Having a strong password is a good first step towards securing your Google Account, but it won't necessarily defeat someone determined to access your data. What if there was a way for you to secure your account so that even if an attacker knows your password, they STILL can't log into your account? 2-Factor Authentication is one solution that can provide this kind of security for your online accounts.

What is 2-Factor Authentication?

Let's start by defining 'authentication'. This is the computer sciencey term for "how a computer knows that you're really you". A Factor is one of the ways you can prove your identity to someone. There are four different classes of factors:

  • Something you ARE: Something about your body that would be hard for someone else to duplicate. Examples: your fingerprints, your retinal pattern, your face, or a DNA blood test
  • SomeTHING you KNOW: A secret piece of knowledge that's private to you. Examples: passwords, PINs, and security questions
  • Something you HAVE: A physical object that only you have access to. Examples: electronic key fobs, debit cards, house keys
  • SomeONE you KNOW: A trusted party who can vouch for you. Examples: you vouch for your friend at the gym who forgot her key fob, "I know her, she's been a member for years."
For most online services, we're used to the second factor on this list- 'Something you Know', a password. 2-Factor authentication adds an additional factor from the 'Something you Have' category (usually), such as a phone or a laptop. In order to log into a site using 2-factor authentication, you need to KNOW your password and you need to HAVE access to your phone or computer.

There's already an example of two-factor authentication that you already use when you interact with an ATM. In order to withdraw money from your account you need to HAVE your ATM card and you need to KNOW your PIN code. 

Should I Enable It?

2-Factor Authentication makes it much more difficult for unauthorized people to access your accounts. Even if an attacker knows your password, they still need your 2nd Factor in order to log into your accounts. 2-Factor Authentication isn't unbeatable security, but it raises the bar considerably for an attacker and will protect you against casual snooping. This video explains it pretty well:

Should you enable 2-Factor authentication? That's a personal choice, but here are some questions that can help inform your decision:

  • Do you have access to secure personal or financial data? If the answer is yes (you work in Finance, HR, or Development), then 2-Factor Authentication will help bring extra security to this sensitive information.
  • Do you move between computers a lot? If the answer is yes, 2-Factor Authentication will be more inconvenient for you. Graduate Students, AmeriCorps, and Instructors trade between shared computers all the time, which means they'll also need to enter this second code more often than, say, a TVCS teacher who has an assigned laptop.
  • Do you have reliable cell service at your campus? If the answer is no, 2-Factor Authentication won't be a great fit for you unless you use an app like Google Authenticator (more on this below).

How To Enable 2-Factor Authentication for Your Google Account:

1. First of all, make sure you have a cell phone next to you and that you have cell service. Go to accounts.google.com and log in with your TSS credentials. Click on the link on the left side of the page: "Signing in to Google".

2. Click on the link for '2-Step Verification'.

3. In the next box that shows up, click "Get Started". You'll be asked to re-enter your password, then you'll be asked to enter your cell phone number. Go ahead and do this.

4. Google will send an SMS message to your phone with a 6-digit code, which you'll be prompted to enter.

5. You're all set up! The next time you log into your Google Account, Google will send you a SMS text message with a 6-digit code. You'll need to have this code, as well as your password, to log into your Google Account. If you're logging in with a computer or device that you use often (such as your laptop or your personal phone), you can choose for Google to 'don't ask again on this device' so that you can skip getting the text message when using that particular device.

Notes and Caveats:

First of all, there's an obvious problem that 2-Step Verification can create for you: what if you need to get into your Google Account but you don't have your phone? Or you don't have cell service (quite possible at the Kelly Campus)? Google allows you to create backup codes that you can print and put in your wallet. These codes are good for one-use only and will work as a second factor in the event you can't receive a text message. You can access your 2-Step Verification settings by following steps 1-3 of this guide, then scrolling down to the section where you see Backup Codes. Another option is to contact the IT department via phone call; we can help you get into your account if you've lost your phone.

One more potential issue with using SMS messages is that the security of sending and receiving text messages isn't quite as robust as you might think. There are several ways attackers can spoof or redirect phone calls in order to intercept these messages. This issue is real enough that the National Institute for Standards and Technology has issued official recommendations for users NOT to use SMS-issued codes as a second factor for authentication. Great. So what other options are there?

There are several Authentication apps for smartphones that generate 6-digit codes on their own, no SMS message, data connection, or even WiFi required. There are many options in this space, but Google Authenticator is probably the simplest for most users to use and install (iOS AppAndroid App). I've used this app for years and it's my preferred app for 2-Factor Authentication.