Understanding Two-Factor Authentication
Google has long encouraged users to use Two-Factor Authentication or Two-Step Verification whenever possible, and to that end has recently begun "opting-in" accounts that they determine already support it (1, 2). If this change has been made to your Google account and you do not want it, you can (for the time being, at least) turn it back off. However, there are good reasons for using the feature, so it's helpful to understand what it is and how it works.

What Is Two-Factor Authentication?
Over the years, numerous service providers across a variety of industries have gradually implemented better and more secure ways of verifying you are the person who you claim to be when interacting with them. Typically this takes the form of two steps, each asking for a different item of verification, such as a password and a phone number, or a password and a secret question.

"Two-Factor Authentication" (2FA) is the strategy of grouping the possible items of verification into "factors" -- or buckets of similar verification methods -- and requiring that the two items requested come from different buckets.

In this context, the different factors can be defined as:
When enabled, a user signing in will start by providing a username and password as before, but the service will then respond by asking for a second piece of verification. After this second step is completed, the user is signed in and can continue to use the service as before.

Requiring items from two different buckets is considered more secure than requiring two items from the same bucket. After all, if a hacker knows you well enough to have your password, then he might also know your mother’s maiden name or your high school mascot, but is less likely to have your house key. A burglar who breaks into your home or steals your wallet might get your passport or ATM card, but probably wouldn’t get your bank PIN code.

Services that ask for two items from the same bucket -- for example, a password and secret question, or a PIN and the last four digits of your Social Security number (both "Things You Know") -- are not as strong as true 2FA. While that is at least better than asking for only one item, requiring two items of verification from different buckets is the stronger policy.

What Is Two-Step Verification?
"Two-Step Verification" (2SV) is Google’s variation on 2FA.

In fairness, the term may also be technically more accurate than 2FA, as pedants could argue that some methods don’t fall neatly into one factor or another. For example, if a sophisticated hacker convinces your phone carrier to redirect your text messages to a phone under his control, he doesn’t need to have your physical phone to intercept an SMS verification code sent from your bank. The presumption of your phone serving as "Something You Have" is broken.

Also, calling it "two steps" rather than "two factors" is probably easier for non-technical users to understand, so they’re more likely to appreciate why additional proof is being requested beyond merely the password they’ve just submitted.

Google’s Second Steps
Google has five acceptable ways you can provide this second step. You can enable one or more of these methods. To avoid locking yourself out if something should go awry at some point in the future, it’s probably wise to enable multiple methods.

Google’s allowable second steps include:

Regardless of which method you choose, signing into your Google account with 2SV on a given device frequently offers an option to "Don’t ask again on this device". If that option is enabled and you successfully sign in, Google will deem that device to be "trusted" and you won’t be required to jump through the 2SV hoops in the future when signing in on the same device. If you’re using somebody else’s computer and don’t want it to become a "trusted computer" on your behalf, just be careful to deselect that option when logging in.
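
The sign-in flow described above (password first, then a second step, with "Don’t ask again on this device" skipping that second step on later sign-ins) can be sketched from the service's side as follows. This is an added example, not Google's code: the HMAC-signed token format, the 30-day lifetime and every function name are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # assumption: secret known only to the service
TRUST_LIFETIME = 30 * 24 * 3600       # assumption: a trusted device expires after 30 days


def _sign(payload):
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_trust_token(user, now=None):
    """Create the 'trusted device' token stored on the device after a full sign-in."""
    expires = int((now or time.time()) + TRUST_LIFETIME)
    payload = f"{user}|{secrets.token_hex(8)}|{expires}"
    return f"{payload}|{_sign(payload)}"


def token_is_valid(user, token, now=None):
    """True only for an unexpired token that this service signed for this user."""
    try:
        t_user, device_id, expires, tag = token.split("|")
        expires = int(expires)
    except (AttributeError, ValueError):
        return False  # malformed token: fail closed
    expected = _sign(f"{t_user}|{device_id}|{expires}")
    return (hmac.compare_digest(tag.encode(), expected.encode())
            and t_user == user
            and expires > (now or time.time()))


def sign_in(user, password_ok, second_step_ok=False, trust_token=None,
            remember_device=False, now=None):
    """Return (signed_in, new_trust_token) for one sign-in attempt."""
    if not password_ok:                     # the password is always required
        return False, None
    if trust_token and token_is_valid(user, trust_token, now):
        return True, None                   # trusted device: second step skipped
    if not second_step_ok:                  # unknown device: second step required
        return False, None
    # "Don't ask again on this device" was selected: mark the device as trusted.
    return True, (issue_trust_token(user, now) if remember_device else None)
```

The token only ever replaces the second step, never the password, which is why leaving the option selected on somebody else’s computer reduces that computer to password-only protection for your account.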

Enabling Google Two-Step Verification
2SV is enabled in your Google account settings, not your phone or computer settings. Sign into your account on the web and go to https://myaccount.google.com to manage your settings. 2SV settings are under the Security tab.



last revised: 01/12/2022

author: Dan Goodell