Do you really think security is too much trouble? That no one is ever going to bother with your accounts? Ask former Gizmodo employee Mat Honan if he feels that way after his accounts and devices were wiped clean. That could have been you, and it could have been worse. There are several ways to try to protect your online accounts and one of the more important of these is two-factor authentication.
Since Google played a role in the Honan case, almost everyone uses some Google service or other, and Apple doesn't support two-factor authentication, let's go over how to turn on Google's version of two-factor authentication: two-step verification.
Before jumping into that, though, here are some other basics. First, don't use passwords, use passphrases. “Always color outside the lines!” is both much easier to remember and far harder to break than, say, "Tr)ub4DORm1."
Second, use different passphrases for each of your accounts. These days, as in both the Honan situation and the recent Dropbox breach, a major reason things went bad was that one password was used for multiple accounts. If you use a different passphrase for each account, you limit your damage to that one service.
And, if you have trouble remembering all those passphrases, as we all do, I suggest you invest in a password management program. I use, and like, LastPass myself. I have many tech-savvy friends, however, who swear by 1Password.
Got all that? Good. What Google two-step verification adds to your security blanket is that, to break into your Google account and all its services, a cracker needs not only your password but your phone as well.
To use Google 2-step verification, you'll need your phone as well as your PC. Next, you need to sign in to your Google account and head to the two-step verification settings page. Once there, you'll need to choose “Using 2-step verification” from the menu.
From here, you'll enter the country your phone is registered in and enter your phone number. You can also choose whether to get your verification code by voice or SMS on your phone. In a matter of seconds, you'll get a call with your verification number. You then enter this code into the data entry box provided by your Web browser.
Your computer will then ask you if you want it to remember the computer you're using. If you answer “yes,” that computer will be authorized for use for 30 days.
Finally, you turn on 2-step verification and you're done.
Well, not really. You see, you're not really authorizing your computer, as you might think from the instructions; you're authorizing the use of a particular Web browser on that computer with 2-step verification. If, like me, you run more than one browser, you'll need to go through this process with every browser. You'll also need to go through it with every computer you use. Since on an average day I use half-a-dozen different computers, that adds up to a lot of time for the initial setup.
Also, while most Google services work with 2-step authentication, not all of them do. Services that don't support the 2-step authentication dance include:
POP and IMAP email clients such as Outlook, Mail and Thunderbird
Gmail and Google Calendar on smartphones
ActiveSync for Windows Mobile and iPhone
YouTube Mobile on Apple devices
IM clients for Google Talk and Adium
3D Warehouse, Sketchup, and installed applications
Sync for Google Chrome
Gmail Notifier
So, if like me, you use a smartphone and clients for email and IM, you'll also need to set up application-specific passwords. These will not, cannot, be the same as your master Google password. Google, not you, generates your application-specific passwords.
From this same page you can also see all the services you've authorized to use your Google ID as your identification. So long as you're cleaning up your security act anyway, you might as well go through the list and Revoke Access to any service you're no longer using.
Let's say, though, that you don't have your phone, or you're somewhere without a signal when your laptop's 30 days of grace are up. No problem. Google gives you two answers.
The first is to download the Google Authenticator app for Android, Apple and Blackberry tablets and smartphones. With this you can generate a PC/browser password. You can also create a batch of ten backup codes, which you can use to authorize a computer.
Is this perfect? No. There's no such thing as perfect security. A man-in-the-middle attack can still grab your password and your authentication number. And a good old-fashioned people hack led to CloudFlare's CEO losing control of his Google account even with two-factor authentication.
Even so, if you don't want your own personal security disaster, you should follow all these suggestions. Yes, setting up Google's, or any other, two-factor authentication can be a pain, but you'll be far safer with it than without it.