Main   Back to Tutorials Index 
Understanding Two-Factor Authentication
Over the years, numerous service providers across a variety of industries have gradually implemented better and more secure ways of verifying you are the person who you claim to be when interacting with them. Typically this takes the form of two steps, each asking for a different item of verification, such as a password and a phone number, or a password and a secret question. Companies implementing these solutions range from tech services (Microsoft, Apple, Facebook, Twitter, PayPal, Amazon, LastPass, BitWarden, DropBox, WordPress, GoDaddy, et al) to health, financial, government and utility services (banking, credit cards, investment firms, telephone, cable TV, electricity, gas, water, the IRS, Social Security, EDD), and more.

Google has long encouraged users to use Two-Factor Authentication (2FA) or Two-Step Verification (2SV) whenever possible, and to that end has recently begun "opting-in" accounts that they determine already support it (1, 2). If this change has been made to your Google account and you do not want it, you can (for the time being, at least) turn it back off. However, there are good reasons for embracing this security feature.

If you think the extra security is an inconvenience, keep in mind that, as the saying goes, "convenience is the enemy of security". The more convenient you make something the less secure it becomes, and vice versa. The objective, then, is to find a solution that balances an acceptable level of inconvenience with an appropriate level of security.

For instance, when you stop by the store to pick up a few groceries, it would arguably be more convenient if you left your car unlocked -- especially if your arms are full of groceries when you come out of the store. But the hassle of having to dig your keys out of your pocket seems a small price to pay when compared to the consequences if your car isn't there when you come back.

Sometimes the consequences of getting it wrong can be much more disastrous, so when your bank's ATM requires two items of authentication (your ATM card and your PIN), the extra security is welcome.

And so it is with your Google account. When evaluating whether Google's extra security measures are too much bother, ask yourself how much trouble you'd be in if your Google account was hijacked. These days it is much more than merely a place to trade funny memes or keep up with coworkers. It may be tied to your social media accounts and other Google services like your photos, music collections, schedule calendar, and location history. It may be tied to your smart-phone, Venmo, PayPal, Google Pay, and as a way to authenticate yourself with your bank or credit card companies. It may be used to access critical business or government services.

It isn't just an email account, it can be tied to your very identity. It behooves you to take the security of your account seriously.

The discussion below should help you understand 2FA or 2SV -- what it is and how it works. The details in this tutorial focus on the options Google offers, but the principles can be applied more broadly because other companies often use one or more of the same techniques, enabled in a similar fashion. You should be able to find one or more methods that are not too burdensome yet still provide better protection against your account being hacked or hijacked.

What Is Two-Factor Authentication?
"Two-Factor Authentication" (2FA) is the strategy of grouping the possible items of verification into "factors" -- or buckets of similar types of identification -- and requiring that the two items being presented must come from different buckets.

In this context, the different buckets can be categorized as:
Things You Know
This is knowledge you would know but (hopefully) a thief would not -- such as a password, Social Security Number (SSN), place of birth, favorite pet's name, combination lock code to a safe, etc.
Things You Have
These are physical items you would have but an imposter should not -- such as a house key, your cell phone, a credit card, a key to a filing cabinet, etc.
Things You Are
These include biometric characteristics that are unique to you -- such as your fingerprints, iris scan, face id, DNA profile, etc.

When enabled, a user signing in will start by providing a username and password as before, but the service will then respond by asking for a second piece of verification. After this second step is completed, the user is signed in and can continue to use the service as before.

Requiring things from two buckets is considered to be more secure than two things from the same bucket. After all, if a hacker knows you well enough to have your password, then he might also know your mother's maiden name or your high school mascot, but is less likely to have your house key. A burglar who breaks into your home or steals your wallet might get your driver's license or ATM card, but probably wouldn't get your bank PIN code.

Services that ask for two items from the same bucket -- such as, for example, a password and a secret question, or a PIN and the last four digits of your Social Security number (both "Things You Know") -- are not as strong as true 2FA. While it's at least better than asking for only one item, two items from different buckets is a more secure policy.

Once you have been authenticated signing in from a given device, the web service can optionally remember that device (by "fingerprinting" the unique characteristics of your computer and browser) so it can skip 2FA on subsequent sign ins from the same device. The service can afford to be less stringent if you're signing in from a device it's fingerprinted before, while still maintaining a stronger posture to sign-in attempts coming from an unfamiliar device.

