Share this Story

How To: Set up Google’s Two-Step Authenticator Application

With the story of the Wired writer who had his entire digital life wiped out this weekend by hackers taking center stage this week, we figured now would be a good time to make sure all of you are taking the proper steps to ensure your online safety. Google’s two step authentication process has been public for some time, but is only just now starting to see wider use. Sometimes, it takes an event such as the one that happened to poor Mat Honan for people to realize that their digital lives could use a bit more security. 

1. What is two-step authentication?

In this context, Google Authenticator works as a second line of defense if your account is compromised. When setup of Authenticator is complete, you log in to your account as you normally would, but much like you would see on a banking website, there is an additional step for signing in. A numerical authentication code is messaged to the mobile device tied to your account for entering, which will then allow you to gain access to your account. The authentication code is never the same twice, which ensures for a more secure experience for users.

2. Setting up Google Authenticator.

Setting up Authenticator isn’t the easiest process, especially if you have multiple devices on a single account. First, you must enable the feature in your Google account under the “Security” option. Once enabled, you set it up to send a six digit code for authentication purposes to your cell phone. Select your main phone’s number and not a Google Voice number that is tied to your account. Once you have paired both your 2-step authentication and your smartphone, you can then start adding your other Android devices and also download the Authenticator app from Google Play, which does not need a data connection to create your codes for logging in.

After these steps, it will ask you to mark the computer you’re signing up on as a “trusted computer,” meaning it won’t ask you to verify log ins from that computer except for every 30 days or sometimes longer. At this point, you’re at the landing page for all of your two-step settings. From this page and this page alone, you can change individual application access, add or remove trusted computers, and add more backup phones.

Once you’re done adding your backup devices and you have optionally printed out your manual backup codes (for safe keeping), you’re pretty much good to go. I had to re-log into my Google Account on my phone and have a code handy for accessing, but after that, it seems to be doing its job.

Play Link

Note: For habitual ROM flashers that wipe their data every week or so, this may not be a fun process. When logging into your Google account at the setup screens, make sure to have authentication codes and a computer handy. If you run out of manual codes from your account’s dashboard, you can have them generate more codes. We wouldn’t want you to be locked out of your device.

  • ARGH

    So the application-specific password simply isn’t working on my PS3. Am I doing something wrong? (And yes, I’m using the correct email address.)

  • Pentago

    Here’s a brief tutorial i put up on how to use GoogleAuthenticator to secure Facebook logins:

  • Borgis1

    just installed the 2 step. I looks to me that if somebody has access to your phone or if you lost it. They can use the authenticator and password recovery from gmail to reset the password. The authenticator tells them what email address to type in.

  • How can I get this to work on two devices at once? I want them to both generate the same code. Blizzard allows this with a recovery code, can Google facilitate it?

    • Borgis1

      Install the authenicator on both of your devices. Then inside google, remove the phone app authenicator as a security device. Then add the phone back in again, but this time when it asks you to scan the bar code, scan your phone and your tablet or all other devices. All your devices should be in sync and showing the same verification code. Enter the code and you’re set. Google thinks you only have 1 device but you have 2 or 3 setup.

  • Havoc70

    I received notification from Google mail when i logged in one day that some Asshat in Mexico logged into my account. I immediately switched all passwords and setup 2 step. Yes its a pain and if you ROM its difficult but well worth not getting screwed by some meat head with too much time on their hands.

  • Lucky Armpit

    When I read this article, I was absolutely horrified. Not that I was naive about the Internet, mind you, but the fact that someone’s digital life can be ruined so horribly in the space of just a few minutes. And for no other reason then to get to a Twitter account, and from the sound of it, boredom. Why else would you wreck the digital life of someone you don’t know?
    I’m so glad I don’t have a Facebook/Twitter/MySpace/LinkedIn/Instagram/Pinterest account.

  • Jon

    I used to use this then stopped after a while because it’s a pain in the ass, and I had to setup each individual google app manually. I’m gladly back on 2 step verification though and honestly wish that Amazon, Paypal and other sites I use would use this as well. I just don’t have the time in life to deal with identity theft and being hacked.

  • WARNING: DO NOT USE IF YOU FLASH ROMS A LOT! You can only have the Authenticator app installed on one device at a time (Why, Google?), so if you are flashing the device that has it, you’re gonna have a bad time logging back in when it comes back up.

    • Jon

      Crazy. So can you deactivate the authentication program before flashing a new ROM, and then re-install it afterwards???

      • Pete

        yes you can remove the app first and get sms instead, or disable it completely. Alternatively you can just use one of the 10 backup codes, then reset the codes to get another 10. its easy, just dont forget where you put the codes.

    • Liquidretro

      Are you sure? I have had it on phone and tablet I am pretty sure.

