your browser’s cookies.
Fix everything two-step authentication breaks
Now, just when you feel like you’re finished, Google throws up a gotcha: Some apps can’t support verification codes. If you use a third-party email app to check your Gmail account via POP or IMAP, for example, that app won’t be configured to prompt you for the second step code.
Thus, for email apps—and Google Reader-using apps, and Calendar or iCal, and so on—you’ll need to configure special, one-off passwords instead. You can generate as many of these so-called application-specific passwords as you’d like. You provide a label (for your own records), like iPhone Mail, and then Google presents you with a 16-character password. You can never retrieve that password again, but it doesn’t matter. Don’t bother jotting it down. Copy and paste it (or painstakingly retype it) wherever it needs to go, and then click the Done button.
If you use more than one Mac, consider going specific with your application-specific password names, like Adium (MBPro) and Adium (MBAir). Because Google lets you revoke any application-specific password at any time, you can log in and revoke access to the apps on your MacBook Air should that get stolen, without giving yourself extra work on your MacBook Pro.
Don’t worry that you might be forgetting about an app or three. You’ll remember that you need to generate unique application-specific passwords for those as soon as those apps start prompting you to re-enter your password.
Ensure you can always access your account
Once you’ve configured all the necessary application-specific passwords, there are a few additional important steps to take. Go back to your Google profile, click again on Security, and then click to Edit your Two-step Verification settings. (Surprise! You’ll get prompted to confirm your password again.)
Near the top of the screen, look for the Backup Phones setting and click on Add a Phone Number. There, you can set other phones—your home phone, another cell—as backup numbers. That way, if you lose your phone for any reason, you’re not locked out of your Google accounts; you can receive your codes on the backup phones instead. (Presumably, once you did log in, you’d immediately go to your settings and change your two-step verification number.)
Once you’ve set up some backup numbers, find the Printable Backup Codes option and click Show Backup Codes. Doing so generates a list of ten eight-digit verification codes that you can use in situations where you don’t have access to your phone, or where your phone has no service.
Each of these codes can be used only once. Google suggests printing out the list and keeping it in your wallet. You might—might!—consider saving the list in Dropbox or somewhere else in the cloud, so that you can always get to it even if you’re without your phone or access to your Google account. Obviously, if someone then figures out your Google password and also breaks into your separate cloud account, they could then break all the way into your Google account, too. You can generate a list of ten new backup verification codes whenever you’d like, but doing so invalidates all of your old ones.
Google Authenticator
Instead of relying on text messages or phone calls, you can instead install the free Google Authenticator app. With the app installed, you can generate verification codes even when you have no active network connection. That is, the app can generate codes even when there’s no Wi-Fi or cellular signal available for your phone.
First-time setup of the app is a bit confusing. Ignore the login form, and instead tap the Scan Barcode button at the bottom of the screen. (If it’s not there, tap the Plus (+) button first.)
Over in your Google Two-Step settings, find the Mobile Application section, and click on iPhone. (There are also apps—and thus links—for Android and BlackBerry phones.) Point your phone at the QR code that Google presents on screen, and the app will configure itself for your Google account. Now, when you need a verification code, launch the app, and it will present you with a new one to use.
Security blanket
Two-step authentication is annoying, a bit tedious to set up, and makes more work out of the seemingly simple act of logging in.
Of course, locking your doors or buckling your seatbelt takes a little extra energy, too. We make tradeoffs to ensure our safety, and digital safety is increasingly becoming just as important as physical security. If you rely on Google’s services, two-step authentication is probably worth the hassle.
Lex Friedman is a staff writer for Macworld.