What Is Two-Step Verification?
"Two-Step Verification" (2SV) is Google's variation on 2FA.

In fairness, the term may also be technically more accurate than 2FA, as pedants could argue some methods don't fall neatly into one factor or another. For example, if a sophisticated hacker convinces your phone carrier to redirect your text messages to a phone under his control, he doesn't need to have your physical phone to intercept a SMS verification code sent from your bank. The presumption of your phone serving as "Something You Have" is broken.

Also, calling it "two steps" rather than "two factors" is probably easier for some customers to understand. These security measures are for the customers' benefit, so it's helpful if users can appreciate why these enhancements are a good thing. If the terminology is easier to understand, they're more likely to accept the slight imposition as being a net positive.

Google's Second Steps
Google has five acceptable ways you can provide 2SV's second step. You can enable one or more of the following methods. To avoid locking yourself out if something should go awry at some point in the future, it's highly recommended that you enable multiple methods in case one method becomes unavailable or compromised when you need it.

Google's allowable second steps include:
Google Prompt
This is a pop-up alert sent to a smart-phone associated with your Google account. When you attempt to sign in to Google on a given computer, that computer will instruct you to check your smart-phone, to which a pop-up is pushed asking, "Is that you trying to sign in?" Answering "Yes" to the prompt on the phone tells Google that the person with your phone is the same as the one on the computer, and lets the sign-in proceed. This is "Something You Know" (your password, entered on the computer) and "Something you Have" (your phone, to respond to Google's prompt).


(Note: If you have more than one smart-phone associated with a given account, the Google Prompt will appear on all devices simultaneously. Answering the prompt on any device is sufficient to authenticate the sign-in attempt.)

The Google Prompt is an easy, one-tap solution that is best used if you are the only one with access to the account, and if your phone is always with you, and if you're in a good signal area. It is not so convenient if you don't have your phone with you or if you are sometimes in a weak cell signal area.

It is not very convenient if a team or coworkers share access to the same account. If your phone is registered with the team's account the Google Prompts can be a nuisance, constantly interrupting you when coworkers may be authenticating their own sign-in attempts. Even worse, team members who have not added the Google account to their phones will need to bother a coworker if they need to authenticate their sign-in attempt.

If enabled, Google Prompt is automatically Google's first choice for 2SV. However, the device on which you are trying to sign in may also offer a link to "Try another way". (See above image.) This is useful if you are signing in on one device but your phone is not readily available to answer the "Is that you?" prompt. If you've enabled other 2SV methods, "Try another way" lets you skip the Google Prompt and use one of the other methods of authentication.

Authenticator App
An authenticator app generates a frequently changing 6-digit code to be entered during your sign-in attempt. This “Time-based One-Time Password” (TOTP) is a kind of temporal numeric password that is typically good for only 30 seconds. Your authenticator app generates it by mixing the current time with a very long alphanumeric key string -- say, 20-30 characters, which would be difficult or impossible to memorize. Every 30 seconds the code is regenerated, with the same key but a new time.

The website to which you are trying to login does the same. As long as you and the website are using the same key and the same clock time, you should both come up with the same result for that 30-second window. If the 6-digit code you type in during a login attempt matches what the website expects, the website will know both of you are using the same secret key.

In effect, this is a way of verifying that you both know the same secret without either of you having to reveal it during the login process. This gives a potential hacker nothing he could steal or later use to hijack your account. While a hacker may know the current time, he cannot generate your TOTP code unless he also has your secret key, and that is never revealed during the login process.

"Google Authenticator" is Google's version of a TOTP app, but there are others. Most are interchangeable. Google Authenticator, Microsoft Authenticator, Facebook Authenticator, Lastpass Authenticator, Aegis, Authy, WinAuth, KeePass, Bitwarden, et al, all follow the otpauth standard, so are functionally identical and will produce the exact same results.

If a website offers any of these choices, you can be certain any of the equivalent alternatives will also work just as well. Thus, you should be able to use one app configured with multiple tokens for various accounts, rather than having to hassle with installing a different app for each and every service you access.

