In Part 1 of this 2-Step Verification for Google Apps series, we talked about the benefits of Google's 2-Step Verification (2SV) solution. Now in part 2, we're going to look at enabling 2SV in your own Google account. If you're a Google Apps admin, you should walk through setting up 2SV for your own account so that you are familiar with the process before moving on to Part 3: Enforcing 2SV for Your Users. If you're an end user, you can use this guide to learn how to enable 2SV for your account as well as some watch points and best practices when using 2SV. Let's get started!
One Time Setting For Admins Only
In order to use 2SV with your Google Apps domain, admins must first enable 2SV in the Google Apps Control Panel. Don't worry, it's as simple as checking off a box and hitting save. Just go to your Google Apps control panel and open the Advanced tools tab. Under the Authentication section you'll see a checkbox for "Allow users to turn on 2-step authentication". Click the checkbox and you're all set. Your users now have the ability to turn 2SV on for their accounts.
Get Ready to Enable 2SV For Your Account
Make sure you have some free time available in order to set up 2SV. It's not a long process, but if you get distracted and don't finish, you might accidentally lock yourself out of your account and need administrator assistance. Be sure to gather together:
- Your primary computer
- Your mobile devices (smartphones, tablets, touchscreen mp3 players) that you either synchronize your Google Apps account to, or wish to use to generate verification codes from.
- A printer in range (more on that later)
Let's Do This! Turning 2SV On
1) Now we're ready to turn 2SV on for your account. In the top right corner of your Gmail, click your profile image and then click the Account link.
2) On the Accounts page, click Security to the left. You'll notice 2-step verification status is off for your account. Click the Edit button.
3) You may be prompted to re-authenticate with your Google password, this is just an extra layer of protection to prevent others from turning 2SV on for your account. Now you will be presented with a wizard that will walk you through setting up 2SV. Click Start setup.
4) Now you are prompted for a phone number that you can receive either SMS text messages or voice calls on. Enter your number, select whether you prefer texts or voice calls and hit Send code. One watch point here: don't enter a Google Voice number! Doing so may lead to a chicken-and-egg scenario where you need to log in to your Google Voice account to retrieve the verification code, but you need the verification code to access your Google Account...
5) Within a minute or two, you will receive an SMS text message or voice call on that phone which gives you your verification code. Enter the code and hit Verify.
6) Next you'll need to decide if you trust the computer you are using. Trusted computers only require a verification code every 30 days while untrusted computers require a code much more often. Since this is your primary computer, you should leave 'Trust this computer' checked in most cases.
7) Now you're ready to turn 2SV on for your account. Simply hit the Confirm button and 2SV will be enabled for your Google account. Don't go away yet though, there's a bit more to do.
Adding more verification methods
Phone verification generally works well, but sometimes, due to carrier delays, you can be stuck waiting a few minutes for a verification code. You also have only one method of getting into your account: if you forget your phone at home, you won't be able to log in. We recommend setting up multiple methods of retrieving a verification code so you're never stuck without one.
Printed Backup Codes - Don't Skip This!
Here's where that nearby printer comes in. Backup codes are one time use codes that you can use whenever your phone isn't handy. Google recommends keeping your backup codes handy in a purse or wallet. You can print backup codes by going to the main 2SV page and clicking the Show backup codes link. If you're low on spare codes or lost the paper, you can always generate new backup codes.
Mobile Applications - Convenience Method
Google has mobile apps that can generate verification codes for your account which are good for one minute. Once installed and configured, the mobile apps don't require an Internet or phone connection in order to generate the codes, making them very convenient and cutting down on your wait time for a verification code. It also means the apps work well on an iPod or an old Android phone that doesn't have a data plan or phone service. Setting up your mobile device is as easy as clicking the link provided and installing the app from the phone's app store. Google walks you through scanning a QR Code, which provides your phone with the secret that the code-generating algorithm uses to produce short-term verification codes. Remember, even if you enable a mobile app, you can still use the SMS / voice call method by clicking "Don't have your phone?" when prompted for the verification code at login.
The last step in setting up 2SV is creating application-specific passwords. Some applications and devices that connect to your Google Account data don't support 2SV because they only understand usernames and passwords, they have no protocol for handling the verification code. The most common need for application-specific passwords is Google Sync mobile devices (iOS and Windows Phone), Google Talk desktop client and IMAP/POP clients.
Does My Device or App Need an Application-specific Password?
Maybe not, especially if it's a Google product. For example, Google Apps Sync for Microsoft Outlook allows you to sign in with your browser rather than directly entering a password; just choose the "No, help me sign-in." option. Android also has the ability to sign in via a browser instead of requiring an application-specific password: just hit the Menu button when you're prompted for your Google username and password and you'll see a "Browser sign-in" option. In both cases, application-specific passwords will still work, but it might save you some time not to create them. Chrome Sync and the Google Talk desktop client are two of the few Google-developed applications that still require an application-specific password.
Creating Application-specific Passwords
It's easy to create application-specific passwords when you need them. Just click the link to "Manage application-specific passwords". Then you'll be prompted to give your application-specific password a name. Choose something descriptive like "Thunderbird IMAP on Macbook" so that it's easy to later decide if an application-specific password is still needed. Hit Generate password and Google will show you a random, 16-character string. Enter the password into the application or device, verify it's accepted and then hit Done. Once you've hit Done, it's impossible to recall the password from Google but you can always Revoke old application-specific passwords and create new ones.
Best Practices When Setting Up 2SV
- Print your backup codes immediately!
- Have 2 or 3 methods for getting an access code.
- You can configure 2 or more mobile devices (for example, your phone and tablet) with the Authenticator app by scanning the same QR Code on both devices. After scanning, you should notice the devices are generating identical access codes.
- Many Google services can use browser-based login rather than needing an application-specific password. Use the browser-based login where possible.
- Give your application-specific passwords descriptive names
- Never write down an application-specific password; they're meant to be "set it and forget it".
- If you're locked out by 2SV, contact your Google Apps administrator. After verifying who you are, they can provide you with a backup code so that you can log in and reconfigure 2SV.
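The QR code step in the mobile app section and the best-practice tip that two devices scanning the same QR code show identical codes both come down to one shared secret and a time-based algorithm (RFC 6238 TOTP, which is what authenticator apps implement). The following is an added example written for this post, not Google's code: it parses the otpauth URI a provisioning QR code encodes (the account name and the secret are constructed; the secret is the RFC 6238 SHA-1 test seed), derives codes the way an app does, and checks a submitted code with a one-step tolerance so a code entered a moment late is still accepted.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample: the otpauth URI a provisioning QR code carries (hypothetical account).
# The secret is the RFC 6238 SHA-1 test seed "12345678901234567890" in base32.
SAMPLE_OTPAUTH_URI = (
    "otpauth://totp/Example%20Apps:user%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example%20Apps"
)

def parse_otpauth(uri):
    """Return (account label, raw secret bytes) from an otpauth://totp/ URI."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    secret_b32 = parse_qs(parsed.query)["secret"][0].upper()
    secret_b32 += "=" * (-len(secret_b32) % 8)  # QR payloads often omit base32 padding
    return unquote(parsed.path.lstrip("/")), base64.b32decode(secret_b32)

def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1: the code an authenticator app displays."""
    counter = int(unix_time) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def verify_totp(secret, submitted, unix_time, window=1, step=30):
    """Accept the current code or one step either side: clock drift or a slow
    entry should not reject a code that was valid seconds ago."""
    for delta in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, unix_time + delta * step), submitted):
            return True
    return False

def same_secret_same_codes(uri, unix_time):
    """Two devices that scanned the same QR code hold the same secret, so at the
    same time step they show identical codes, as the post's tip describes."""
    _, phone_secret = parse_otpauth(uri)
    _, tablet_secret = parse_otpauth(uri)
    return totp(phone_secret, unix_time) == totp(tablet_secret, unix_time)

if __name__ == "__main__":
    label, secret = parse_otpauth(SAMPLE_OTPAUTH_URI)
    print(label, "current code:", totp(secret, time.time()))
    print("identical on both devices:", same_secret_same_codes(SAMPLE_OTPAUTH_URI, time.time()))
```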
If you're a Google Apps administrator, you'll want to check out Part 3: Enforcing 2SV for Your Users. Be sure to leave us some comments on your views of 2SV and share this post with others!
Labels: 2-step, 2sv, cloud security, two factor, verification