 
Whether or not your account has ever been compromised, it's still a good idea to make sure you're taking precautions to keep your account safe. 2-step verification adds an extra, but still quick, step that has you enter a numeric code in addition to your password when signing in, making it even more difficult for unauthorized users to find their way into your account.

Learn more here: http://goo.gl/qpY26
 
I set this up last night after reading that article on the +Amazon Lovers Fan Page and Deal Watcher and Apple security holes. It was a bit bothersome because I hadn't realized how many different types of +Google products I was using between my MacBook Pro and my iPad. But I feel better with more security.
 
I've been using 2-step verification on my google account ever since it was available. Thanks for providing this additional security step. I wish all of my accounts offered similar. I'll take security over convenience.
 
AKA how to keep China out of your Google business.
 
Did it today. Now can you please buy Amazon and Apple and make them implement 2-step verification. Thanks
 
Works great, I've installed Google Authenticator a few months back. 
 
The 2-step verification page said that it wouldn't work on tablets, but it worked fine on my Nexus 7. Is it a fluke or is the page just a bit outdated?
 
I tried this and I have numerous devices; each time I opened a Google product, i.e. G+ or Chrome, they want the 2-step verification information.
 
I suspect “user security” is not the only motive behind Google’s wish to get my phone number. They can easily match locations with phones and generate a map of people’s actual location, much more precise than with an IP.
Greg S.
 
It kept an earlier phone of mine from ever picking up my gmail.  I'll have to see if it works any better on my current (Android/ICS) phone.
 
Love the service and would like more sites to use it. I wouldn't mind being able to get an actual authentication device, like an RSA token my company gives. My phone has broken twice and each time I had to reset everything. WoW creators, Blizzard, gave the option of a device and it works like a charm (only $2). I would pay for that additional peace of mind.
 
Has been working fine on my Nexus 7 too. Not a fluke, I think. 
 
I just have much too many devices; I'll wait for fingerprint or iris identification to feel safe. Presently I decide to live on the edge.
 
+Henning von Vogelsang can you elaborate? Because it sounds like you are talking nonsense. A phone number itself does not provide a location at all. You don't need a smart phone with GPS to make use of #2step.
 
+Henning von Vogelsang They already have that. It's called Google Latitude. Pretty handy actually.

+Lloyd Bosworth I don't understand posts like this... You sign up for social networks (Google's network no less) but you are worried about them having your phone number? 

+jens sudip nandi Fingerprint technology is not as secure as people think... They do have facial recognition on newer machines but that isn't entirely secure either. I would still rather have a public/private key system, which this kind of imitates.
 
No no no, that's not user friendly. Why don't you just link the Google account exclusively to specific devices via IMEI code and device IDs? It would be easy to use like a MAC filter on a router.
 
+Henning von Vogelsang how should this phone number help Google track your location? If you use any Google services on a smartphone (preferably an Android device) they'll have your location information anyway... and if you don't: I don't think Google has already gained access to any location information provided by the network operators? But please correct me if I am wrong.
 
They don't have my phone number yet. And I am not paranoid, but also not naïve. Location is vital for advertising, which is the current reason for Google’s existence.
 
+Gmail One thing it asks is if I clear my cookies, which I do often.  Why does that matter?
 
+Hüseyin Arslan you can't seriously think browsers should be able to access this kind of information... then you would surely be hacked!
It works great with two-way authentication with mobile - I've been using this for a long time.
 
No, I'm talking about devices and their specific Mac addresses. It's the best way to solve the problem for the average user. +Benni Bennetsen
 
Excellent service! Thanks, Google!
 
+Patrick Lynch it asks because if you don't delete your cookies Google will keep a cookie identifying your device as "trusted" and therefore it won't ask for your security code for 30 days (if you check this option on login). If you clear your cookie information regularly you'll have to enter this code every time you log into your account.
 
+Hüseyin Arslan MAC addresses can be changed depending on the hardware. There are several network card manufacturers that allow MAC addresses to be rewritten. So that is not an entirely reliable way, either.
Greg S.
 
