Understanding Two-Factor Authentication
Over the years, numerous service providers across a variety of industries have gradually implemented better and more secure ways of verifying that you are the person you claim to be when interacting with them. Typically this takes the form of two steps, each asking for a different item of verification, such as a password and a code sent to your phone, or a password and a secret question. Companies implementing these solutions range from tech services (Microsoft, Apple, Facebook, Twitter, PayPal, Amazon, LastPass, BitWarden, DropBox, WordPress, GoDaddy, et al) to health, financial, government and utility services (banking, credit cards, investment firms, telephone, cable TV, electricity, gas, water, the IRS, Social Security, EDD), and more.

Google has long encouraged users to use Two-Factor Authentication (2FA) or Two-Step Verification (2SV) whenever possible, and to that end has recently begun automatically enrolling accounts whose existing settings already support it (1, 2). If this change has been made to your Google account and you do not want it, you can (for the time being, at least) turn it back off. However, there are good reasons for embracing this security feature.

If you think the extra security is an inconvenience, keep in mind that, as the saying goes, "convenience is the enemy of security". The more convenient you make something the less secure it becomes, and vice versa. The objective, then, is to find a solution that balances an acceptable level of inconvenience with an appropriate level of security.

For instance, when you stop by the store to pick up a few groceries, it would arguably be more convenient if you left your car unlocked -- especially if your arms are full of groceries when you come out of the store. But the hassle of having to dig your keys out of your pocket seems a small price to pay when compared to the consequences if your car isn't there when you come back.

Sometimes the consequences of getting it wrong can be much more disastrous, so when your bank's ATM requires two items of authentication (your ATM card and your PIN), the extra security is welcome.

And so it is with your Google account. When evaluating whether Google's extra security measures are too much bother, ask yourself how much trouble you'd be in if your Google account was hijacked. These days it is much more than merely a place to trade funny memes or keep up with coworkers. It may be tied to your social media accounts and other Google services like your photos, music collections, schedule calendar, and location history. It may be tied to your smart-phone, Venmo, PayPal, Google Pay, and as a way to authenticate yourself with your bank or credit card companies. It may be used to access critical business or government services.

It isn't just an email account, it can be tied to your very identity. It behooves you to take the security of your account seriously.

The discussion below should help you understand 2FA or 2SV -- what it is and how it works. The details in this tutorial focus on the options Google offers, but the principles can be applied more broadly because other companies often use one or more of the same techniques, enabled in a similar fashion. You should be able to find one or more methods that are not too burdensome yet still provide better protection against your account being hacked or hijacked.

What Is Two-Factor Authentication?
"Two-Factor Authentication" (2FA) is the strategy of grouping the possible items of verification into "factors" -- or buckets of similar verification methods -- and requiring that the two items requested come from different buckets.

In this context, the different factors can be defined as:
Things You Know
This is knowledge you would know but (hopefully) a thief would not -- such as a password, Social Security Number (SSN), place of birth, favorite pet's name, combination lock code to a safe, etc.
Things You Have
These are physical items you would have but an imposter should not -- such as a house key, your cell phone, a credit card, a key to a filing cabinet, etc.
Things You Are
These include biometric characteristics that are unique to you -- such as your fingerprints, iris scan, face id, DNA profile, etc.

When enabled, a user signing in will start by providing a username and password as before, but the service will then respond by asking for a second piece of verification. After this second step is completed, the user is signed in and can continue to use the service as before.

Requiring things from two buckets is considered to be more secure than two things from the same bucket. After all, if a hacker knows you well enough to have your password, then he might also know your mother's maiden name or your high school mascot, but is less likely to have your house key. A burglar who breaks into your home or steals your wallet might get your driver's license or ATM card, but probably wouldn't get your bank PIN code.

Services that ask for two items from the same bucket -- such as, for example, a password and a secret question, or a PIN and the last four digits of your Social Security number (both "Things You Know") -- are not as strong as true 2FA. While it's at least better than asking for only one item, two items from different buckets is a more secure policy.

Once you have been authenticated signing in from a given device, the web service can optionally remember that device -- typically by storing a long-lived token (a cookie) in that browser, sometimes combined with a "fingerprint" of that computer+browser combination's characteristics -- so it can skip 2FA on subsequent sign-ins from the same device. The service can afford to be less stringent if you're signing in from a device it has seen before, while still maintaining a stronger posture toward sign-in attempts coming from an unfamiliar device. (The flip side is that anyone who can use that remembered browser, or copy its cookies, also gets to skip the second step, so only mark devices you control as trusted.)

What Is Two-Step Verification?
"Two-Step Verification" (2SV) is Google's variation on 2FA.

In fairness, the term may also be technically more accurate than 2FA, as pedants could argue some methods don't fall neatly into one factor or another. For example, if a sophisticated hacker convinces your phone carrier to redirect your text messages to a phone under his control (a "SIM swap" or port-out fraud), he doesn't need to have your physical phone to intercept an SMS verification code sent from your bank. The presumption of your phone serving as "Something You Have" is broken.

Also, calling it "two steps" rather than "two factors" is probably easier for some customers to understand. These security measures are for the customers' benefit, so it's helpful if users can appreciate why these enhancements are a good thing. If the terminology is easier to understand, they're more likely to accept the slight imposition as being a net positive.

Google's Second Steps
Google has five acceptable ways you can provide 2SV's second step. You can enable one or more of the following methods. To avoid locking yourself out if something should go awry at some point in the future, it's highly recommended that you enable multiple methods in case one method becomes unavailable or compromised when you need it.

Google's allowable second steps include:
Google Prompt
This is a pop-up alert sent to a smart-phone associated with your Google account. When you attempt to sign in to Google on a given computer, that computer will instruct you to check your smart-phone, to which a pop-up is pushed asking, "Is that you trying to sign in?" Answering "Yes" to the prompt on the phone tells Google that the person with your phone is the same as the one on the computer, and lets the sign-in proceed. This is "Something You Know" (your password, entered on the computer) and "Something You Have" (your phone, to respond to Google's prompt). Before tapping "Yes", check that the prompt's details (location, device, time) match what you are actually doing; if you receive a prompt you didn't trigger, someone else has your password and you should answer "No" and change it.


(Note: If you have more than one smart-phone associated with a given account, the Google Prompt will appear on all devices simultaneously. Answering the prompt on any device is sufficient to authenticate the sign-in attempt.)

The Google Prompt is an easy, one-tap solution that is best used if you are the only one with access to the account, and if your phone is always with you, and if you're in a good signal area. It is not so convenient if you don't have your phone with you or if you are sometimes in a weak cell signal area.

It is not very convenient if a team of coworkers shares access to the same account. If your phone is registered with the team's account, the Google Prompts can be a nuisance, constantly interrupting you when coworkers may be authenticating their own sign-in attempts. Even worse, team members who have not added the Google account to their phones will need to bother a coworker if they need to authenticate their sign-in attempt.

If enabled, Google Prompt is automatically Google's first choice for 2SV. However, the device on which you are trying to sign in may also offer a link to "Try another way". (See above image.) This is useful if you are signing in on one device but your phone is not readily available to answer the "Is that you?" prompt. If you've enabled other 2SV methods, "Try another way" lets you skip the Google Prompt and use one of the other methods of authentication.

Authenticator App
An authenticator app generates a frequently changing 6-digit code to be entered during your sign-in attempt. These "Time-based One-Time Password" (TOTP, RFC 6238) apps take a preset, random secret key (shown to you as a long base32 text string that is impossible to memorize) and combine it with the current time, rounded down to a 30-second step, in an HMAC-SHA1 computation whose result is truncated to a 6-digit numeric code. A new code is therefore generated every 30 seconds, and Google, holding the same secret, can compute the same code to check yours.

"Google Authenticator" is Google's version of a TOTP app, but there are others. Most operate the same way, and so can be used interchangeably. You can use Google Authenticator for your Microsoft account, for instance, or Microsoft Authenticator for your Facebook account. Thus, you should be able to use one app configured with multiple tokens for your various accounts, rather than hassling with installing different apps for each and every service you use.

Note that Google will refer to it as "Google Authenticator" regardless of which TOTP app you use, but that doesn't matter. Given the same preset secret string, they all generate the same 6-digit number every 30 seconds.

There are TOTP authenticator apps available for phones, tablets, laptops, and desktops. While several companies provide smart-phone apps, some don't support laptop or desktop computers. However, there are equivalent apps for laptops and desktops, such as WinAuth, KeePass (with a TOTP plugin) or KeePassXC, or Authy, not to mention a variety of browser extensions that will do the same thing. Just set them up and use them like Google Authenticator, and Google won't know or care which one you're using. (Keep in mind that an authenticator on the same computer you sign in from weakens the "Something You Have" separation: malware on that computer can reach both your password and your codes.)


One advantage of TOTP authenticator apps (as well as hardware keys) is you don't have to wait for a code to be sent to you via text or email. That makes them ideal if you happen to be in a location with poor cell phone reception.

They are also great for teams or family members sharing access to the same account. Since the same secret key can be replicated to multiple authenticators, each person can have access to the same TOTP codes without bothering the others. The trade-off is that every copy of the secret is one more place it can be stolen from, so share it only with people who genuinely need it and replace it (delete the authenticator in your Google settings and set it up anew) when someone leaves the group.

Hardware Security Key
This is a physical device such as Yubico's YubiKey or Google's Titan Security Key, connected over USB, NFC, or Bluetooth. Although it may look like a thumb drive, a security key does not type a code into your computer. It uses the FIDO U2F / FIDO2 (WebAuthn) protocol: when you register the key, it generates a fresh public/private key pair for your Google account and gives Google only the public half. At sign-in, your browser hands the key a random challenge together with the website's origin (the real Google domain), you touch the key to approve, the key signs the challenge with the private key (which never leaves the device), and Google verifies the signature with the stored public key. Because the signature is bound to the genuine site's origin, a look-alike phishing page cannot obtain a signature that works on the real site, which is why Google treats security keys as its strongest second step.

A hardware key is not a convenient option if a team of coworkers or family members needs to share access to an account, because only one person can hold the device at a time. Google does allow more than one security key to be registered on an account, so each person can register their own key; that costs a key per person, but nothing secret has to be copied around.

Voice or Text Message
Google can also use the old, familiar method of sending a verification code by SMS message or by automated voice call to your telephone number. Unlike TOTP, this code is not computed from a shared secret: Google generates a random 6-digit code when you request it, sends it to your phone, and remembers it for a limited time (on the order of minutes) because there is an inherent time lag waiting for your phone to receive the message. In contrast, authenticator apps can use a 30-second window because the code is computed on your own device with no delivery delay, and security keys don't involve a typed code at all.

Voice or SMS messages are also not a convenient option for multiple users sharing an account because the 6-digit code is sent to only one phone.

Experts consider this method to be the least secure of the five, because it is possible for a hacker to trick or bribe the phone company into redirecting your number to a phone under his control (a SIM swap), to intercept messages in the phone network itself, or simply to phish the code out of you on a fake sign-in page and relay it in real time. Any of those lets a hacker trying to sign in as you receive your second-step code and convince Google he's you. For most people this is still a modest risk (and having an SMS second step is still far better than having no second step at all), so users shouldn't be discouraged from using this method if other methods are not practical.

(Ironically, it's baffling why many banks and financial services offer only this weaker method and fail to offer stronger methods like security keys or authenticator apps.)

Backup Codes
You can have Google generate a list of ten 8-digit authentication codes, which can be printed or written down and stored in a safe place until needed. A backup code is entered in place of an authenticator code, but the codes do not expire until they are used. Each code can be used only once, with the remaining unused codes retained indefinitely for future use.

Backup Codes can be a "when-all-else-fails" option. They can be a lifesaver when everything else gets messed up, so it's not a bad idea to enable this option so you have a "last-ditch" alternative to verifying yourself if it ever should come to that.

Regardless of which method you choose, signing into your Google account with 2SV on a given device should also offer an option to "Don't ask again on this device". (See above image.) If that option is enabled and you successfully sign in, Google will deem that device to be "trusted" and you won't be required to jump through the 2SV hoops in the future when signing in on the same device. If you're using somebody else's computer, though, and don't want it to become a "trusted computer" on your behalf, just be careful to deselect that option when signing in.

Enabling Google Two-Step Verification
2SV is enabled in your Google account settings, not your phone or computer settings. Sign in to your account on the web and go to https://myaccount.google.com to manage your settings. 2SV settings are under the Security tab. Enable one or more of the following 2SV methods.
Enabling Google Prompt
If you have an Android smart-phone, this method is automatically enabled when you add your Google account to the phone. If the phone is set up with multiple Google accounts, it will receive Google Prompts for all accounts.

Note this method works because you're already signed in to Google on the phone, so when you try to sign in on another device Google already has a trusted device (your phone) through which to request confirmation.

If you have an iPhone, Google Prompts can be used by installing the Gmail app (or the Google app), signing in to your account there, and adding your iPhone under your Google account's Security settings.

If you wish to disassociate a smart-phone with the Google Prompt, you have to remove that Google account from that phone. (Obviously, this is not recommended if it's the one and only Google account on an Android phone.)

Enabling Google Authenticator
To add an authenticator app, select "Set up" and follow the prompts. Google will create a random secret key, shown as a long base32 text string, to be used as your shared secret. Google will embed it in a QR code and display the QR code on your computer screen. Install an authenticator app (which can be Google Authenticator or one of many others) on your smart-phone, and point the phone's camera at the QR code. The app will read the QR code, set itself up with a token, and start displaying a 6-digit numeric code. The 6-digit code is calculated based on the key and the current time, and will change every 30 seconds. Finally, Google will ask you for the authenticator's currently displayed 6-digit code as a way to confirm you and Google are using the same secret key.


As long as you and Google (or whichever service you're using) are synced to the same time and using the same secret key, both sides will generate the same 6-digit code. Thus, it is imperative that your device's time is reasonably in sync with Google's servers or they will not come up with matching codes. A little leeway is allowed (servers typically accept the code for the 30-second step just before or after the current one), but don't let your device's time drift more than a few seconds off; most authenticator apps offer a time-correction option if it does.

Note that there is nothing particularly special or proprietary about the QR code. It simply encodes a text URI of the form otpauth://totp/...?secret=...&issuer=..., and is merely a convenient way to transfer the long secret key string into the app. Although more cumbersome, if you wanted to you could do the same thing by manually typing in the key. (The key string will be revealed if you click the "Can't Scan It?" link when the QR code is displayed on screen.)

The key is the only crucial part of the QR code. There may be additional fields embedded in the code, such as a name (the "label") and an "issuer" field, but those are non-critical and only help you differentiate tokens from one another if you use the same app for more than one account. (Some services also include fields for the number of digits, the time step, or the hash algorithm; Google uses the defaults of 6 digits, 30 seconds and SHA-1.) In fact, depending on your authenticator app, you may even be allowed to rename the token if you wish; but that is only for your convenience, and applies only in that specific installation of the app.

To configure a second device with the same secret key, take a screenshot of the QR code (or make a note of the key's text string) when Google offers it. You do not need to change anything within your account settings when setting up an additional authenticator -- just reuse the same QR code (or type in the same text key manually). As long as all your authenticators use the same key for the token, they will all generate the same 6-digit code when Google 2SV asks for it.
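The TOTP mechanics described above (the shared secret carried in the QR code's otpauth URI, the 30-second step, the 6-digit truncation, and the need for the two clocks to agree) can be seen end to end in the following Python. This is an added example, not code from this tutorial or from Google Authenticator; it implements RFC 4226/6238 with the standard library only, and the secret and otpauth URI used in it are the RFC 6238 reference test secret and a made-up label, not a real account's key. The one-step-either-side tolerance in verify_totp is a common server choice, assumed here, not a statement of Google's exact policy.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlsplit

# RFC 6238 reference secret (the ASCII bytes "12345678901234567890"),
# base32-encoded the way an authenticator app expects it.
# Constructed test input, not a real account's key.
RFC6238_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def parse_otpauth(uri):
    """Pull the fields out of an otpauth://totp/... URI (what the QR code encodes)."""
    parts = urlsplit(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {
        "label": unquote(parts.path.lstrip("/")),      # e.g. "Google:alice@example.com"
        "secret": params["secret"].upper().replace(" ", ""),
        "issuer": params.get("issuer"),
        "digits": int(params.get("digits", 6)),         # Google uses the defaults
        "period": int(params.get("period", 30)),
    }


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)   # base32 needs 8-char groups
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                      # low nibble picks 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)                 # keep leading zeros


def totp(secret_b32, unix_time=None, digits=6, period=30):
    """RFC 6238 TOTP: the HOTP counter is the number of 30-second steps since the Unix epoch."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(secret_b32, unix_time // period, digits)


def verify_totp(secret_b32, code, unix_time=None, window=1, digits=6, period=30):
    """Server side: accept the code for the current step and +-window adjacent steps,
    which is what tolerates a little clock drift between the phone and the server."""
    if unix_time is None:
        unix_time = int(time.time())
    counter = unix_time // period
    return any(
        hmac.compare_digest(hotp(secret_b32, counter + k, digits), code)
        for k in range(-window, window + 1)
    )


if __name__ == "__main__":
    # Two "authenticators" loaded from the same QR contents produce the same code.
    qr_contents = ("otpauth://totp/Google%3Aalice%40example.com"
                   "?secret=" + RFC6238_SECRET_B32 + "&issuer=Google")
    token = parse_otpauth(qr_contents)
    now = int(time.time())
    print(token["issuer"], token["label"], totp(token["secret"], now))
    # A phone whose clock is 4 minutes slow fails verification against a correct server.
    print("slow clock accepted:", verify_totp(token["secret"], totp(token["secret"], now - 240), now))
```

Running the script shows the current code for the reference secret and demonstrates the drift failure: a device four minutes off produces a code the server rejects, while one a few seconds off lands in the adjacent step and still passes.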

Warning: A hacker could impersonate you if he were to get this key, so keep your copy of the key string or QR code stored in a safe place. You only need it when reinstalling or setting up an additional authenticator, so it doesn't need to be readily at hand all the time.

If you have already enabled an authenticator app for your Google account but forgot to record the key string or QR code, you can delete it and start over, enabling it anew. Google will generate a new key string, which you can record this time. Any authenticator still holding the old key will stop producing valid codes, so set each of them up again from the new key.

(Caveat: in tests it seems an authenticator app cannot be the first Google 2SV method you set up. YMMV, but you may have to enable one of the other methods first, and then you can set up Google Authenticator. You can go back and delete the first method if you don't really want it and Google Authenticator will stay, but it apparently can't be the one you initially start with.)

Enabling Hardware Security Key
To add a Security Key, select "Add Security Key" and follow the prompts. You will be asked what kind of Security Key you have and guided through registering it: you plug in (or tap) the key and touch its button, the key generates a key pair for your account, and the public half is sent to Google. Give the key a recognizable name in your settings so you can tell it apart from any others you register.

A hardware key is not a TOTP generator. Instead of a shared secret that both you and Google know, it holds a private key that never leaves the device, and Google holds only the matching public key, so there is nothing on Google's side that could be stolen and reused to impersonate you, and nothing for a phishing site to capture. A hardware key therefore is more secure than an authenticator app, and an authenticator app is software that can be installed on multiple devices using the same secret, which makes it more convenient (at the cost of more copies of the secret) if multiple people need to share access to the same account.

Enabling Voice or Text Message
To enable a voice or text message, select "Set up" and follow the prompts. You will be asked for a phone number to use, and whether you want to receive voice calls or SMS text messages. Google will send a message to that phone and ask you to confirm the code that was sent. This verifies the process is working properly.


Note this can work with any phone and, unlike a Google Prompt, does not require the phone number to have any association with Google. It can even be used with a land-line phone that can't receive text messages because Google can send automated voice calls instead.

Creating Backup Codes
In your account settings, click the "Backup codes" option. Google will create and remember a set of ten random, 8-digit numeric codes that can be used to verify yourself to Google when necessary. Print and save these codes in a secure place. A hacker could impersonate you if he was to acquire these codes, so keep them safe.


Use any one of the 8-digit codes when you need to authenticate yourself. (They don't need to be used in a particular order.) Once used, that code is expired, but the rest of the codes remain available for future use. A code remains valid until you use it, until you generate a replacement set, or until you delete the codes from your account settings.

At any time you can ask Google to generate a new set of ten codes. Any unused codes are discarded when Google generates a set of ten new codes.
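To make the rules for backup codes concrete (random, order-independent, each usable once, and the whole unused set discarded when a new set is generated), here is a small server-side model of them in Python. It is an added illustration, not Google's implementation: the code count and length follow the ten 8-digit codes described above, and storing a salted hash of each code rather than the code itself is the assumed (and recommended) way to keep a copy of the account database from leaking usable codes.

```python
import hashlib
import hmac
import secrets


def generate_backup_codes(count=10, digits=8):
    """Ten independent random 8-digit codes, zero-padded so leading zeros survive."""
    return [str(secrets.randbelow(10 ** digits)).zfill(digits) for _ in range(count)]


class BackupCodeStore:
    """Server-side record of one account's unused backup codes.

    Only a keyed hash of each code is kept, so a stolen database does not yield
    the codes themselves. The 16-byte per-account salt makes identical codes on
    two accounts hash differently.
    """

    def __init__(self):
        self._salt = secrets.token_bytes(16)
        self._unused = set()

    def _digest(self, code):
        return hmac.new(self._salt, code.encode(), hashlib.sha256).hexdigest()

    def issue(self, count=10, digits=8):
        """Generate a fresh set; any unused codes from the previous set are discarded."""
        codes = generate_backup_codes(count, digits)
        self._unused = {self._digest(c) for c in codes}
        return codes                    # shown to the user once, for printing

    def redeem(self, code):
        """Accept a code in any order, exactly once; spaces typed by the user are ignored."""
        digest = self._digest(code.replace(" ", ""))
        if digest in self._unused:
            self._unused.remove(digest)  # single use: burn it on success
            return True
        return False

    def remaining(self):
        return len(self._unused)


if __name__ == "__main__":
    store = BackupCodeStore()
    printed = store.issue()
    print("codes to print and lock away:", printed)
    print("use the 7th code first:", store.redeem(printed[6]))      # True
    print("replay the same code:", store.redeem(printed[6]))        # False
    print("remaining:", store.remaining())                          # 9
```

The usage block shows the properties in order: the seventh code works even though the first six are untouched, the same code fails the second time, and nine remain. Calling issue() again returns a new list and silently invalidates those nine, which is exactly why the tutorial tells you to print the new set and destroy the old printout.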

In summary, enabling at least one of the above 2SV methods will help make your Google account more secure. Enabling more than one can make things easier for you if your primary 2SV method happens to be temporarily unavailable at the moment you need it. And allowing Google to remember your trusted devices can make it easier for you if you frequently sign in from the same devices.

Hopefully, you'll see these extra security measures are not really as inconvenient as they may at first appear, and will be well worth it if they stop a hacker from taking over your account.



last revised: 03/15/2022

author: Dan Goodell