You log into a public terminal at a net cafe to check your email while travelling.
After a very nice conversation with your mom, she discovers the next day that you had a terrible accident and that you need money sent to a random foreign bank account to deal with your medical bills.
She has no reason to doubt your claim as your request happened to originate from your own email account!
That’s one of the possible scenarios if your password has been hijacked. You never know when there could be a hardware key logger physically attached to the computer, or a software one that sends your username and password to a hacker.
Fortunately, there is a solution for this: two step authentication.
For the past three years, all my Google accounts have made use of this extra step in security.
How this works is that when you log into any of your Google accounts, you are asked for an extra code.
This code changes with time, rotating every minute and you are asked for that code when you log into a system that you haven’t flagged as trusted.
There are only two ways of obtaining this code: either it is generated from a long random secret that’s shared between you and the Google Authenticator app, or Google sends it to you via SMS any time you require it.
I’ll walk you through setting up this layer of security, but do note that because it is secure, once you lose the ability to generate the token (lose your phone, back up codes and/or change your phone number) it might be very difficult to gain access to your account.
The Set Up
To begin, we go to the url
After you have read through the benefits and proceeded with set up, enter your phone number.
This number could be a local number (in the city you’re travelling) or your home number. What’s important in choosing a number is that this could be your last chance to get your account back if you lose your phone or back up codes. You will, however, get to change this number after you have set this up.
Now keep your phone handy beside you because you will receive a six digit code via SMS at the number you just provided. This is one of the ways you can receive your code.
Enter this code and you’re almost done!
If you’re setting up your account from a computer that doesn’t belong to you, don’t click this setting. It negates the security provided by two-step on this computer.
I would prefer to obtain my codes from the app instead of through SMS. If my hostel has no reception, or if I have neither a SIM card nor coverage where I am, then I won’t be able to log into my account.
Thus, I immediately switch to using the app.
A Useful Trick
This is probably the most important and useful step – but also one that somewhat degrades your security.
If you scan the bar code and lose your code generator app, you will need to generate a new code. Your old codes will be rendered useless, including but not limited to all your app specific passwords and backup codes. These are explained later.
If you click on “cannot scan bar code”, you will be provided with that sixteen character string that you can save!
This means, should you lose your code generator all you have to do is enter that string into a new code generator app and you’re all set.
- Why this isn’t insecure: you store this string with your backup codes anyway. So if someone gained access to your backup codes, they are just as likely to have access to your account with or without the code generator.
- Why this is insecure: if you lose your phone to someone who is really trying to gain access to your account, they might try to hack the information out of your phone’s code generator. This means that you probably should change the code.
For most of us, the first part is the most likely scenario. People who steal your phone would probably just reformat the phone and try to sell it, rather than milk it for information. Your photos of the one night stand you had are probably more of a liability than your codes.
At this point, you should generate a series of back up codes and store them securely.
App Specific Passwords
Now, to access your account via your phone, email client, or any other system, you need to create app specific passwords.
These are one-time-use passwords. It is a bit of a hassle having to log into Google to get a new password per device.
However, should you lose that device, it is just as easy to log into Google and revoke that password, without having to change your password on every single device you own.
To create a password, you just click on app password tab then follow the steps.
- Remember not to close the window before entering that password into the app you wish to gain access to or you’ll have to generate a new password.
There you have it. I hope you have some peace of mind now if you’re logging into a public terminal while travelling, or even knowing you are way less likely to get hacked while going about your day to day life.
If you found this useful, please share it with your friends. It might help them avoid some online mishaps too!