It's still inaccurate.  Nothing in my house responds to pings.  I guess they could tell where my ISP's last-hop router is located though!
 
Thanks +Chris Gnida I was assuming it had something to do with not having to enter the code every time.
 
+Jeremy Perez doesn't matter. They just have to check when asked if they want to use MAC filter and Google will do the rest like my router does already. +Thomas Aschemann but they first have to get your MAC address. It's pretty secure.
 
+Greg S.: Good point. I meant to say “I did not give them my number”. What they don’t have is the match between my laptop at home (with a dynamic IP) and my phone number. And apparently Google is not smart enough to guess my language based on my behavior patterns, so I think I am on the safe side. ;)
 
It is easier to lose your phone than to get cracked, making you potentially a victim of the 2-step lock.
 
+Hüseyin Arslan MAC address does not cross LAN boundaries.
And if it could cross LAN boundaries, I still want to check my account from several machines/devices without need to configure any MAC.

And as +Thomas Aschemann says, it isn't an entirely reliable way.
 
+S. J. Cait how do you figure? Losing your phone doesn't provide the password needed to log in. They would only possess 1 of 2 parts.
 
+S. J. Cait there are provisions you set up so you can still access account if without phone. I've used 2 step for about a year even in cases I didn't have my phone.
 
Can you set up Google whatever it is called to accept donations?
Sean M
 
+Hüseyin Arslan and +Jeremy Perez, from a networking standpoint, MAC addresses (of attached devices) won't leave a local network. So, to use them for identification would require appending them elsewhere in data traffic. And, as +Thomas Aschemann mentions, it is not that hard for MAC addresses to be spoofed or changed. How much trust can we really put in them, then? 
 
I know this is great, but it gets annoying
 
I love this as a security feature (it helps me sleep at night), but the swear jar gets full when browsers expire. Can we have a verification code per device, rather than each app on each device?
 
+Lloyd Bosworth I'm just saying that any info you post, message or email is logged somewhere. So even if you don't directly give your info to a "profile", they may have the information from another source. I just don't understand the tin foil hat mentality where people expect and demand privacy on the Internet. It's the Internet... an internetwork created for the sole purpose of sharing information.
 
+Brent Drew if I have to put in a 6-digit number every 30 days in return for knowing that my account will not be compromised, I do not see that as annoying at all. It's a life saver really!
 
No issues with re-entering the verification code every 30 days, but I use multiple browsers on the same device. Each browser needs a separate code. So I require up to 3 codes per 30 days which expire at different times. It can get annoying, but overall, love the security feature.
 
I've been using this feature for a while now.
 
If I understand correctly, a cell phone is required. However, many of my users do not have them. 
 
Two step verification was awful for my phone. Desktop and laptop was fine, but every thirty days I'd have to re-verify on all the apps on my Android. If I didn't have a laptop handy to get the codes, it was quite the pain in the ass.
 
I set up an app specific password for gmail  like it said on the video and hey it works. I'll see after 30 days.
 
Been using it for a while now. Love it!
 
I added the 2 step a while back. Sometimes I would think it was annoying but with things like what happened this week I won't be thinking that anymore.
 
+Philip Weiss once you have 2-step verification activated, you should be logging into the apps with the app specific password. Those don't expire. You create a new one for each application you use and once you're done with the app, you can simply delete it. This way the app won't even know what your real password is. Or if an app or site is compromised, you just delete that app password and don't have to worry about changing your Gmail password.
 
After reading about the writer who lost everything through his Apple account, I did this.
 
The only annoyance in 2-Step is the fact that you have to reset application specific password for all apps and devices
 
Get it done, it's easy to do and just feels secure.
 
Yeah and every time you change an android device
 
I like the fact that even in securing your accounts there are personalization options offered. Well done, Google! :)
 
When you change your system date to a future date... then your 2-step verification code will not work... Beware!!
 
+Kannan Babu, IIRC, the Authenticator app recently received an update to circumvent this (AFAIK, it uses time servers).
+Gmail, do you have more information?
 
