We’ve previously written about why two-factor authentication (or 2FA) is a good idea – it’s an extra layer of security to help protect your information on sites you use frequently.
If you’d like to get started with 2FA but aren’t sure how, this is part one of a series that will walk you through how to set up this service with popular websites and services.
Today, let’s set up 2FA for Gmail. It only takes a few minutes. All you need is your desktop computer and a mobile phone.
Here are the steps:
1. Log in to your Gmail account on a desktop computer (not a phone) – but keep your mobile phone handy, you will need it in a few steps.
2. Once you’re logged in, click the round icon showing your Google Account photo (or the first letter of your first name) – it’s at the very top right of the screen. Then click “My Account.”
3. Now you’re in the My Account area of Google. On the left side, under “Sign-in & security,” click “Signing in to Google.”
4. On this “Signing in to Google” page, you’ll see an option for “2-Step Verification” – which at the moment should say “off” – click this to begin the process of turning it on.
5. Click “Get Started” on this handy little introductory screen.
6. Google will prompt you to re-enter your password.
7. At this screen, you’ll need to enter your phone number, preferably a mobile one that you’ll often have handy. (Make sure you select the correct country where your mobile phone is registered from the drop-down list!) Select whether you prefer a text message or a phone call, and then click “Try It.”
8. Within a moment, you should receive either a phone call or text message – depending on which one you selected. Enter the numerical code you were given, and hit “Next.”
9. Google should now confirm that 2FA will work for your account, and ask whether you’d like to enable it. Make sure to click “Turn On”!
And with that, two-factor authentication is enabled for your Gmail account.
You’ll also receive an email to your Gmail account confirming this:
Next time you try to log in to this Gmail account, after entering your username and password, you’ll see a screen like this:
You can select “Don’t ask again on this computer” if you’re on a computer you trust, such as one you have at home, but it does somewhat defeat the point of having 2FA in the first place.
All in all, it takes less than 5 minutes to get 2FA set up on your Gmail account – and it’s something we highly recommend, especially if you use Gmail for important transactions or billing.
Hi
Can I suggest that you expand this to explain how to generate app-specific passwords for things like the Gmail app on your phone etc.? I suggest this because I once attempted enabling 2FA, and disabled it again as I found the process of getting one-time use passwords for all the apps that didn’t support 2FA too arduous and confusing.
Thanks,
Jono
That’s a great question – I think it might merit its own post.
nice article thanks for teaching me to be more secure
It is good to see a step-through of how to set up 2-factor authentication, but I would recommend users who have a smartphone use the Google Authentication app instead of SMS-based codes.
On other websites that insist on using SMS codes (LinkedIn, UK tax returns), I frequently have difficulty logging in because the SMS message with the code does not arrive promptly. By contrast, the Authentication app is always available instantly.
The other thing that has been missed out is the need to make sure account recovery works. By locking down your Google account, you make it much harder for yourself to get it back if you lose your phone. I think it is very important to set up a backup phone number (perhaps a trusted family member), a backup email address (your work email), and to download and print out the recovery codes, and store them in a safe place.
This is a really good point. I’m a fan of the Authenticator apps myself as well. I do find that they have a higher barrier to entry, but I will be covering them in my next post. Thanks for your feedback!
I tried the Google Authentication app and had issues getting it to work. I don’t remember what it was but I do use the 2 Factor Authorization on G-mail, Facebook, and Twitter. I’m not on any other social media. I only actively use Facebook & Pinterest, while Twitter & Instagram are only when & if I remember to check them. I’m not very tech savvy either.
Would be nice to see alternatives to using a device that will eventually break or might get hijacked/infected for a 2 factor. Like a Master password to make account changes, 25 character master password maybe. Or a letter sent to a real mail address upon request if hijacked.
How does GMail 2FA work if GMail is being used as a POP account to forward everything to Outlook on the user’s PC? I use Outlook as the central collating point for e-mails to all my e-mail addresses, GMail or otherwise.
2FA only works for people who have mobile phones and do texting. Techno “Luddites” need a viable alternative, as well as those who do not want to give away their mobile phone number or who do not want to depend on their phone and poor or unreliable mobile phone service for access to sites.
Please cover methods that don’t require giving up the identity of your Personal Tracking Device. The Sophos blog has documented how companies are using location data from mobile phones to target advertising; requiring SMS for 2FA is just another way for companies to extract that data. There are alternatives but it seems everyone likes to ignore them since they don’t generate advertising revenue.
I value the ease of logging into my gmail account using a client application such as Apple Mail or Outlook. I wouldn’t want a time-consuming hassle such as this, where there is far more to go wrong, and the fear of entering something wrong and being locked out. My emails rarely need to be private anyway.
One cannot use Mac mail if they set up 2FA on Gmail, which Apple freely admits.
You cannot use Microsoft Outlook (mine is 2010) with Gmail 2FA now. I am attached to my Outlook system for keeping mail I might have to refer to, so I have had to give up 2FA (which worked just fine before 6/23).
Thanks for your post.
Since the 2FA is mobile phone based (either by SMS or by the app), what happens when you lose your phone or it is damaged? Can you get a new phone with the same SIM card and be able to access your 2FA?
Swapping SIM cards is indeed possible – you need to do it if you buy a new phone that takes a differently-sized card, for instance, or if your phone is lost, stolen or dropped into Sydney Harbour and ruined by salty water. (It happens.)
Your mobile phone operator will encode a new SIM card with your subscriber identity (your “phone” number), and the old SIM will no longer work. In theory they ought to make a more-than-casual effort to identify you, to prevent someone else pulling the digital rug from under your feet.
In practice, though fortunately it’s fairly rare, SIM swapping is a trick that crooks can use to take over your digital life. Your phone goes dead and theirs lights up in its place, so the crooks get your calls (and can call out as you), and receive your messages, including your SMSes.
We wrote about how to protect against unlawful SIM swaps (there are different protections available in different regions) here:
https://nakedsecurity.sophos.com/2016/06/14/deray-mckessons-twitter-account-hacked-with-just-his-name-and-four-digits/
Very informative article, thanks for sharing.
Those complaining it cannot be used with certain mail applications are overlooking the feature to generate single-use application passwords, which can indeed be used for just that purpose. While not 2FA, these randomized strings, used a single time, generally afford enough protection for the service in question. Balanced with the careful use of trusted devices and browsers, it’s possible to get better security without it being an onerous undertaking.
What if I’m using Mozilla Thunderbird to receive and send e-mails? This program provides GnuPG encryption and signatures (after installing the Enigmail extension and the GnuPG program) – it’s also important for privacy and security. Of course Google doesn’t provide it in its apps, because they wouldn’t be able to spy on users… If someone wants to log in to GMail with something other than the official GMail mobile app or a web browser, they have to enable it in the account’s settings, making it “less secure”. However, Facebook is even worse – for some time I was using the ChatSecure app (it’s open source and provides optional end-to-end encryption) to connect with Messenger, but they blocked their API, so now it’s impossible at all.