I read a lot about 2-factor, often also referred to as 2-step, authentication and considering all the recent data breaches (e.g iCloud hack) I thought why not give it a go? Google offers 2-factor authentication for its account for free. It’s well documented on the Google pages, but I will sum it up in just a few steps and explain what you need for it to work. I will also explain the culprits that come with it, because it looks easier than it is (especially, if you have older Android devices)

First of all,

What is 2-factor authentication?

2-factor authentication is a security mechanism that secures your (google) account with another additional lock. This means in order for you to login successfully into your (google) account you need an additional key/password/token to unlock it. Ok, this sounds painful, why would I want this?

A lot of accounts have been hacked recently due to weak passwords. Even if the password isn’t so weak, it can still be hacked open with a brute force attack. (a brute force attack is simply an algorithm that tries every possible password combination until it finds the password that fits, if the password is short/trivial/weak this can be done in a very short time.)

However, if you do have a strong password I would still recommend to enable the 2-factor authentication just to be on the safe side.

Got it? Ok, now let’s move onto enabling 2-factor authentication for your account.

What you need?

Before you enable it, I’d recommend you to download/install the Google Authenticator app in the play store, while you’re at it, also install the Barcode Scanner app (the one from the ZXing Team). Don’t ask me why this specific barcode scanner, it’s a prerequisite for it to work.

So it is:

  • Google Authenticator App
  • Barcode Scanner App

Now head over to your Google Account by going to https://www.google.com/settings/security

There you can enable the 2-step-authentication. There’s a wizard that will guide you through, it’s essential that you insert your correct phone number because you will receive txts/sms with the authentication code from Google. Why would I want to reveal my phone number to Google? Yes, I asked myself the same question. Bottom line, if you don’t insert your phone number it won’t work, and besides that Google probably knows your phone number anyway, since most of your friends sync their phone numbers (including yours) to the Google cloud anyway ;-) This is what in the end made me realise that privacy or a secured account is more important to me than Google having my phone number ;-) Anyway, make sure it’s correct because otherwise you wouldn’t receive your authentication codes (which saved my ass a couple of times already…)

Ok, once this is done, you are now being asked to login to your google accounts on various devices…this could be:

  • your laptop/computer
  • your android phone(s)
  • your android tablet
  • your XMPP google hangouts/talk account (if you use it with a 3rd-party application like Pidgin*)

Setting up your laptop and Android 4.x devices should be fairly trivial….you open the Google Authenticator app and go to “Set up an account” Next you press “Scan a barcode” and you will just scan the barcode that you will see in your browser (on your laptop screen), and also make sure that you insert the 6 digit code for the first time you see in the Authenticator app into the little box in your browser window. This is essential because otherwise the app won’t be connected to your Google Account properly. In the end the 6-digit code that you see in the App won’t work for the Google Authentication.

Once this is done, you’re good to go.

What about the older Android devices, I have an old Android 2.3 device.

The problem is that these older devices don’t quite support the 2-factor authentication method but there’s a cool workaround. You go back to your Google account security settings in your browser, to the 2-step authentication settings. There should be a menu item called “App passwords”, basically you set up an “account” with a 16-digit code which you enter on your Android 2.3 device instead. More information to App passwords can be found on the Google help page: https://support.google.com/accounts/answer/185833?hl=en&ctx=ch_b%2F0%2FSmsAuthConfig

It is fairly easy and does the trick.

The same method also works for 3rd-party applications like Pidgin…Pidgin can’t handle the normal 2-factor authentication and therefore you should configure this 16-digit code instead. It works fine for me ;-)

It was just a pain to figure this all out myself.

Having now successfully configured all my devices, I do feel more secure now.

If you run into problems or have a question regarding the setup, then don’t hesitate to get in touch with me ;-)