However, beware that not all websites follow the standard. For instance, as of this writing sites like eTrade.com and the US Social Security Administration, among others, will insist that you use a proprietary app instead of an otpauth-compliant authenticator.

There are authenticator apps available for smart-phones, tablets, laptops, and desktops. While several companies provide phone apps, some don't support laptop or desktop computers. However, equivalent apps exist for laptops and desktops that will do the same thing -- such as WinAuth, KeePass, Authy, and a variety of browser extensions. So if desired, you can use one app on your phone and a different app on your computer, both configured with the same tokens.

Note that Google's websites will default to presuming you're using Google Authenticator, but that doesn't matter. Given the same secret string, they all generate the same 6-digit number every 30 seconds. Just set one up and use it like you would Google Authenticator, and Google won't know or care which one you're using.

While many TOTP authenticators can be installed on a smart-phone, don’t be misled into thinking they are tied to your phone number. They are not. You can install and use the app on multiple phones or other devices simultaneously. The only requirement is that you use the same secret key string when replicating a token to other devices.


One advantage of TOTP authenticator apps (and hardware keys, as well) is you don't have to wait for a code to be sent to you via text or email. That makes them ideal if you happen to be in a location with poor cell phone reception.

They are also great for teams or family members sharing access to the same account. Since the same secret key can be replicated to multiple authenticators, each person can have their own access to the same TOTP codes without bothering the others.

Those interested in delving deeper into TOTP QR codes may want to spend some time exploring Stefan Sundin's nice little webpage on github. With it you can create QR codes, or if you load an existing QR image it will decode the embedded parameters for you.

As you alter parameters, the QR image changes in real time, and the line right above the image shows the “otpauth” text string that is encoded in the image. When a given website generates a QR code for you to scan into your authenticator app, this text string is all the app sees. Note there is nothing in there that is specific to any brand of authenticator, so it should be evident that the brand of authenticator you use is immaterial.

Hardware Security Key
This is a physical device such as Yubico's YubiKey or Google's Titan Security Key. These can be USB or Bluetooth devices that connect to your computer and emulate a keyboard, injecting a TOTP code with a touch of a button.

A hardware key is not a convenient option if a team of coworkers or family members needs to share access to an account because only one person has the device.

Voice or Text Message
Google can also use the old, familiar method of sending a verification code by SMS message or by automated voice call to your telephone number. These are also time-based codes, but the codes may be set to expire in 10 minutes or longer because there can be an inherent time lag waiting for your phone to receive the message containing the 6-digit code. In contrast, security keys and authenticator apps can employ a 30-second timeframe because no waiting period is required.

Voice or SMS messages are also not a convenient option for multiple users sharing an account because the 6-digit code is sent to only one phone.

Experts consider this method to be slightly less secure than the other methods because it is possible for a sophisticated hacker to trick the phone system into redirecting your messages to a different phone under his control. That would allow a hacker trying to sign in as you to receive your second step code and convince Google he's you. This is probably a remote risk for most people, though (and nevertheless is still better than having no second step at all), so users shouldn't be discouraged from using this method if other methods are not practical.

(Ironically, it's baffling why many banks and financial services only offer this less secure method and fail to offer stronger methods like authenticator keys or apps.)

Backup Codes
You can have Google generate a list of ten 8-digit authentication codes, which can be printed or written down and stored in a safe place until needed. These codes can be used like Google Authenticator, but the codes do not expire until they are used. Each code can be used only once, with the remaining unexpired codes retained indefinitely for future use.

Backup Codes can be a "when-all-else-fails" option. They can be a lifesaver when everything else gets messed up, so it's not a bad idea to enable this option so you have a "last-ditch" alternative to verifying yourself if it ever should come to that.

Regardless of which method you choose, signing into your Google account with 2SV on a given device should also offer an option to "Don't ask again on this device". (See above image.) If that option is enabled and you successfully sign in, Google will deem that device to be "trusted" and you won't be required to jump through the 2SV hoops in the future when signing in on the same device. If you're using somebody else's computer, though, and don't want it to become a "trusted computer" on your behalf, just be careful to deselect that option when signing in.

