Google Rolls Out Optional 2-Step Authentication For All: Secure but Frustrating

Google just announced that it is rolling out its 2-step authentication program to all of its users over the next few days. Until now, this enhanced security feature was only available to Google Apps users. I’ve been using Google’s 2-step authentication process on a standard Google Account for the last few months already. While it does indeed represent a major step forward in ensuring the safety of your account, it can also be a bit of a hassle.

Here is how this program works: Today, when you use your Google account to sign in to Google’s or a third party’s services, you simply type in your password and go your merry way. The moment somebody gets a hold of your password, though, all of your data and accounts are compromised.

With 2-step verification, you still enter the same password, but the first time you use a new machine or browser, you will now also have to enter a verification code. To get this code – and this is similar to some bank authentication systems – you must have your phone at hand to run the Google Authenticator app. The app is available for iOS devices, as well as Android 1.5+ and BlackBerry phones.

As non-browser-based apps can’t access this 2-step authentication mechanism, you will also have to set up application-specific passwords for every app on your smartphone or desktop that accesses your Google account. To do this, you first have to head to your account settings page to generate a new 16-digit password (think “zpcszdavwxhg7bc4”). Thanks to this, you can easily revoke access to any app in case you think your account has been compromised or your phone has been stolen.

Google also rightly warns users that the setup process can take 15 minutes – which is not an exaggeration. The process also isn’t for the faint of heart. Thankfully, Google will walk you through the process step by step.

All of this greatly improves your online security, but it’s also a bit of a hassle. Using the verification code is easy enough and usually only required once every 30 days – assuming you have your phone handy (though Google will also email you a list of 10 fall-back codes in case you can’t access your phone). Entering the long passwords on your mobile phone, however, is a real hassle and is really only practical if you have access to a laptop or desktop at the same time to generate the code. As long as the process remains this complicated and annoying, chances are that few mainstream users will opt to use this process.

That said, though, by all means give it a try to see if it works for you. The current username/password system is anything but safe, and anything that can add an extra layer of security is a good thing. Even though it’s often frustrating, I’m still using it.
