2SV is enabled in your Google account settings, not your phone or computer settings.
Sign in to your account on the web and go to
to manage your settings.
2SV settings are under the Security tab. Enable one or more of the following 2SV methods.
Enabling Google Prompt
If you have an Android smart-phone, this method is automatically enabled when you add your Google account to the phone.
If the phone is set up with multiple Google accounts, it will receive Google Prompts for all accounts.
Note this method works because you're already signed in to Google on the phone, so when you try to sign in on another device Google already has a trusted device (your phone) through which to request confirmation.
If you have an iPhone, Google Prompts can be used by installing the Gmail app and adding your iPhone under your Google account's Security settings.
If you wish to disassociate a smart-phone from the Google Prompt, you have to remove that Google account from that phone. (Obviously, this is not recommended if it's the one and only Google account on an Android phone.)
Enabling Google Authenticator
When you initially set up TOTP-style 2FA on any website, the website will create a random alphanumeric key string for you both to use. On your end, you have to configure your authenticator with the same key string.
But how does the website provide that alphanumeric string to you so you can configure your authenticator?
Maybe the website can display it on screen for you to manually type it in. It’s long, though, so that can be error-prone.
Maybe you can cut-and-paste the key string into your authenticator. That may work on a computer, but won't be easy if you are setting up a mobile device.
Alternatively, if the website can embed the string in a QR code, your phone's camera can read the QR code and the authenticator app can extract the key string and configure itself, all without error. That will be the method most people will opt to use.
Note that the only purpose of the QR code is for transferring the key string. It is not a passcode to use when logging into a website. It’s only for initially configuring an authenticator app. After the app is configured, you no longer need the QR code.
To add an authenticator app to your Google account, select "Set up" and follow the prompts. Google will create a long, random, alphanumeric text string to be used as your secret key. Google will embed it in a QR code and display the QR code on your computer screen.
Install an authenticator app (which can be Google Authenticator or one of many others) on your smart-phone, and point the phone's camera at the QR code.
The app will read the QR code, set itself up with a token, and start displaying a 6-digit numeric code. The 6-digit code is calculated based on the secret key and the current time, and will change every 30 seconds.
Finally, Google will ask you for the authenticator's currently displayed 6-digit code as a way to confirm you and Google are using the same secret key.
As long as you and Google (or whichever service you're using) are synced to the same time and using the same secret key, both sides will generate the same 6-digit code.
Thus, it is imperative that your device's time is reasonably in sync with Google's servers or they will not come up with matching codes.
A little leeway is allowed, but don't let your device's time drift too far off.
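The calculation and the clock leeway described above, as an added example (not Google's code). It follows the standard TOTP algorithm (RFC 6238, HMAC-SHA1); the one-step tolerance in `verify` is an assumed value for "a little leeway", and `SAMPLE_KEY` is a constructed test key.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30     # seconds each code is valid, as described above
DIGITS = 6

# Constructed sample key: Base32 of the RFC 6238 test secret "12345678901234567890".
SAMPLE_KEY = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def totp(secret_b32: str, unix_time: float) -> str:
    """Return the 6-digit code for this key at this time (RFC 6238, HMAC-SHA1)."""
    # Key strings are Base32; tolerate spaces, lowercase and missing padding.
    cleaned = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
    counter = int(unix_time) // STEP              # constant for 30 seconds
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def verify(secret_b32: str, submitted: str, server_time: float, window: int = 1) -> bool:
    """Server-side check: accept codes up to `window` steps either side of now."""
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, server_time + drift * STEP)
        if hmac.compare_digest(expected, submitted):   # constant-time compare
            return True
    return False

if __name__ == "__main__":
    server_now = 1111111111                       # fixed time so runs are repeatable
    print("phone in sync:   ", verify(SAMPLE_KEY, totp(SAMPLE_KEY, server_now), server_now))
    print("phone 2 s slow:  ", verify(SAMPLE_KEY, totp(SAMPLE_KEY, server_now - 2), server_now))
    print("phone 5 min slow:", verify(SAMPLE_KEY, totp(SAMPLE_KEY, server_now - 300), server_now))
```

A wider `window` tolerates more clock drift but also lengthens the time a captured code stays usable.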
Note that there is nothing particularly special or proprietary about the QR code. It is merely a convenient way to transfer the super-long alphanumeric key string into the app.
Although more cumbersome, if you wanted to you could do the same thing by manually typing in the key.
(The alphanumeric string will be revealed if you click the "Can't Scan It?" link when the QR code is displayed on screen.)
The key is the only crucial part of the QR code. There may be additional fields embedded in the code, such as a name and "issuer" field, but those are non-critical and only to help you differentiate tokens from one another if you use the same app for multiple tokens.
Depending on your authenticator app, you may even be allowed to rename the token after you've set it up -- but that is only for your convenience, and applies only to that particular installation on that particular phone.
Those interested in delving deeper into TOTP QR codes may want to spend some time exploring Stefan Sundin's nice little webpage on GitHub.
With it you can create QR codes, or if you load an existing QR image it will decode the embedded parameters for you.
As you alter parameters, the QR image changes in real time, and the line right above the image shows the “otpauth” text string that is encoded in the image.
When a given website generates a QR code for you to scan into your authenticator app, this text string is the only information the app will see.
Note there is nothing in that string that is specific to any brand of authenticator, so it should be evident that the brand of authenticator you use is immaterial.
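What an authenticator app sees when it reads such a string, as an added example (not taken from any particular app or from the webpage mentioned above). The two URIs, the account names and the `same_token` helper are constructed for illustration; the field names and defaults follow the widely used otpauth key URI format.

```python
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed samples: the same key string under two different labels.
URI_FROM_SITE = ("otpauth://totp/Example:alice%40example.com"
                 "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")
URI_RENAMED = ("otpauth://totp/Shared%20login"
               "?secret=gezdgnbvgy3tqojqgezdgnbvgy3tqojq&digits=6&period=30")

def parse_otpauth(uri: str) -> dict:
    """Split the text inside a TOTP QR code into its fields."""
    parts = urlsplit(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "secret" not in params:
        raise ValueError("no secret: the key string is the one required field")
    return {
        "secret": params["secret"].replace(" ", "").upper(),
        # Label and issuer only help you tell tokens apart.
        "label": unquote(parts.path.lstrip("/")),
        "issuer": params.get("issuer", ""),
        # Defaults applied when the QR code omits these fields.
        "algorithm": params.get("algorithm", "SHA1").upper(),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
    }

def same_token(uri_a: str, uri_b: str) -> bool:
    """True when two URIs would produce identical codes (names are ignored)."""
    a, b = parse_otpauth(uri_a), parse_otpauth(uri_b)
    return all(a[k] == b[k] for k in ("secret", "algorithm", "digits", "period"))

if __name__ == "__main__":
    for uri in (URI_FROM_SITE, URI_RENAMED):
        print(parse_otpauth(uri))
    print("same codes:", same_token(URI_FROM_SITE, URI_RENAMED))
```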
(Caveat: in tests it seems an authenticator app cannot be the first Google 2SV method you set up.
YMMV, but you may have to enable one of the other methods first, then you can set up Google Authenticator.
You can go back and delete the first method if you don't really want it and Google Authenticator will stay, but apparently it maybe can't be the one you initially start with.)
Backing Up Google Authenticator
A second device can be configured from the same QR code, so I recommend taking a screenshot of the QR code (or copy and paste the alphanumeric key string) when Google offers it.
You can subsequently use the same key string to set up another authenticator app on another phone or another computer at any point in the future.
(If you have already enabled an authenticator app for your Google account but forgot to record the key string or QR code, you can delete it and start over, enabling it anew. Google will generate a new key string, which you can record this time.)
To configure a second device with the same secret key, simply install your authenticator app of choice, click the setting to add a new entry, display the QR image you saved earlier, and point the phone’s camera at your computer screen. That's all there is to it.
You do not need to tell the website you have multiple authenticators, you merely reuse the same QR code or key string.
As long as all your authenticators use the same key for a given token, they will all generate the same 6-digit code when Google 2SV asks for it.
Some apps may offer a function to back up or migrate your configured 2FA tokens to another device.
However, if you copy the key string or QR code right from the beginning (i.e., while it’s still on the screen at initial setup) you can always recreate the token whenever you want, so there's no need to be concerned with which apps may or may not have a migrate function.
Besides, most people aren't likely to have more than 5 or 10 tokens, and with that amount you could probably recreate them all anew faster than it would take to even begin researching how to migrate from a prior authenticator.
Best of all, recreating tokens will work with all TOTP apps, regardless of whether or not they support backup/restore or migrate functions -- and hence will not limit your choice of which app you use.
To summarize, you don’t set up multiple devices via the website; you set up once and then use your copy of the QR code to replicate to additional devices.
If both you and your spouse need access to the same bank account, for instance, you set up 2FA at the bank once, and replicate it to both of your phones. You don’t set up each device with the bank.
Warning: Whatever you do, understand that the secret key and QR code are, quite literally, the keys to the kingdom. If a hacker gets either, he can generate your 2FA TOTP codes himself, and you’re in trouble.
So while I recommend saving them, do make sure you save them securely. You don’t need either in day-to-day use, so stash them away on an off-device backup and delete them from your daily-use devices.
You only need the secret key when reinstalling or setting up an additional authenticator, so it doesn't need to be readily at hand all the time.
You can save the key string, the QR code, or both if you wish. They’re functionally the same thing, though, so it's really only necessary to back up one or the other.
Any ordinary QR code reader can read the key string from the QR code, and vice versa, a new QR code can be regenerated from the key string.
So if you back up only one you can always recreate the other at will from the one you saved.
Enabling Hardware Security Key
To add a Security Key, select "Add Security Key" and follow the prompts.
You will be asked what kind of Security Key you have and guided through the process of registering its secret string.
A hardware key is another form of TOTP authenticator, with its own unique key embedded in its firmware.
In contrast, an authenticator app is software, so it can be installed on multiple devices using the same key.
This may mean hardware keys are technically more secure, but software authenticators will be more convenient if multiple people need to share access to the same account.
Enabling Voice or Text Message
To enable a voice or text message, select "Set up" and follow the prompts.
You will be asked for a phone number to use, and whether you want to receive voice calls or SMS text messages.
Google will send a message to that phone and ask you to confirm the code that was sent.
This verifies the process is working properly.
Note this can work with any phone and, unlike a Google Prompt, does not require the phone number to have any association with Google.
It can even be used with a land-line phone that can't receive text messages because Google can send automated voice calls instead.
Creating Backup Codes
In your account settings, click the "Backup codes" option.
Google will create and remember a set of ten random, 8-digit numeric codes that can be used to verify yourself to Google when necessary.
Print and save these codes in a secure place.
A hacker could impersonate you if he were to acquire these codes, so keep them safe.
Use any one of the 8-digit codes when you need to authenticate yourself. (They don't need to be used in a particular order.)
Once used, that code is expired but the rest of the codes remain available for future use. Each code does not expire until you use it, or unless you delete them from your account settings.
At any time you can ask Google to generate a new set of ten codes. Any unused codes are discarded when Google generates a set of ten new codes.