  • Steve

    Sweet! I was just trying to set my phone up last night. It was such a pain in the @SS!

  • RandomJSF

    There was a point where, after turning on two-step authentication, I was flashing ROMs so frequently that I had a set of application-specific passwords memorized…

    • Liquidretro

      I thought the app specific passwords wer one time use.

      • RandomJSF

        The app-specific passwords can be used as often as you like, but they’re only ever DISPLAYED once. I just reused one of mine yesterday.

  • Flyinion

    Been using this for a couple years now. Was getting ready to leave for
    work one day and my phone chirped a few times. Figured it was text
    messages, nope it was bounced back GMails because the hackers malformed
    some of the addresses in my contacts when trying to send emails. GMail
    showed they’d logged in from NY and somewhere else on the East coast,
    I’m on the West coast lol. After trying to figure out what to do about
    it I ran across the 2 step authentication and have used it since.

    It’s actually pretty easy to use. If a website supports the PIN number,
    you just generate one and give it to it (it will ask for the Auth
    code). Otherwise you just generate an application specific password and
    tell the app, website, etc. to remember it (if you trust it of
    course). Note that you will also need to do this for your phone as well
    since logging into your account for syncing does not support the 2 step
    6 digit code. I think that’s probably by design.

    For those who flash ROMs a LOT constantly, it will be a pain no matter
    what. For those that go through cycles and run a ROM for a while then
    maybe spend a few days or so trying out new ones, it’s not a big deal.
    Just turn off the 2 step for a few days and turn it back on when you’re

    • Caleb Martin

      The same thing happened to me, except I got a notification from Android telling me my login was invalid. I was able to get my account back via the password reset and found the hackers had sent a few spam emails. I immediately activated 2-step authentication and haven’t turned it off since.

  • Does it ask for the code every single time you login or just once every now and again

    • John

      You can make it remember you for 30 days (or until you clear cache/cookies within that 30days) or not at all(for public computers etc).

  • Great idea toward security, but two-step authenticator seems inconvienient: sometime long wait for the text message to come, not all devices/apps support two-step authentication. What Google should do is allow users to buy a small token-generator device (such as RSA key-fob) or token-generator app/software, and use the generated-token as the 2nd-step authentication. Safe and convienient.

    • ddevito

      The Authenticator app acts like an RSA token.

      • Liquidretro

        Ya the app takes the place to the Physical token, and is much cheaper. Quick too. It’s also not another device to loose or carry.

  • Tiyjuan

    For the ROM lovers, you can use Titanium Backup to backup your G.A. app and it will reload your codes as if nothing changed. I use this for two google accounts and LastPass, works great.

    • Tiyjuan

      To add on to my last comment, you could always print out the QR codes too. This way all you need to do is scan them again to get your G.A. app working again.

      • MKader17

        I’ve used 2 step verification before but I’m not sure where this would help, can you explain more? Frequent ROMing is the sole reason I don’t use it.

        • Tiyjuan

          Are you familiar with Titanium Backup? It’s a must app for people who change ROMs a lot. After backing up the G.A. app, flash a ROM, go back into Titanium Backup and restore the “data” for G.A. If you’re not familiar with it, I’m sure there are videos out there to demo how it works.

          • MKader17

            I was talking more about the QR. I only use Titanium for batch restore and backup normally.

          • Tiyjuan

            Oh, in regards to the QR, just print it out or do a screen shot of the QR and store it in a safe place on your computer, this way when you need it again you just rescan it into the G.A. app.

  • Laura Graham

    I enabled it and it was a B**CH to try and re-encrypt ALL my passwords on all my devices. And since my life pretty much runs on Google/Android, that’s a wee bit of stuff I have. I drew the line at not being able to sign into my phone because of a damn password and reverted everything back.
    Yes, it is more secure, but it’s a pain in the a** to manage. Set yourself a strong password, numbers, symbols, caps, everything and you should be in tip top shape.

    • George264

      Yeah I tried it a couple months ago. Don’t. It’s a PAIN IN THE A**. Don’t. It’s really hard to get the passcodes generated, and all that stuff.

      • ddevito

        If you can install a custom ROM this is a walk in the park

      • Jon

        It is a pain in the ass, but screw it. I intend on not being an easy target. I’m just going to accept that this world sucks and it’s just something you gotta do if you don’t want to have a really horrible time if and when someone hacks your stuff.

    • Liquidretro

      No, even a strong password does not compare to 2 factor authentication. With a conventional system you still have to guard your password with your life. With 2 factor if someone does get your password with say a keylogger than your ship is sunk. If you have 2 factor enabled you are still riding high.

