Google’s corporate users have had the option of using two-factor (two-step) authentication for nearly five months now, and the time has finally come for non-paying customers to receive the same option.
The feature will be opt-in. To set it up, users should go to their Account Settings page and click on the “Use 2-step verification” link in the Security section.
Setting it up should be easy because Google has provided a user-friendly set-up wizard to guide the users through the process, which also includes setting up a backup phone and creating backup codes in case the user loses access to his primary phone.
“Once you enable 2-step verification, you’ll see an extra page that prompts you for a code when you sign in to your account,” explains Nishit Shah, Product Manager at Google Security. “After entering your password, Google will call you with the code, send you an SMS message or give you the choice to generate the code for yourself using a mobile application on your Android, BlackBerry or iPhone device.”
This is what the new sign-in process is going to look like:
A hacker would need to know the user’s login credentials AND have access to his phone in order to access the account, so this could definitely thwart most current phishing scams.
For those who think that they would find entering the code each time they access the account annoying, there is the option of making the account remember the verification for that computer for 30 days (see above).
“You can also set up one-time application-specific passwords to sign in to your account from non-browser based applications that are designed to only ask for a password, and cannot prompt for the code,” says Shah.