Sophos Cloud Optix
Last week, Google rolled out two-factor authentication prompts to its updated Gmail app, all in the hopes that more people using Google products will use two-factor authentication to protect their accounts, and that users will choose prompt-based authentication over less secure methods, like SMS codes.
Why turn on two-step verification (also known as two-factor authentication, or 2FA)? Because a password, even a strong one (which you aren’t using anywhere else, are you?), isn’t enough to keep your account secure.
If the service you’re using offers 2FA, you should enable it — it’s another layer of protection on your account that stops someone who can steal or guess your password from getting access.
The beauty of what the Gmail app offers is that it makes two-step authentication easier to use.
Instead of waiting for an email or SMS to appear on your phone, or setting up an authentication code on a 3rd party code generator, and then typing in the code you receive or generate, it’s just one touch to authenticate.
In this case, you simply open Gmail app, which will ask if it’s you trying to sign in on a new device. You just hit a button to confirm, yes, it’s actually me trying to sign in to my account on that computer.
Ease of use is important because, for all the security benefits that 2FA brings, Gmail users just haven’t been using it.
The prompt-based approach to 2FA is something many organizations, including Google, have been pushing for a few years, as the SMS-based 2FA method can be vulnerable to fraud. It is better than nothing, but push-based methods—like the Google prompt—are more secure, and easier to use.
If this is something you’ve held off on doing, here’s how to get the prompt-based 2FA set up on your Google account. (Note that the setup is slightly different for Android and iOS users.)
Android users: Google Play Services deliver the prompt on your phone, so make sure your version is updated for this feature to work.
iOS users: The Google prompt works on iPhone version 5s and higher via the Google app and now the Gmail app as well.
First, you’ll need to navigate to the two-step authentication setting on your Google account on a computer (for Android or iOS users), or via the settings within your Google app (for iOS users). To find the 2FA setting from either a computer or the app, go to the settings of your Google profile, and select “signing in to Google” from under the Sign-in and Security area.
The screenshots below are from iOS on an iPhone 7, but it’s very similar when going through this process on a computer.
In the “signing in to Google section,” click the “two-step verification” option and hit the “try it now” prompt.
You’ll now see what the prompt looks like:
If it was you trying to sign in, hit “Yes,”.
You’re not done yet though! The app will ask you to confirm that you want to turn this feature on, so tap “turn it on.”
Now you should be ready to go with the prompts on your Google account, and the 2-step verification screen will show you that Google prompts are enabled, along with any other prior 2FA methods you may have enabled (like the Authenticator app, SMS or physical keys).
If you have notifications enabled for the Google app, next time you (or anyone else!) tries to sign in to your Google account on a new device, you’ll be pinged to open the app and verify that it’s you. If you don’t have notifications enabled, you’ll need to open the Google app yourself to verify the login.
I have set up prompt based 2FA some time ago and it really asks me on the phone (Sony Xperia XZ) if i am currently logging in on the computer (latest Chrome on Windows 10). But when hitting “yes” it says on the phone that access on the computer will be granted but on the computer nothing happens. Retrying it or waiting some time does not help. I have this problem since months and always have to use a fallback solution like SMS code which then works.
So this would be a good solution if it would work.
I’ve used SMS 2FA for a long time. I just now enabled Google Prompt, and it worked seamlessly**
Android, Google Chrome on Linux Mint XFCE (all updated), so YMMV.
** Though when I hit [yes] on the phone, the workstation said “it worked, you’re all done” instead of asking if I want to enable it. I figure this is since I’d already been using 2FA, and it’s not as significant a disruption of process to merely shift the method of out-of-band auth.
If people want security, they should use Google AP…
You must have heard this before, but what happens if I don’t have my phone available? For example, it has been stolen and I am trying to email people on a computer I haven’t used before. What’s the answer to this kind of situation?
You have back-up codes you may print and/or download, as well as alternative ways to get the one time use code (alternative mobile, landline).
For that scenerio, one must have an alternate recovery email. Basically one has to be protected several ways.
You can have backup codes generated and then store them in a physically secure space.
You can set an alternate email I believe as well.
Versat’s comment is the same on my computer when I use it in Outlook. When I turn off the two-step authentication Outlook will then send my Gmail.
They do not play nicely together so unfortunately cannot put 2-Step authentication on Gmail as I use Outlook on my computer. Would be nice if that could be corrected as everyone wants more security why Outlook try to prevent Gmail from using this feature to work
Whenever you have enabled 2 step verification and want to use applications like outlook, you must create an app based password. Basically from your google account under the sign in you will find an option to create app passwords. You create passwords and use them. It works!
Hmm… I set this up back on January 27th of this year.
This has been an option for a good bit over two years now. I personally like using a YubiKey as my 2FA.
This is YEARS behind Microsoft–both on this long-overdue authentication step and in the new security features of GMail.
I have been using 2fa security on Gmail for several years. When on my desktop and accessing my account under sign-in security I see no way to set the prompt option. I see references to an app above. Maybe I am missing something there?
Rats. I have a Windows Phone, and as we know, Google and Microsoft share mutual enmity, so Google’s Authenticator is unavailable in the Microsoft Store. Too bad this doesn’t work with anything other than Google’s own code generator. (If it does, please kindly point me to where I can learn how to proceed with setup.)
AFAIK There’s no “magic” about the Google Authenticator that means you need Google’s app to generate the needed codes for Google’s services. The authentication itself is just TOTP (short for Time-based One Time Password, not the long-running British TV programme Top Of The Pops).
The software combines a unique seed (the weird code you enter to initialise the sequence when you add an account to the authenticator app) and the current time, rounded off to 30 seconds, to make the code for each login. That’s why the codes change twice a minute if you sit and watch the app running.
Sophos Authenticator (available as a stand-alone app or built into our free Sophos Mobile Security tool) will do the trick – it’s what I use – but sadly we don’t support Windows Phone any more either.
Microsoft ought to have an app you can use… TOTP support is what you need.
You’re absolutely correct. I somehow completely missed the option to scan a QR code into any authenticator. Hopefully Microsoft’s Authenticator doesn’t fail on me…