Network News

X My Profile
View More Activity
Posted at 4:58 PM ET, 02/10/2011

Google adds optional two-step Gmail security

By Rob Pegoraro

Google just launched a new, secured login for Gmail and other Google services. Done right, it can greatly increase a Google Account's defenses--but I worry that the less security-concious users who could use the help most will shy away from its complexity or get locked out of their service by mistake.

Google calls this option "2-step verification," although it's often referred to as "two-factor authentication." By either name, it adds an extra line of defense beyond your password: a numeric code generated on the spot for each login and then discarded.


Google's blog post and help page explain how this will work. First you'll activate this from your Google Account settings page through a "Using 2-step verification" link, and then you'll be asked to enter a numeric code after having it generated by a smartphone application or sent by Google to your phone via text message or phone call.

This won't take the place of the traditional username-and-password combination, nor do you have to go through this ritual every time; you'll be able to tell Google to save it for every 30 days.

You won't need to have a working Internet connection or even cell service on your phone. Google's free Google Authenticator--available for Android, the iPhone, iPad and iPod Touch, and BlackBerry devices--works offline. You can also use one-time codes generated when you first set up 2-step verification.

But this extra security only works in Web pages; applications such as Microsoft's Outlook or Apple's Mail that connect to Google services don't support this. For those cases, Google lets you create passwords only good for those installations--for example, one for a smartphone's mail program and another for a desktop computer's mail client.

All that sounds good--though I can't speak from personal experience, since none of my Google accounts offer this option--and comes highly recommended. Lifehacker's Adam Pash, for example, writes: "start using this feature as soon as possible." The headline on Jason Kincaid's post for TechCrunch ends "You Should Use It." Google search guru Matt Cutts Twittered: "*Everyone* should do this."

But... I fear that the people who most need to strengthen the security of their Gmail won't follow any of this advice. They don't know who Matt Cutts is, don't read Lifehacker or TechCrunch and they're likely to get lost on the way to setting up two-step verification--or will balk at following advice that may seem like something cooked up by a paranoid IT department.

Fortunately, there are simpler ways to defend your Google account. You can choose a password that you haven't used at other sites and isn't in the dictionary or easily guessed from public details of your background; be smart and skeptical about not installing strange new software and ignoring phishing scams; and set up the account-recovery options already available to ensure you can regain control of your account if it's hacked.

Do those things, and then we can think about two-factor authentication. But whatever you do, please don't read Google's advice today and think "oh, security is obviously too hard to do right."

By Rob Pegoraro  | February 10, 2011; 4:58 PM ET
Categories:  E-mail, Security  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: A first look at the Verizon iPhone - and what that can't tell you
Next: Report: Apple to introduce cheaper iPhone


This is a good idea, but unfortunately I won't be able to use it. I can connect to my office (Google-powered) e-mail from my customers' site, but I can not take my phone in there. I just can't imagine waiting for a phone call to my desk from Google so that I can check my mail.

Posted by: slar | February 10, 2011 6:09 PM | Report abuse

Hi slar@,

If you choose to use the Google Authenticator app for your smartphone (Android, BlackBerry, or iPhone) you can generate the codes locally, without a network connection - instantaneously.

Posted by: chinushah | February 11, 2011 12:26 AM | Report abuse

Not everyone has a smartphone. How are those of us who don't have one (and have no interest in having one) supposed to take advantage of this?

Posted by: borealis998 | February 11, 2011 7:44 AM | Report abuse

Huh, i wonder if thats gonna make life complicated for backup services like I like getting that DVD in the mail.

Posted by: easymovet | February 11, 2011 1:08 PM | Report abuse

Post a Comment

We encourage users to analyze, comment on and even challenge's articles, blogs, reviews and multimedia features.

User reviews and comments that include profanity or personal attacks or other inappropriate comments or material will be removed from the site. Additionally, entries that are unsigned or contain "signatures" by someone other than the actual author will be removed. Finally, we will take steps to block users who violate any of our posting standards, terms of use or privacy policies or any other policies governing this site. Please review the full rules governing commentaries and discussions.

characters remaining

RSS Feed
Subscribe to The Post

© 2011 The Washington Post Company