I tried this out... it told me that desktop Picasa would need an application specific password.  However, when I logged out of picasa and tried to log back in, it refused the application specific password and instead insisted that I use my normal account password with a 6 digit code.  I of course checked "remember this computer", but the next test I did by logging out/back in to picasa again required another 6 digit code.  This is all after Google said that applications like picasa need an application specific code.  Google needs to make sure this process actually works the way they say it will, because right now I don't trust it very much.  It's going to be extremely confusing to the average user.  
 
I haven't tested out Chrome sync or GEarth yet, and after Picasa failed to work as they said it would, I'm hesitant to even try.  
 
The one thing I don't like about the application specific passwords is that if they are compromised somehow, there is no monitoring of them. The specific password allows full login to account, however, if there is any malicious abuse of them, the user has no way of knowing. They are hard to guess, but not invulnerable to theft, for example by a virus reading the password saved into Microsoft Outlook, and then being able to access my account from some random country without me ever knowing. They should also detect activity, even with correct password, from random IP addresses and such. Or allow me to set, that any access outside certain countries is not me etc.
 
Plus there is some confusion, setting up application specific passwords with Google Chrome Sync first asks you to enter your normal password..!
 
I just tested this out with Google Earth.  Essentially the same experience with Picasa - it insists that you enter a 6-digit code, every time you login.  And with GoogleEarth, you have to login every time you start up the software.  At least I do; would love to know how to make it automatic.  

Having to open up my phone to get a code every time I login to GEarth or Picasa is a huge pain.  
 
+Ryan Goldstein Cheers Ryan, thanks for pointing that out, it's a useful start but I think it also needs Last IP Address / Country as a bonus as well as date, and a mechanism to automatically lock unusual access on that password. Having today's date listed for each one doesn't tell me if my iPhone checked my mail, or someone else did using the same password. Because there's no guarantee of secure password storage in these applications, the security comes with detecting irregular access. :-)
 
+Charles Carrigan as I understand, the general rule is if it's a Google owned website then you use your regular password+6 digit code. Any 3rd party site that will ask for a Google login will use the app specific password. This applies to apps (Google owned or 3rd party) and devices on Android also. I know it can get a bit confusing sometimes.
 
I am having trouble getting google notifier to work after setting up 2 step.  I can't find a place to enter the generated password in notifier itself.
update: uninstalled and reinstalled notifier entering the generated application specific password.  It works.
 
+Sam Kelleher I have the same feeling about application passwords also; it's a password that grants access to your Google account. At the moment, there is no way to know what the app or site did to your account with that password. However, I don't think you can use the application specific password to login to Google from the browser.

There should be some method to grant only certain access to the account on a per password basis, or like you said, at least some way to show what information was accessed and from where. But like what others have said, it's a start. There is definitely room for improvements.
 
I think this is an amazing security feature and I wish all companies that deal with cloud/email/public would allow this feature on their ends. It would make everything that much safer on the web.
 
+Kin Chau that's fine, but the idea behind this was that you would only have to input the 6-digit code or the app specific password once for your own personal computers.  That way it prevents someone from logging into your account from some other computer, but doesn't get in your own way on your own computers.  My experience with Picasa & Google Earth shows that this isn't the case, and instead, every time I login with those applications I'm going to have to enter a 6-digit code.  That's incredibly annoying, esp. since I use picasa & GEarth regularly on three different PCs.  I don't mind setting each one up one time, but every time I login?  Ridiculous.  
 
You lost me after two minutes of instruction
 
If I'm forced to re-enter codes every 30 days even on machines I haven't changed, it's more hassle than it needs to be, and you're doing it wrong.
 
And quit asking for my phone number. No means no.
 
So if they are doing it wrong, what better method do you propose? I don't think you have to put in the phone number. Just quit trying.
 
+Kin Chau or how about the obvious answer that you shouldn't need to have pointed out to you: only ask for the code when it actually needs asked for, like when a device is lost or weird login? If someone can get to the keyboard of the desktop machine in my house, I'm already boned. Thanks for playing, Kin.
 