  • I’ve been using this since it was available. It can sometimes be a bit of a hassle, but the extra security and peace of mind that it provides is more than worth it. Highly recommended.

  • john red-horse

    Is there a way to do the 2-Step Authentication thing if you don’t have access to your mobile phone? I work in a place that doesn’t allow them in the office, but I can think of other situations, such as out-of-country travel, etc, where it’d be a problem.

    I’d rather they did something like Lastpass with keys and one-time passwords. That seems just as robust.

    • 4n1m4L

      Yes. You set up an application specific password. Its the same amount of characters as a credit card number but it is letters. Its randomly generated n the website. You have to use an app specific password to activate a phone. Figured that out last time I flashed to stock

    • Liquidretro

      Yes you can generate a paper sheet of one time passwords, much like lass pass.

  • envoy510

    It DOES NOT WORK on Jelly Bean (I have a stock GNex). When you try to reenable syncing on your phone, it will ask for a code, then you switch to the Authenticator app, get the code and switch back. Wait, you can’t switch back. There’s nothing to switch back to. Notification bar. Recent apps. Start each of the browsers on my phone (Browser and Chrome). Nothing.

    FAIL, google.

    • You’re a moron, it works just fine with Jelly Bean on my GNex.

      • envoy510

        Being an a**hole because you are anonymous: priceless.

        • Writing that long of a story about your problems, yet still wrong because you’re incompetent. Honestly it’s a 2 minute setup. 3 for monkeys. FAIL, envoy510

          • envoy510

            It must be sad having a fragile ego such that you need to tear down anyone that disagrees with you. Pathetic, really.

    • Yes it does work on Jelly Bean (Galaxy Nexus).

      • envoy510

        Do you use text messaging or the Authenticator app to get the code? Do you have Chrome installed? What is the default browser on your phone?

        • I use the authenticator app. I don’t have Chrome installed though, I use the stock browser.

          • envoy510

            I have a feeling it’s Chrome that is causing the problem. I see the Chrome icon in the notification area, but there’s nothing to click on there when I swipe down. I suppose I could uninstall Chrome, but I’ve already wasted 45 minutes on it and I’m not sure I want to waste more.

            Thanks for replying in a civil manor. Appreciated.

          • Tiyjuan

            For Chrome you are supposed to use an application specific password. This is the case for Chrome, Picasa, Google Music and any other sub-Google application.

          • envoy510

            I’m not authenticating Chrome! I’m trying to authenticate my phone after turning on 2-factor from my computer. The *phone* is what redirects to chrome for me to enter the code.

          • Tom Ball

            You need an application specific password.

          • Tiyjuan

            Yeah sorry, I should have added that part too. Your phone needs it’s own app specific password too.

    • ddevito

      No Sir, YOU fail. It certainly works in Jelly Bean

      • envoy510

        OK, I should have added “for me”, and then I wouldn’t have raised your ire?

    • Andilicious217

      I had the same problem as you describe. I ended up using one of my printed out passwords because I couldn’t go back after going to the authenticator app.

      • envoy510

        I didn’t think of using one of the printed passwds. Thanks for that. I will be a pain to do this every 30 days, though.

  • John

    Have been using 2factor auth since it was available. It’s been great. I now use it on lastpass as well..and soon dropbox once they implement it. Such a great feature. Thx Google.

  • ddevito

    It should be mentioned that for apps that do not use password authentication that this two step process uses application specific passwords.

  • ddevito

    I’ve been using this since its launch. It can be a major pain in the ass to set up, but once it is set it becomes much easier to deal with. My advice is to print the backup codes and leave them in a secure place, like a safe.

  • My account got compromised somehow (keylogger?) by a computer with an IP in Indonesia I think, luckily Google helped me catch it in time and I immediately enabled 2 step verification. No more problems.

    • 4n1m4L

      Me too, but from italy

      • ddevito

        ¡Mamma Mia!

  • EvanTheGamer

    I set up this two-step security awhile ago, but my cookies kept getting stolen so I had to turn it off. Started getting extremely annoying having to wait to receive a text with a verification code every time I wanted to log into my account.

    Just use lots of random letters and numbers and you’ll be fine.

    • Matt

      For devices/software that don’t support the two-step authentication, Google will generate random passwords that you can associate directly with a given device, and disable from within your account, in case you lose it. I’ve done this for the same problem you’re having and it works fine.

      • EvanTheGamer

        Ahh, I was not aware, awesome! Thanks for the tip man.

    • Liquidretro

      Stolen cookies? I don’t understand exactly. That may point to much more serious problems going on. For the PS3 problem use the app specific passwords.

      • EvanTheGamer

        “stolen cookies…” hahahah, was just trying to be funny..but guess it did not work. 🙁

        And yep, thanks!