Wired writer Mat Honan fell victim to a brutal hack over the weekend. Through misplaced ingenuity and a smidgen of social engineering, hackers gained access to his iCloud account and wiped his iPhone, iPad, and Mac drives clean. The actual attack involved breaking into Honan's Amazon account, and then using information found there to break into his iCloud account. Things only got worse from there.
Amazon and Apple clearly need to institute security policy changes to better protect their users. And Honan made mistakes of his own, most notably not backing up his Mac regularly. But the hackers' initial entry point into Honan's digital life was through, of all things, the "forgot password" functionality offered by Gmail. When they first plunked Honan's email address into that form, Gmail displayed a redacted version of Honan's MobileMe account: m""""firstname.lastname@example.org. Honan has plenty of "if only"s on his mind, but one biggie, to quote Honan's story for Wired, is this: "If he had used two-factor authentication for Gmail, everything would have stopped here."
(Note: Google calls it two-step authentication, but two-factor authentication is just as common a name. We'll use them interchangeably.)
Understand two-step authentication
First, let's clarify what two-step authentication actually means. In Google's case, it works this way: If you enable two-factor authentication, when you next log in to your Gmail account, you'll first proceed as you always do, by providing your username and password. But before you get to your inbox, Google will next demand a separate code.
Of course, you won't know what the code is offhand. Thus, for the second factor of authenticating that you really are who you're claiming to be, Google will send a text message to your phone containing the six-digit code to use. (As we'll discuss later, there are numerous other options for getting a six-digit code.)
Only after you've provided that code do you gain access to your inbox.
On the whole, the process sounds simple. And for simply logging in to your webmail account, it is. But added complexities can crop up, since some apps, such as Mail on the Mac or iOS, don't yet support two-factor authentication. That makes configuring Google's two-factor authentication a bit more complicated.
Set up Google's two-factor authentication
Go to Google.com and log in. Click on your name or photo at the upper right corner of the main Google homepage, and choose Account. Then choose Security from the navigation options at left. Now you can see the option you're looking for: Click the Edit button alongside Two-step Authentication.
At this point, Google will most likely ask you to log in again. That's for additional security. Enter your password, and click Sign In.
Next, Google will ask you to provide the phone number of the device you'd like to use. It's understandable if you're hesitant to give out your phone number, but note that Google promises it will only use this number for account security. You can provide a landline or a cell phone number, and you can choose whether Google should send codes to that number as text messages or via a voice call. (Note: You really shouldn't use your Google Voice number, since you could get stuck in a Catch-22 situation where you can't access your Google Voice account to get the code you need to log in to your Google Voice account.)
After you click to proceed, you should receive the text message (or phone call) within a few seconds. Type that code into the webpage and click to continue. At this stage, you're nearly done with the initial setup. Google will want to confirm whether it should trust this computer. That setting is a bit misnamed; essentially, if you leave it enabled, logging in to Google on that Mac with that browser won't add the second step for the next 30 days, unless you delete your browser's cookies.
Fix everything two-step authentication breaks
Now, just when you feel like you're finished, Google throws up a gotcha: Some apps can't support verification codes. If you use a third-party email app to check your Gmail account via POP or IMAP, for example, that app won't be configured to prompt you for the second-step code.
Thus, for email apps (and Google Reader-using apps, and Calendar or iCal, and so on) you'll need to configure special, one-off passwords instead. You can generate as many of these so-called application-specific passwords as you'd like. You provide a label (for your own records), like "iPhone Mail," and then Google presents you with a 16-character password. You can never retrieve that password again, but it doesn't matter. Don't bother jotting it down. Copy and paste it (or painstakingly retype it) wherever it needs to go, and then click the Done button.
If you use more than one Mac, consider going specific with your application-specific password names, like "Adium (MBPro)" and "Adium (MBAir)." Because Google lets you revoke any application-specific password at any time, you can log in and revoke access to the apps on your MacBook Air should that get stolen, without giving yourself extra work on your MacBook Pro.
Don't worry that you might be forgetting about an app or three. You'll remember that you need to generate unique application-specific passwords for those as soon as those apps start prompting you to re-enter your password.
Ensure you can always access your account
Once you've configured all the necessary application-specific passwords, there are a few additional important steps to take. Go back to your Google profile, click again on Security, and then click to Edit your Two-step Verification settings. (Surprise! You'll get prompted to confirm your password again.)
Near the top of the screen, look for the Backup Phones setting and click on Add a Phone Number. There, you can set other phones (your home phone, another cell) as backup numbers. That way, if you lose your phone for any reason, you're not locked out of your Google accounts; you can receive your codes on the backup phones instead. (Presumably, once you did log in, you'd immediately go to your settings and change your two-step verification number.)
Once you've set up some backup numbers, find the Printable Backup Codes option and click Show Backup Codes. Doing so generates a list of ten eight-digit verification codes that you can use in situations where you don't have access to your phone, or where your phone has no service.
Each of these codes can be used only once. Google suggests printing out the list and keeping it in your wallet. You might (might!) consider saving the list in Dropbox or somewhere else in the cloud, so that you can always get to it even if you're without your phone or access to your Google account. Obviously, if someone then figures out your Google password and also breaks into your separate cloud account, they could then break all the way into your Google account, too. You can generate a list of ten new backup verification codes whenever you'd like, but doing so invalidates all of your old ones.
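A backup-code list is just ten single-use secrets that the service keeps in hashed form and forgets one at a time. The Python below is an added example of that server-side bookkeeping, not Google's own code (whose storage design the article does not describe): every code redeems exactly once, and regenerating the list discards the old one. The server key is a constructed placeholder.

```python
import hashlib
import hmac
import secrets


class BackupCodes:
    """Assumed server-side model of a printable backup-code list."""

    def __init__(self, server_key: bytes, count: int = 10, digits: int = 8):
        self._key = server_key          # secret kept by the service, never printed
        self._count, self._digits = count, digits
        self._unused: set = set()        # keyed hashes of codes not yet redeemed

    def _tag(self, code: str) -> bytes:
        # An 8-digit space is only 10^8 values, so a plain hash of a leaked table
        # could be reversed in seconds; a keyed HMAC ties it to the server key.
        return hmac.new(self._key, code.encode(), hashlib.sha256).digest()

    def regenerate(self) -> list:
        """Return a fresh list for printing; any previous list stops working."""
        codes = []
        while len(codes) < self._count:
            code = str(secrets.randbelow(10 ** self._digits)).zfill(self._digits)
            if code not in codes:       # keep the ten codes distinct
                codes.append(code)
        self._unused = {self._tag(c) for c in codes}
        return codes

    def redeem(self, code: str) -> bool:
        """Accept a code once; a second use of the same code is refused."""
        tag = self._tag(code.strip().replace(" ", ""))
        if tag in self._unused:
            self._unused.discard(tag)
            return True
        return False

    def remaining(self) -> int:
        return len(self._unused)
```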
Instead of relying on text messages or phone calls, you can install the free Google Authenticator app. With the app installed, you can generate verification codes even when you have no active network connection. That is, the app can generate codes even when there's no Wi-Fi or cellular signal available for your phone.
First-time setup of the app is a bit confusing. Ignore the login form, and instead tap the Scan Barcode button at the bottom of the screen. (If it's not there, tap the Plus (+) button first.)
Over in your Google Two-Step settings, find the Mobile Application section, and click on iPhone. (There are also apps, and thus links, for Android and BlackBerry phones.) Point your phone at the QR code that Google presents on screen, and the app will configure itself for your Google account. Now, when you need a verification code, launch the app, and it will present you with a new one to use.
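The reason the app works offline is the TOTP algorithm (RFC 6238): the QR code hands the phone a shared secret, and both the phone and Google derive the six-digit code from that secret plus the current 30-second time slot, so no message has to travel. The Python below is an added example, not Google's or the app's code; it uses the RFC's published test secret, and the replay-window verifier is an assumed server-side design.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226/6238 test secret (ASCII "12345678901234567890"), base32-encoded the
# way an otpauth QR code carries it. Constructed test input, not a real key.
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at=None, step: int = 30) -> str:
    """TOTP (RFC 6238): HOTP with the counter set to the current time slot.
    This is all the phone app computes, so it needs no signal at all."""
    now = time.time() if at is None else at
    return hotp(secret_b32, int(now) // step)


class TotpVerifier:
    """Server side (assumed design): accept the current slot or one slot either
    side to absorb clock drift, and never accept the same slot twice."""

    def __init__(self, secret_b32: str, step: int = 30, window: int = 1):
        self._secret, self._step, self._window = secret_b32, step, window
        self._last_slot = -1  # highest slot already consumed by a login

    def verify(self, code: str, at=None) -> bool:
        now = time.time() if at is None else at
        slot = int(now) // self._step
        for candidate in range(slot - self._window, slot + self._window + 1):
            if candidate <= self._last_slot:
                continue  # replay of an already-used (or older) slot
            if hmac.compare_digest(hotp(self._secret, candidate), code):
                self._last_slot = candidate
                return True
        return False
```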
Two-step authentication is annoying, a bit tedious to set up, and makes more work out of the seemingly simple act of logging in.
Of course, locking your doors or buckling your seatbelt takes a little extra energy, too. We make tradeoffs to ensure our safety, and digital safety is increasingly becoming just as important as physical security. If you rely on Google's services, two-step authentication is probably worth the hassle.
Lex Friedman is a staff writer for Macworld.