
Summary:

After my Gmail account was hijacked last year, I looked into Google’s two-step verification process. It relies on your having your smartphone with you, even when logging in on a PC. Here are two ways to use your smartphone to better protect your Google account access.


UPDATED. My Google account was briefly hijacked last year, and although nothing major happened as a result, I decided to look into Google’s two-step verification process. This adds a second layer of security because it combines “what you know with what you have,” says Google. You know your Google password, of course, but the second step requires the smartphone you have with you. Without the handset, your Google account can’t be accessed if two-step verification is enabled.

On Monday, PC Magazine wrote up one way to log in to your Gmail account on a PC by using a smartphone. It’s a clever and simple method. On the PC, you simply browse to https://accounts.google.com/sesame, where you will see a QR code.

Use a bar-code-scanning app on your Android or iPhone (which is already configured with your Google account credentials) to scan the code, which encodes a URL. Browse to the URL on your phone and tap the “Start with Gmail” button or “Start with iGoogle” button, whichever you prefer. Doing so causes the phone to send a verification to the PC, which immediately opens up Gmail.

[UPDATE: This method appears to be experimental. The day after this article was published, Google shut down the login service. Clicking the link now shows the following message from Google: "Hi there - thanks for your interest in our phone-based login experiment. While we have concluded this particular experiment, we constantly experiment with new and more secure authentication mechanisms. Stay tuned for something even better!"]

I tested the function on my Galaxy Nexus and it worked perfectly. But I was already using a smartphone to verify my Google login with two-step verification. Google actually offers an application called Authenticator for Android, iOS and BlackBerry devices. Instead of calling or texting a verification code to your smartphone, Authenticator creates six-digit verification codes on the fly, without any connectivity required. Each code lasts only 30 seconds, much like a rolling code. Entering the code when prompted during log-in to a Google account provides access.
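The six-digit, 30-second codes described above are produced by the TOTP algorithm (RFC 6238, built on HMAC-SHA1), which needs only a shared secret and a clock. The following Python is an added example, not code from this article or from Google: it generates a code and verifies it server-side with clock-skew tolerance and replay rejection. The sample secret is the RFC 6238 test key, and the `window` and `last_counter` parameters are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds per code, as the article describes
DIGITS = 6   # code length, as the article describes

# Constructed sample secret: the RFC 6238 SHA-1 test key, Base32-encoded
# the way authenticator apps receive it. Never reuse a published key.
SAMPLE_SECRET = base64.b32encode(b"12345678901234567890").decode()

def _key(secret_b32):
    """Decode a Base32 secret, tolerating spaces, lowercase and missing padding."""
    s = secret_b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))

def hotp(key, counter):
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def totp(secret_b32, now=None):
    """Code for the 30-second step containing `now`; needs only a clock."""
    now = time.time() if now is None else now
    return hotp(_key(secret_b32), int(now) // STEP)

def verify(secret_b32, submitted, now=None, window=1, last_counter=-1):
    """Return the matching time-step counter, or None.

    window: steps of clock skew tolerated on each side (hypothetical default).
    last_counter: highest counter already accepted for this account; codes at
    or below it are rejected so an observed code cannot be replayed.
    """
    now = time.time() if now is None else now
    key, current = _key(secret_b32), int(now) // STEP
    matched = None
    for counter in range(current - window, current + window + 1):
        if counter <= last_counter or counter < 0:
            continue
        # Constant-time compare; keep looping so timing does not reveal the step.
        if hmac.compare_digest(hotp(key, counter).encode(), submitted.encode()):
            matched = counter
    return matched
```

A server would store the counter returned by `verify` and pass it back as `last_counter` on the next login, so each code is accepted at most once.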

Although I have been using the Authenticator app for some time, I like the QR code method better. There are no verification codes to manually type; it is a simpler process that still combines “what you know with what you have.” And if you add in passcode security on the phone itself, there is another layer of security with either approach to help out in case you lose your handset.

If you are not familiar with Google’s two-step verification feature, here are the details from the rollout last February, as well as this video to explain how it works.

  1. MerryMaker846 Monday, January 16, 2012

    This is a dead issue. Google botched this so badly. I unplugged it because it BURIED me in text messages. BURIED. Even if you were logged in, you got text after text after text. They’ve got loads of smart folks, this was not a smart way to handle it.

    1. Totally understand. Neither of these two methods use text messages at all, FWIW.

    2. Totally agreed, not smart at all.

  2. OK, now I am really lost.
    Does either or both send text messages or not? From reading the first 2 comments it sounds like yes then no!

    1. No, neither of the two methods sends or uses text messages. One uses a barcode scanner and camera on the phone, while the other is an app that generates a verification code.

  3. The Google QR code linked in this article no longer works. Apparently, the “experiment” has concluded with no further information.

    1. Thanks Robert. That’s a shame, because I liked the implementation! I’ll update the story — and stick with Google’s Authenticator app on my Android and iOS devices. :)

      1. Yeah, it’s too bad. It sounded like a clever way to do it. I’ll try the other app today.

  4. This is a smart attempt but I find the Google Authenticator better at the moment. Anyway, may Google continue experimenting with new features. That is the purpose of Google Labs after all; features are born and buried here.

  5. I never understood how to get Google to send code 2-step password. I
    sent request none in beginning it would automatically done ??? Then came app specific password. Never explained where I enter the code
    Enter in log inter as contact how to identify contact. For next entry
    Etc Google never explained its detailed procedure Android has multiple settings button per feature not all few/ main issue is my statement “these words hurt my eyes”. Over & over I explained got more of translate these letters
