Gmail's 2-Step Verification: Some FAQs

By James Fallows

Since beating the drum two days ago on the importance of protecting your Gmail account with Google's free "2-step verification" system, I've received a torrent of messages with "how do I do this?" or "what about that?" or "can this be worth the hassle?" themes.

As for whether it's worth the hassle -- well, decide for yourself. But decide after you've looked again at Mat Honan's account of the hassle when his entire online life was zeroed-out in a matter of minutes, or at my story of what our household went through when the same thing happened to my wife last year.

As for the "how" questions, I started answering a few piecemeal before deciding that was crazy. I'll answer some of the main FAQs here and then point you to the most useful online guides. Let's get started:

Q. Does the process really need to be this complicated?
A. No. Google has simplified a lot -- think of its search page, its surprisingly effective voice search, Google Earth, etc. It needs to apply a little UI brainwork to making 2-step verification less forbidding than it seems now. See this unforgiving analysis in PandoDaily.

Q. Do I need to be a tech whiz to put it in place?
A. Not really. But if the instructions below seem off-putting, get help from a friend. It should only take ten or fifteen minutes to get your entire set-up configured -- all laptops, all desktops, your smartphones and iPads and mail programs -- if you get the hang of it.

Q. What's the point of the whole "2-step approach"?
A. The main point is that 2-step makes it very, very hard for anyone to take over your email account remotely -- from China, let's say, or West Africa or Russia or even across the street.

Without the 2-step system, hackers could get into your account if they figured out your password (as happened to my wife). With 2-step, they would need the password -- and also physical control of your smart phone, your purse or wallet, or your actual computer. With the smart phone, they could get the authorization code needed for your account. With your purse or wallet, they could get one of the backup authorization numbers that you can print out and carry around. With your computer, they could get into your account if you'd arranged the settings to require an extra code only once per 30 days.

Here's why this matters. In most cases you would have no way of knowing whether someone in China / West Africa / Russia / Las Vegas had cracked your password and was ransacking your account. My wife had the eerie sensation of finding her Gmail account very sluggish but not knowing why: in fact, the hacker was going through her account at just that moment. But if someone had taken your phone, your wallet, or your computer, you'd probably know. And you might be able to do something to change the password or protect yourself before much damage happened.

Q. Do I have to own a smartphone at all, or even a cell phone, to use this system?
A. No. You can get authorization codes -- which for your own computer you'd need only once per 30 days -- via any normal phone line. If, Unabomber-like, you have no phone at all, you can print out a list of codes to carry around and use.

Q. What if I forget to carry my phone with me? Am I screwed?
A. No. You can, again, print out a list of good-for-one-use codes and carry them in your wallet or purse. If you're ever in a situation where (a) you need to use someone else's computer, or a "public" computer, to get into your Gmail, and (b) you have forgotten to bring your phone with you, you can (c) just use one of these codes. You can generate new ones if you run out.

Q. What if my phone has no coverage? Am I screwed?
A. No. The code-generating app on a smart phone derives each code from the current time, so it works whether or not the phone is connected to any network. If somehow you had WiFi coverage on an airplane, but were not connected to a cell network, the code-generator would still work. Plus, remember those codes in your wallet.

Q. What if I am out of the country or change my mobile network? Am I screwed?
A. No. Again, your phone has a clock-based system for generating codes, wherever it is.

Q. What is this whole confusing "application-specific password" nonsense?
A. This actually is confusing, and I'll try to explain it as clearly as I can.

There are some situations in which the hardware's or software's setup means that you can't enter both your normal Gmail password and the special 2-step code. For instance: email on most smartphones, or on an iPad. Or for programs like Thunderbird or Sparrow.

For these situations, you generate a special kind of password, on a page Google provides for this purpose. It's 16 characters long; it looks like nonsense; and it is something like kxgi jikg avfi dwqi.

You copy down this password, and then you enter it -- once -- in place of your normal Gmail password for your smartphone, iPad, etc. From that point on, Gmail recognizes this as a special kind of password, signifying that you're in the 2-step system. If you lost your phone or iPad, someone could get into your email. But, again, you would know that you'd lost that device. And you could go to the Gmail settings page and de-authorize the password you had approved before. Result: as long as you had your iPad or smart phone, you could get into your mail with no hassle. But if they were stolen, you can keep others from prowling around.

Q. Are you done?
A. Pretty much. The point is that this is more complicated than, say, using AOL -- and more complicated than it really should be. But once you've tried it you see that fundamentally it's not that difficult a process.

Q. Whom else should I believe?
A. Unfortunately, not Google. Rather, you can believe them, but you can't really turn to them for crystal-clarity in explanation. The resources I'd suggest begin with Jeff Atwood's Coding Horror site, which has an illustrated step-by-step explanation and which includes this nice riff, with emphasis in original:

"OMG, entering these email codes on every device I access email would be a lot of work! That sounds like a hassle!" Shut up. I know things. You will listen to me. Do it anyway.

Also please see this description by Matt Cutts. And, when you're on the verge of grumbling that Google's process is too complex, consider this pertinent question from a reader (who notes that the horrific hacking episode recounted in Wired revealed gross security vulnerabilities at Amazon and Apple):

A question that came up for me: where is Apple's two-step verification? So much of their iTunes, iCloud interconnection is through Apple devices, so isn't there an Apple branded verification tool for the iPhone and iPad?

Good question. Complex as the 2-step Gmail system is, Google deserves credit for devising a way to let users protect themselves. Apple, what about you?

This article is available online at:

http://www.theatlantic.com/technology/archive/2012/08/gmails-2-step-verification-some-faqs/260934/