Enabling Google Two-Step Verification
2SV is enabled in your Google account settings, not your phone or computer settings. Sign in to your account on the web and go to https://myaccount.google.com to manage your settings. 2SV settings are under the Security tab. Enable one or more of the following 2SV methods.
Enabling Google Prompt
If you have an Android smart-phone, this method is automatically enabled when you add your Google account to the phone. If the phone is set up with multiple Google accounts, it will receive Google Prompts for all accounts.

Note this method works because you're already signed in to Google on the phone, so when you try to sign in on another device Google already has a trusted device (your phone) through which to request confirmation.

If you have an iPhone, Google Prompts can be used by installing the Gmail app and adding your iPhone under your Google account's Security settings.

If you wish to disassociate a smart-phone with the Google Prompt, you have to remove that Google account from that phone. (Obviously, this is not recommended if it's the one and only Google account on an Android phone.)

Enabling Google Authenticator
When you initially setup TOTP-style 2FA on any website, the website will create a random alphanumeric key string for you both to use. On your end, you have to configure your authenticator with the same key.

But how does the website provide that alphanumeric string to you so you can configure your authenticator? Maybe the website can display it on screen for you to manually type it in. It’s long, though, so that can be error-prone. Maybe you can cut-and-paste the key string into your authenticator. That may work on a computer, but won't be easy if you are setting up a mobile device. If the website can embed the string in a QR code, though, your phone’s camera can read the QR, extract the key string, and stick it in your authenticator app for you, all without error. That will be the method most people will opt to use.

Note that the only purpose of the QR code is for transferring the key string. It is not a passcode to use when logging into a website. It’s only for initially configuring an authenticator app. After the app is configured, you no longer need the QR code.

To add an authenticator app to your Google account, select "Set up" and follow the prompts. Google will create a long, random, alphanumeric text string to be used as your secret key. Google will embed it in a QR code and display the QR code on your computer screen. Install an authenticator app (which can be Google Authenticator or one of many others) on your smart-phone, and point the phone's camera at the QR code. The app will read the QR code, set itself up with a token, and start displaying a 6-digit numeric code. The 6-digit code is calculated based on the key and the current time, and will change every 30 seconds. Finally, Google will ask you for the authenticator's currently displayed 6-digit code as a way to confirm you and Google are using the same secret key.


As long as you and Google (or whichever service you're using) are synced to the same time and using the same secret key, both sides will generate the same 6-digit code. Thus, it is imperative that your device's time is reasonably in sync with Google's servers or they will not come up with matching codes. A little leeway is allowed, but don't let your device's time drift too far off.

Note that there is nothing particularly special or proprietary about the QR code. It is merely a convenient way to transfer the super-long alphanumeric key string into the app. Although more cumbersome, if you wanted to you could do the same thing by manually typing in the key. (The alphanumeric string will be revealed if you click the "Can't Scan It?" link when the QR code is displayed on screen.)

The key is the only crucial part of the QR code. There may be additional fields embedded in the code, such as a name and "issuer" field, but those are non-critical and only to help you differentiate tokens from one another if you use the same app for multiple tokens. Depending on your authenticator app, you may even be allowed to rename the token if you wish; but that is only for your convenience, and applies only in that individual installation of the app.

(Caveat: in tests it seems an authenticator app cannot be the first Google 2SV method you set up. YMMV, but you may have to enable one of the other methods first, then you can set up Google Authenticator. You can go back and delete the first method if you don't really want it and Google Authenticator will stay, but apparently it maybe can't be the one you initially start with.)

Backing Up Google Authenticator
A second device can be configured from the same QR code, so I recommend taking a screenshot of the QR code (or copy and paste the alphanumeric key string) when Google offers it. You can subsequently use the same key to setup another authenticator app on another phone or another computer at any point in the future.

(If you have already enabled an authenticator app for your Google account but forgot to record the key string or QR code, you can delete it and start over, enabling it anew. Google will generate a new key string, which you can record this time.)

To configure a second device with the same secret key, simply install your authenticator app of choice, click the setting to add a new entry, display the QR image you saved earlier, and point the phone’s camera at your computer screen. That's all there is to it. You do not need to tell the website you have multiple authenticators, you merely reuse the same QR code or key string. As long as all your authenticators use the same key for a given token, they will all generate the same 6-digit code when Google 2SV asks for it.

