Wednesday, 19 June 2013

Two-step verification on Google (and Twitter and Facebook)

After hearing enough stories of "identity theft can't happen to me" and then getting a mail from Google asking whether I'd like to connect my new mail account to this one, I decided to ramp up my Google account security a bit. Didn't want my mail snitched. This mail is my life.

There's an easier way than using v€rY-c0M₱£æ⨉-Ƥάßw0r𝑑Ƶ, and it's Two-step Verification. That's securitech lingo and basically means that you log in to a site using something you know and something you have, e.g. a secret handshake and a funky looking hat. Or your signature and a hot wax seal. Or, as is more convenient in the online world, your password and your cell phone.

Setting up Two-step verification will probably take less time for you than reading this post.

Setting up two-step verification is fairly painless on Google. Go to the Google Two-step landing page and watch a video to get comfortable. Click the big blue Get Started button. Enter your password (which should be fairly non-guessable by a computer and at least nominally different from the password you're using on Facebook, Twitter, Reddit, Hotmail, your bank account and all those p0rn sites).

If you have an Android/iPhone/Blackberry phone, you can now download the Google Authenticator app. Or if you're lazy, don't want more apps on your phone, or have some other technology installed, you can use SMS authentication. This is what I used first. Click the appropriate buttons and you're go.

What now will happen is this: When you log on to a service using your Google account, you use the password you know and you'll get an additional step (hey, it's called two-step for a reason). Google will ask for a secret code, which you'll either get from the Authenticator app or as a text message. From the phone that you have. Enter this and you're in.

Next time you access the same application with the same computer, you will not be bothered by the second step. Unless you really want to :)

Now: devise and implement a backup plan. It'll take you two minutes and save you when the situation hits the fan. Add a backup phone number or two into the system for when your phone falls into water or gets trampled by a moose. Print out some backup codes on actual paper, cut off the bits that identify them as Google codes, and save them far from your phone. And the moose. And water of any kind.
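Those printed backup codes are worth a closer look, so here is an added example of how a service can handle them sensibly (constructed illustration, not Google's implementation): generate the codes from a proper random source, keep only salted hashes on the server so a leaked list is useless on its own, and burn each code the moment it's used. The `BackupCodeStore` class and its `redeem` method are names I made up for the example.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional


def generate_backup_codes(count: int = 10, digits: int = 8) -> List[str]:
    """Constructed example: `count` one-time recovery codes of `digits` decimals,
    drawn from the OS CSPRNG (never from random.random())."""
    return [str(secrets.randbelow(10 ** digits)).zfill(digits) for _ in range(count)]


def hash_code(code: str, salt: bytes) -> str:
    """Codes are short, so slow them down with PBKDF2 rather than a bare hash."""
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000).hex()


class BackupCodeStore:
    """Hypothetical server-side record: only hashes of the unused codes are kept."""

    def __init__(self, codes: List[str], salt: Optional[bytes] = None):
        self.salt = salt or secrets.token_bytes(16)
        self._unused = {hash_code(c, self.salt) for c in codes}

    def redeem(self, submitted: str) -> bool:
        """Accept a code once, then forget it. Spaces or dashes the user
        typed from the printout are ignored."""
        cleaned = submitted.replace(" ", "").replace("-", "")
        candidate = hash_code(cleaned, self.salt)
        for stored in self._unused:
            if hmac.compare_digest(stored, candidate):
                self._unused.discard(stored)  # single use: the same code never works twice
                return True
        return False

    def remaining(self) -> int:
        return len(self._unused)


if __name__ == "__main__":
    codes = generate_backup_codes()
    print("print these and keep them away from the moose:", codes)
    store = BackupCodeStore(codes)
    print("first use:", store.redeem(codes[0]), "second use:", store.redeem(codes[0]))
    print("codes left:", store.remaining())
```

The single-use property is the whole point: once you've typed a code in, that line on your printout is dead, and when you're down to the last couple it's time to generate a fresh sheet.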

Google of course is bigger than GMail. You can authenticate to a bunch of sites using your Google account. There are apps that don't know about the two-step dance. My Apple TV thingy can play Youtube videos but don't know wits about no two-steps. For instances like these, you can create passwords for those apps, called application-specific passwords. From the two-step management page where you set up the verification settings in the first place, click the appropriate link, enter a name for your password (e.g. "Apple TV") and press Generate password. Then copy-paste this into the application. The password is shown in groups separated by spaces; you don't need to type the spaces.

Twitter has also implemented two-step verification. They do not, however, yet have the provision for extra phone numbers, so if you lose your phone to a moose or the gods of salt water, you are basically spinning around with that fan and the situation. IWS has the details.

Facebook also has a two-step verification in place, called login approval, which uses your phone to ask for logins from new devices. While you can't add more phones to your arsenal, you can manage login sessions from a browser that's already approved. To enable, go to your Facebook page, click the little padlock icon which currently lives on the top right of the page, next to your name and face, and the Home link and the cogwheel. From the dropdown, click See more settings, click Security → Login notifications and check Mail and/or Text message. You'll need to register your phone number with Facebook if you want the second option to work.

And that's it. You are now a lot safer than you were.