Since beating the drum two days ago on the importance of protecting your Gmail account with Google's free "2-step verification" system, I've received a torrent of messages with "how do I do this?" or "what about that?" or "can this be worth the hassle?" themes.
As for whether it's worth the hassle -- well, decide for yourself. But decide after you've looked again at Mat Honan's account of the hassle when his entire online life was zeroed-out in a matter of minutes, or at my story of what our household went through when the same thing happened to my wife last year.
As for the "how" questions, I started answering a few piecemeal before deciding that was crazy. I'll answer some of the main FAQs here and then point you to the most useful online guides. Let's get started:
Q. Does the process really need to be this complicated?
A. No. Google has simplified a lot -- think of its search page, its surprisingly effective voice search, Google Earth, etc. It needs to apply a little UI brainwork to making 2-step verification less forbidding than it seems now. See this unforgiving analysis in PandoDaily.
Q. Do I need to be a tech whiz to put it in place?
A. Not really. But if the instructions below seem off-putting, get help from a friend. It should only take ten or fifteen minutes to get your entire set-up configured -- all laptops, all desktops, your smartphones and iPads and mail programs -- if you get the hang of it.
Q. What's the point of the whole "2-step approach"?
A. The main point is, 2-step makes it very, very hard for anyone to take over your email account remotely -- from China, let's say, or West Africa or Russia or even across the street.
Without the 2-step system, hackers could get into your account if they figured out your password (as happened to my wife). With 2-step, they would need the password -- and also physical control of your smartphone, your purse or wallet, or your actual computer. With the smartphone, they could get the authorization code needed for your account. With your purse or wallet, they could get one of the backup authorization numbers that you can print out and carry around. With your computer, they could get into your account if you'd arranged the settings to require an extra code only once per 30 days.
Here's why this matters. In most cases you would have no way of knowing whether someone in China / West Africa / Russia / Las Vegas had cracked your password and was ransacking your account. My wife had the eerie sensation of finding her Gmail account very sluggish but not knowing why: in fact, the hacker was going through her account at just that moment. But if someone had taken your phone, your wallet, or your computer, you'd probably know. And you might be able to do something to change the password or protect yourself before much damage happened.
Q. Do I have to own a smartphone at all, or even a cell phone, to use this system?
A. No. You can get authorization codes -- which for your own computer you'd need only once per 30 days -- via any normal phone line. If, Unabomber-like, you have no phone at all, you can print out a list of codes to carry around and use.
Q. What if I forget to carry my phone with me? Am I screwed?
A. No. You can, again, print out a list of good-for-one-use codes and carry them in your wallet or purse. If you're ever in a situation where (a) you need to use someone else's computer, or a "public" computer, to get into your Gmail, and (b) you have forgotten to bring your phone with you, you can (c) just use one of these codes. You can generate new ones if you run out.
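To make the mechanics of the two answers above concrete, here is an added example (not from this post, and not Google's code) that models the pieces described: a password, a six-digit code that changes every 30 seconds following the standard TOTP algorithm (RFC 6238) that authenticator apps use, single-use printed backup codes, and the optional 30-day trust for your own computer. The secret, password, device names and timestamps are constructed values; the password hashing is simplified for the demo.

```python
import hashlib
import hmac
import secrets
import struct


def totp(secret, now, step=30, digits=6):
    """RFC 6238 time-based one-time code: HMAC-SHA1 over the 30-second counter,
    dynamically truncated to `digits` decimal digits (this is what the phone shows)."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TwoStepAccount:
    """Toy model of a 2-step-protected account: password plus a second factor."""
    TRUST_SECONDS = 30 * 24 * 3600  # "ask for a code only once per 30 days" on a trusted computer

    def __init__(self, password, secret):
        # Demo only: a real service stores a salted, slow password hash (bcrypt, scrypt, ...).
        self._pw_hash = hashlib.sha256(password.encode()).digest()
        self._secret = secret          # shared with the phone when 2-step is set up
        self._backup_codes = set()     # the printable list of single-use codes
        self._trusted = {}             # device id -> time its 30-day trust expires

    def issue_backup_codes(self, count=10):
        """Replace the printable list; old codes stop working, so you can 'generate new ones'."""
        codes = ["%08d" % secrets.randbelow(10 ** 8) for _ in range(count)]
        self._backup_codes = set(codes)
        return codes

    def login(self, password, device, now, code=None, remember=False):
        given = hashlib.sha256(password.encode()).digest()
        if not hmac.compare_digest(given, self._pw_hash):
            return False               # step 1 failed
        if self._trusted.get(device, 0) > now:
            return True                # your own computer, inside its 30-day window
        if code is None:
            return False               # a cracked password alone is not enough
        if hmac.compare_digest(code.encode(), totp(self._secret, now).encode()):
            pass                       # code from the phone
        elif code in self._backup_codes:
            self._backup_codes.discard(code)  # printed code: good for exactly one use
        else:
            return False
        if remember:
            self._trusted[device] = now + self.TRUST_SECONDS
        return True
```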