+Michael Kerney I don't find it obvious at all. I think for all systems, an authenticated session should be timed out, and require users to reauthenticate themselves again. Anyway, if that is your issue, then Google has already taken care of that for you. It's called a "Trusted Computer." You can define one or more computers to be trusted, and it will not ask you for the code at all. On a trusted computer, you just login normally with your username and password.

So, Thank you for playing, Michael
 
+Kin Chau Funny you didn't mention that option before, eh? I have yet to see it rolled out to me. And thanks for your opinion on timeouts. I don't care. Maybe YOU should just quit trying? Feel free to fuck off now.
 
+Michael Kerney Feel free to go learn some manners and talk like a human being. If you can't hold a civilized conversation, please keep your mouth shut. I was merely responding that what you think is obvious maybe isn't so obvious to other people. You have a great day.
 
+Kin Chau Somehow I just knew you wouldn't be able to bugger off. I never asked for your condescending opinion in the first place. I think you're the one that could learn something about keeping his mouth shut; it's like you're the designated Google Fanboy for the thread, with some weird need to address everyone in it. Leave me alone, like you should have in the first place.
 
Then you should have stopped, why are you still writing back? I wouldn't be writing my condescending opinions, if you hadn't started with your sarcastic comments first. This post and comments are public, so state it clearly if you don't want anyone to respond to it. I am done with this, feel free to write anything else that you want. Again, you have a great day.
 
And this is where the "block" feature comes in handy. At least it more or less works.
 
OK +gmail, I'd love to turn on 2-step. But you tell me not to use my Google Voice number. But you partnered with Sprint to make my mobile phone number my GV number. So now what?
 
I work at a place where the design of the building inhibits mobile (GSM) frequencies... CDMA works though... It becomes an inconvenience using 2-Factor Authentication. So, some new mechanism needs to be devised. We can also use security token as an option!!!

UPDATE: Google Authenticator App saves the day.
 
It seems that most of the people complaining about 2-step not working correctly are misinformed about how it is actually supposed to work. The others who are saying it's too inconvenient to re-authenticate every thirty days must not be very serious about the security of their Gmail accounts in the first place. If you'd like a good reason to get serious, Google the name Matt Honan and check out what all happened to him a couple weeks ago.

The worries about application specific passwords I think are a little exaggerated, these passwords do not allow account management access, so the worst I could see happening from one of these passwords being compromised is someone accessing your Gmail content with POP or IMAP. This still could be bad, but my point being, with one of these passwords alone, there is no way someone could hijack and change your Gmail account password. +Sam Kelleher if you look at the very bottom of your inbox, you'll see the words "last account activity" with a link for more details. This gives you all the information you're looking for, time of access, IP address, geographic location, as well as the type of access, such as browser, POP/IMAP, or application password. Also from there you can sign out all other sessions.

Also, these passwords do not expire, and you don't have to go to a computer and update your applications every thirty days, I'm honestly confused how some of you would claim this happened to you. Actually, if you absolutely have to make the feature more convenient at the cost of a bit of security, you can just use the same application specific password for all of your applications that require them, this includes Android devices. You don't actually have to create a new one every time, you can just reuse the same one over and over, and just go revoke it if you ever feel there is an issue.

Lastly, one more thing that makes 2-step verification a lot faster, easier, and more convenient, is instead of using the Google authenticator app, opt for SMS notification. This way, when you go to the site and begin to login, put in your username and password, and by the time you get your phone in your hand and turned on you're receiving an SMS with your code in it, on Android devices you can read it right out of the status bar notification and don't even have to unlock your device, much less open the app drawer, launch the app, etc.

For people that have their entire digital lives tied to their Gmail accounts, a feature like this should be a no-brainer. To me, giving my phone number to Google is a small price to pay for the benefit of added security, and the hopefully never needed account recovery options.
 
My name is VIANNEY MOSQUERA GARCIA, born in the Department of Choco, capital Quibdo.