Two factor authentication for GMail anyone?

A.Nonymous

Extreme Android User
I've seen a few posts on here where people have mentioned their GMail accounts got hacked. I wanted to post and encourage everyone to turn on two factor authentication in GMail. It does take about 15-20 mins to set up, but it makes your account ultra-secure.

I'm sure you've all heard the old security adage about "something you have and something you know" in order to log in. That's what two factor authentication is. It's similar to what you might see at a bank or a doctor's office where the person carries around a keyfob that randomly generates a number that changes every 60-90 seconds or so. In order to log in, someone must have their user name/password (which can be guessed/hacked) and that random 6-7 digit number (which is virtually impossible to guess).

GMail does this with an app on your phone that randomly generates a number. When you log on to a computer you've never logged into before it asks for your user name/password and that number. You can have it cache your credentials on that computer for 30 days so you don't have to do this every time you log on to your home computer for instance. If you log on at a public computer, you can tell it not to save your credentials so if you log on there again it'll ask for your number.

It makes your account uber-secure. If you hacked my password right now, it wouldn't do you any good. You would need the randomly generated number. That number is 6 digits and changes every 60-90 seconds. There are literally a million different combinations and there's no way you could try them all in just 60-90 seconds.

Mobile apps like GMail, Google Voice and other apps that access your Google account don't support two factor authentication. Google gets around this by randomly generating passwords for those apps. You generate a password from your browser, enter it in the app and you're good to go. If your phone gets stolen, you can revoke that password from any browser and it's no good any more. That password is all letters and is 16 characters long and is something like - mufabpnigwbprhcl (password I just randomly generated and then revoked). This password would be hackable as someone could guess it, but there are literally 4.36 x 10-22 combinations to guess. If someone does hack it, they're extremely determined.

Sorry for the long post, but everyone really should turn this on. Makes your account more secure and if your phone gets stolen, you can revoke the master password for your phone and all your personal data on the phone is secure again without you having to change your main password.
 
Agree with you completely. Gmail is probably the most important account you have; with your email someone can request forgotten passwords to all your other sites!

So pleased Google did this. No doubt it is a bit of a pain, but the security is pure gold.
 
The pain is well worth it. I have my phone with me all the time and I don't use my GMail account on other computers very often. Generating passwords for apps is a pain. I'll admit that. Once you do that though, the passwords are remembered and you don't have to enter them again. The small bit of pain is very well worth it to make your account virtually unhackable from the script kiddies out there.
 
We were just discussing this in the guides / mods section. I turned it on last week and like it quite a bit.

Just an FYI for those who wonder what happens if you flash ROMs often or have to do factory resets - there are reports that if you download the app again, sometimes the Google Authenticator may work, and others report it stopped working for some reason.

So JUST TO BE SAFE, before you flash a new ROM, or do a factory reset, turn OFF 2 step authentication online in Gmail settings, flash the new ROM / factory reset, and then re-install the Google Authenticator app, and turn on 2-step authentication again, to make sure everything is peachy and works fine.
 
I don't quite follow this. Is it on your phone? Or just GENERALLY on your gmail account?
The gmail account I have attached to my phone is not an account I use, it's literally created for the phone requirement. I originally used my own gmail account, but then didn't like how easily accessible it was and so made a new one solely for the phone.
So does this 2 step verification not apply to my actual gmail account then?
 
It's for any gmail account, not just the one you use for your phone (in the event they're different). In your case, you could do it for either one you wish. The phone app/part is so you can receive the codes generated by Google for you to enter when logging in, so you'd receive the code on your phone and enter it when logging into your main gmail account.

I personally did it for both of my gmail accounts, and the thing I really like about the authenticator app that receives the codes is that it supports more than one gmail account.
 
It also cuts down on how accessible your GMail account is to others. Even if someone steals your phone, you revoke the password from the web interface and that phone is useless as far as getting into your stuff goes.
 
For Thunderbird or any other app, you generate an app-specific password on the 2-step authorization page. You can revoke this at any time.
 
This password is also where you're going to be most "hackable" because it's static and never changes. However, it's 16 characters long and those characters can be any of the letters in the alphabet. So there are literally billions of combinations. It would take someone many, many weeks if not months to hack your account this way and I'm sure Google would notify you that there were twenty million logon failures for your account.
 
Years even, if these things are correct.


Also wonder what the scope of them is, can you use one App generated password in a different App?
 
I have to use Google 2-step for work. It works great, but I do have a problem. I like to browse Market.android.com for my apps instead of using the actual app. Now when I go to log in to my Google account that's attached to my phone, I need to generate a password for Market, but I can't seem to get it to generate a password. Anybody else seem to have this problem? Anybody know how to get around it?
 
I'm able to get to market.android.com with nothing more than my standard google password.
 
With 2-step on? When I type in my Google account (the only account on my phone, and it's also my work email) it tells me incorrect password. So then I realized I needed an application-based password for my account since I have 2-step verification on, except I can't get it to generate a password....

I can access and browse the market without logging in, I need to log in so I can download to my Android from the site.
 
I'm very confused. I go to market.android.com. It asks me to log in. I use my Gmail account and my standard password. It lets me right in. It's already asked me for the randomly generated number from my computer so it knows that my computer is allowed. I never get asked for a randomly generated password from a web browser on my computer.
 
I think that this is a pretty easy question but I can't get it to work.

I've done the sign up for the two step verification and created the application specific password. Now I have to replace the password on my phone. How do I do that?

From the 'Settings' app, I've tried:
'Accounts and sync'
I see a section which is Manage accounts, and I have my gmail and facebook accounts.

But when I click on the gmail I only get to the 'sync contacts' and 'sync calendar', but I don't see where I can change the passwords.

Do I need to delete the account and add a new one with the new password? If so, would I lose all the information? Or when it signs in again I would see all the stuff assigned?

The phone displays a warning message that removing the account will also delete all of its messages, contacts and other data from the phone.

Will this include the apps and SMS messages?
 