Some apps may offer a function to backup or migrate your configured 2FA tokens to another device. However, if you copy the key string or QR code right from the beginning (i.e., while it’s still on the screen at initial setup) you can always recreate the token whenever you want, so there's no need to be concerned with which apps may or may not have a migrate function.

Besides, most people aren't likely to have more than 5 or 10 tokens, and with that amount you could probably recreate them all anew faster than it would take to even begin researching how to migrate from a prior authenticator. Best of all, recreating tokens will work with all TOTP apps, regardless of whether or not they support backup/restore or migrate functions -- and hence will not limit your choice of which app to use.

To summarize, you don’t setup multiple devices via the website, you setup once and then use your copy of the QR code to replicate to additional devices. If both you and your spouse need access to the same bank account, for instance, you setup 2FA at the bank once, and replicate it to both of your phones. You don’t setup each device with the bank.

Warning: Whatever you do, understand that the key and QR code are, quite literally, the keys to the kingdom. If a hacker gets either, he can generate your 2FA TOTP codes himself, and you’re in trouble. So while I recommend saving them, do make sure you save them securely. You don’t need either in day-to-day use, so stash them away on an off-device backup and delete them from your daily-use devices. You only need the key when reinstalling or setting up an additional authenticator, so it doesn't need to be readily at hand all the time.

You can save the key string, the QR code, or both if you wish. They’re functionally the same thing, though, so it's really only necessary to backup one or the other. Any ordinary QR code reader can read the key string from the QR code and vice versa, a new QR code can be regenerated from the key string. So if you backup only one you can always recreate the other at will from the one you saved.

Enabling Hardware Security Key
To add a Security Key, select "Add Security Key" and follow the prompts. You will be asked what kind of Security Key you have and guided through the process of registering its secret string.

A hardware key is another form of TOTP authenticator, with its own unique key embedded in its firmware. In contrast, an authenticator app is software, so it can be installed on multiple devices using the same key. This may mean hardware keys are technically more secure, but software authenticators will be more convenient if multiple people need to share access the same account.

Enabling Voice or Text Message
To enable a voice or text message, select "Set up" and follow the prompts. You will be asked for a phone number to use, and whether you want to receive voice calls or SMS text messages. Google will send a message to that phone and ask you to confirm the code that was sent. This verifies the process is working properly.


Note this can work with any phone and, unlike a Google Prompt, does not require the phone number to have any association with Google. It can even be used with a land-line phone that can't receive text messages because Google can send automated voice calls instead.

Creating Backup Codes
In your account settings, click the "Backup codes" option. Google will create and remember a set of ten random, 8-digit numeric codes that can be used to verify yourself to Google when necessary. Print and save these codes in a secure place. A hacker could impersonate you if he was to acquire these codes, so keep them safe.


Use any one of the 8-digit codes when you need to authenticate yourself. (They don't need to be used in a particular order.) Once used, that code is expired but the rest of the codes remain available for future use. Each code does not expire until you use it, or unless you delete them from your account settings.

At any time you can ask Google to generate a new set of ten codes. Any unused codes are discarded when Google generates a set of ten new codes.

If you enable multiple 2SV options, remember that security is only as good as the weakest link. For example, if a website lets you bypass your TOTP authenticator app and ask the server to send you a code via SMS instead, then a hacker could do the same. The superior security provided by an authenticator app is all for naught if the bad guys can go around it and revert to SMS. (After enabling an authenticator app on a website, you may want to consider disabling any SMS/voice option.)

I like to have a backup 2FA option in addition to the authenticator. That might be email (and no SMS/voice option), or a hardware token, or maybe an account “recovery code” that can be written down and saved. It depends on what 2FA options a particular website offers. There are advantages to enabling multiple 2FA methods, but if you do, be sure you recognize your resulting security is only as good as the method most vulnerable to compromise.

In conclusion, enabling at least one of the above 2SV methods will help make your Google account more secure. Enabling more than one can make things easier for you if your primary 2SV method happens to be temporarily unavailable at the moment you need it. And allowing Google to fingerprint your trusted devices can make it easier for you if you frequently sign in from the same devices.

Hopefully, you'll see these extra security measures are not really as inconvenient as they may at first appear, and will be well worth it if they stop a hacker from taking over your account.



Back to Top
01/12/2022, revised: 04/28/2024

Valid HTML5 author: Dan Goodell