How to set up two-factor (two-step) authentication for Gmail

Let's talk about Gmail security, specifically about sign-in settings. If you do not enable two-step authentication, your Gmail account is just an ordinary mailbox that can be hacked like many others.

In this article I will show step by step how to link your Google account to a mobile phone. The use of email clients such as The Bat!, Outlook, Thunderbird and others is covered separately.

And who needs this security?

A perfectly reasonable question that many may ask: why do I need this? Who would want to hack me? Well, if you use your mailbox once a month to exchange a couple of links with friends, then there is no need for the extra hassle. But for those whose mail is linked to many accounts on the network, especially financial ones (Webmoney, for example), protecting that mailbox is simply a sacred duty! Many services let you link a mobile number to your account, but most still rely on an email address, which is one of the biggest security weak points. Also, don't forget about the password “reminder” function, which works on many Internet sites.

Once an attacker has gained access to your mailbox, he will not reveal it; he will sit quietly and wait for some “important” letter that can be used for personal gain. With access to your mailbox, almost all of your passwords can be “recovered” in no time... In short, if you care at all about the information that can be reached through it, you need to configure Google Mail correctly.

Gmail Security Settings

To open the Gmail settings, click the gear in the upper right corner and select “Settings”.

Although email clients make working with mail much easier, they are another security hole. If you are not going to use them, disable this feature: go to the “Forwarding and POP/IMAP” tab and select the “Disable POP” and “Disable IMAP” options.

Google Double Authentication

After enabling two-step login, you will need to enter a code sent by SMS to your phone in order to access your mail. As you can imagine, this greatly increases the security of your mailbox. Go to the “Accounts and Import” tab and click “Change password recovery settings”.

Alternatively, open “My Account” from any Google service.

On the new page, in the “Login to Google Account” section, link your mobile phone number.

Here you can also link an additional mailbox that can be used to recover a lost password. I advise you not to link one, because this is another security hole. You can, however, link an additional phone number to which a code is sent if the main number is unavailable.

Enter the two-step authentication settings:

Application passwords are explained below. A window will open; click “Proceed” and follow the wizard's instructions:

In the first step, enter the phone number to which Google will send verification codes. If the phone is already linked, you don't need to enter anything; the number will already be there. Choose how you will receive codes, by SMS or by phone call; I recommend SMS:

Confirm with the PIN code you receive on your phone; this proves that your number is working.

If you left the “Remember on this computer” checkbox selected when entering the code, Google treats this computer as a “trusted device”. From now on, when logging into your account from this computer, you will only be asked for a confirmation code in rare cases.

Now try logging out of your mail and logging in again. Google will request a verification code sent to your mobile phone.

Here you can also mark your computer as trusted. But keep in mind that once an attacker gains access to your computer, he will be able to log into your email from your own “trusted” computer. Those who need maximum security should take this into account.

It happens that an SMS with a code does not arrive. In that case you can request a call: the Google robot will call and read out the confirmation code. I have used this option several times myself; the phone rang immediately, and the SMS arrived later.

How to log into your account without SMS

Additional settings provide several options for receiving codes, in addition to SMS and calls. The first is Google Prompt notifications:

After setting it up, all you have to do is tap “Yes” in the Google notification on your phone. The wizard will prompt you to add a mobile device to your account:

If you have Android, you probably already use a Google account on your phone, if only because the Play Market needs it. If not, add one. The procedure depends on the device model, but in general it is under “Settings -> Accounts -> Google”.

The second method is the Google Authenticator app

Install the Google Authenticator application for Android or Apple devices. The wizard will ask you to scan the QR code with the application using your phone camera. From then on, to log into your account you will need to enter a unique code generated by the application. The code is updated every minute.

Thirdly, you can do without a phone at all by using backup codes. This may be useful abroad or if you lose your phone, but you have to take care of it in advance; otherwise there is no other way in. Everything is simple here: create “Backup Codes” and print out the sheet.

Then you can enter these codes one at a time instead of the codes from SMS. There are only ten backup codes, so once you have used them up you need to generate new ones.
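What makes a printed backup code safe to carry around is that each one works exactly once and the service keeps only a hash of it. This added example (an assumed design, not Google's implementation) shows such a store: ten random codes shown to the user once, kept server-side as salted hashes, redeemed at most once, with a flag telling the user when a fresh set is needed.

```python
import hashlib
import hmac
import secrets
import string

# Assumed format for the example: ten single-use codes of eight digits each.
CODE_COUNT = 10
CODE_DIGITS = 8


def generate_backup_codes(count: int = CODE_COUNT, digits: int = CODE_DIGITS) -> list:
    """Return `count` fresh random codes. The plaintext is shown/printed once and never stored."""
    return ["".join(secrets.choice(string.digits) for _ in range(digits))
            for _ in range(count)]


class BackupCodeStore:
    """Server-side record of the codes that are still unused, kept as salted SHA-256 hashes."""

    def __init__(self, codes: list, salt: bytes = None):
        self.salt = salt if salt is not None else secrets.token_bytes(16)
        self.unused = {self._hash(c) for c in codes}

    def _hash(self, code: str) -> str:
        # Users often copy codes with grouping spaces from the printout; normalise first.
        return hashlib.sha256(self.salt + code.replace(" ", "").encode()).hexdigest()

    def redeem(self, candidate: str) -> bool:
        """Accept a code once. On success it is removed, so a code that was copied
        or shoulder-surfed cannot be replayed later."""
        digest = self._hash(candidate)
        matched = None
        for stored in self.unused:
            if hmac.compare_digest(stored, digest):
                matched = stored
        if matched is None:
            return False
        self.unused.discard(matched)
        return True

    def remaining(self) -> int:
        return len(self.unused)

    def needs_regeneration(self) -> bool:
        """True once every code has been spent: the user must generate a new sheet."""
        return self.remaining() == 0


if __name__ == "__main__":
    codes = generate_backup_codes()
    store = BackupCodeStore(codes)
    print("first use:", store.redeem(codes[0]), "| replay:", store.redeem(codes[0]))
    print("codes left:", store.remaining())
```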

Create Google App Passwords

The thing is that not all programs can ask for a verification code, for example email clients and some smartphone applications. If you don't use them, just skip this step.

After enabling two-step authentication, all applications that used your Google account name and password will stop working and show the error “Invalid username or password”. For them to work, you need to generate special passwords.

To do this, go to “Application Passwords” as in the screenshot at the beginning of the article. Select the application type and device:

The wizard will show you the password. Save it, because you won't find it anywhere else: an application password is shown only once. After that you can only revoke it and create a new one. You can name it whatever you want; it will work in any application.

Then we simply paste this password in place of the Google account password, for example in Outlook instead of the old one. Yes, this is a security hole, because the application password is not tied to a computer. Once in possession of it, an attacker will be able to read mail and send letters, but will not be able to log into the Gmail account itself. As I said above, for better security it is better to disable receiving mail through email clients, and then you will not have to use application passwords at all.

How to turn off protected mode

To cancel login via SMS, go to the two-step authentication settings, as in the screenshot at the beginning of the article, and click “Disable”.

To remove the link to a phone completely, go to “Phone number” on the account settings page and delete it.

Conclusions

In this article, we figured out what needs to be done to make mail more secure:

  • Be sure to link Gmail to your phone and enable double authentication
  • For greater security, disable the ability to use email clients
  • If you are not sure about the security of your computer, then do not mark it as “trusted”
  • If you have difficulties using GSM communication, use Google Authenticator

And of course, don't forget about strong passwords. A decent password should be at least eight characters long and include uppercase and lowercase letters, digits, and punctuation marks.

You can change your password on the “My Account” page.

In this video I showed the whole process live.

That's all, be careful!

Two-step authentication enhances account security. If enabled, two components are used for login:

  • Something only you know (for example, a password).
  • Something that only you have (for example, a phone or an electronic key).

Step 1: Set up two-step verification

  1. Open the Google Account page.
  2. On the left navigation bar, select Safety.
  3. In the “Sign in to your Google account” section, click Two-Step Verification.
  4. Select Begin.
  5. Follow the instructions on the screen.

Select the second authentication step

When setting up the second stage of authentication, you can choose one of several confirmation methods: notification to phone, SMS, voice call or electronic key.

After you enter your username and password on the login page, Google will send a 6-digit verification code to your phone. Enter it in the field on the screen. You can choose whichever way of receiving codes is more convenient for you: SMS or voice call.

Electronic key

An electronic key is a small device with which you can confirm that your Google account belongs to you. When required, simply connect it to your phone, tablet or computer.

The electronic key provides additional security and allows you to log in without your phone.

Notice from Google

When you log into your account, a notification is sent to your phone. Confirm that it is you by selecting "Yes". If you click "No", Google will understand that someone else is trying to log into your account and will prevent attackers from hacking it.

A notification from Google is a safer and faster way to log into your account than a verification code.

Step 2: Set up backup methods

Set up backup methods for logging into your account in case you forget your password or lose your phone. To do this, follow these steps:

  1. Open the Google Account page.
  2. From the left navigation bar, select Safety.
  3. In the “Sign in to your Google account” section, click "Two-Step Verification."
  4. Select Begin.
  5. Click Choose another method.
  6. Select the appropriate option, for example:

Step 3: Change your account recovery information

Using a backup email address and phone number will help you regain access to your account if it gets hacked or you forget your password.

How to add or change a recovery email address

  1. Open the Google Account page.
  2. On the left navigation bar, click Personal data.
  3. In the Contact Information section, select Email.
  4. Provide or update your recovery email address.

How to add or change a backup phone number

  1. Open the Google Account page.
  2. On the left navigation bar, click Personal data.
  3. In the Contact Information section, select Telephone.
  4. Provide or update your backup phone number.

Undoubtedly, two-factor authentication is a necessary thing for protecting access to your accounts, but, you must admit, entering a verification code several times a day to get to your mail is very impractical. Just a couple of months ago Google simplified this procedure, and in this article we will explain how to protect your account by using your smartphone as an authorization device together with two-factor authentication.

What is two-factor authentication?

First, let's understand the concept of two-factor authentication. In most cases, we use a login and password to access our accounts. Such a simple procedure has one significant drawback: this data can be stolen and used by third parties. Two-factor authentication means accessing personal accounts in two steps. The first step is the login and password; the second is confirmation of the account owner using a digital code (by SMS or email), a voice message or a special device. Today this is the best authorization method from a security standpoint. Two-factor authentication has long been offered to users by Google, Apple, Microsoft, the social networks VKontakte, Twitter and Facebook, and many other popular services.

Smartphone instead of code

To use your smartphone as an authorization device, the first thing you need to do is enable two-factor authentication for your Google account. This can be done either through the web interface or directly in the account settings on your mobile device.

Method 1. Through the web interface
Method 2. On a mobile device
Now that you've enabled two-factor authentication, your account is accessed in two steps. For the second step, Google offers several options. In our case, we want the second factor to be the smartphone itself instead of an SMS message with a code. To do this, find the Google Prompt option and add your smartphone there.


It's worth noting that this procedure requires a device with an active screen lock. iOS device users will additionally need to install the Google app from the App Store.

How it works

After you have added your smartphone, you can try logging into your Google account through a browser on your PC. After entering your username and password, you will see a window with instructions on what actions you need to perform on your smartphone in order to log in. At the same time, the system will send you a login request to your phone. On your smartphone, you just need to confirm these actions and you will automatically log in to Google on your computer.

Using a smartphone as an authorization confirmation device is very convenient. But keep in mind that this method only works with an active Internet connection. Otherwise, you can always choose an alternative login option, for example, using a confirmation code from an SMS message.

We've previously written about - this is an additional layer of security to help protect your information on sites you frequently use.

If you want to get started with 2FA but don't know how, this is part of a series that will walk you through how to set up this service from popular websites and services.

Today, let's install 2FA for Gmail. It will only take a few minutes. All you need is your desktop computer and mobile phone.

Here are the steps:

1. Log into your Gmail account on your desktop computer (not your phone) - but keep your mobile phone handy, you'll need to do this in a few steps.

2. Once you're signed in, click on the round icon with the Google Account icon (or an email on your behalf) - it's on the very top right corner of the screen. Then click the "My Account" button.

3. You are now in the My Google Account area. On the left side, under "Sign in and security," click "Sign in to Google."

4. On this "Signing in to Google" page, you will see an option for "2-Step Verification", which should currently say "Off". Click it to begin turning it on.

5. Click the "Get Started" button on this small but convenient introductory screen.

6. Google will prompt you to re-enter your password.

7. On this screen, you need to enter your phone number, preferably a mobile number that you will often have on hand. (Make sure you select the correct country where your mobile phone is registered in the drop-down list!) Select if you prefer a text message or a phone call, then click the "Try It" button.

8. At this point, you should receive either a phone call or a text message – depending on the one you selected. Enter the numeric code you were given and click "Next".

9. Google should confirm that 2FA will work for your account, and you can now tell Google that you would like to enable 2FA for your account. Don't forget to click the "Enable" button!

And with that, two-factor authentication is enabled for your Gmail account.

In addition, you will receive an email to your Gmail account confirming this:

Next time you try to login to this Gmail account, after entering your username and password, you will see a screen like this:

You can select "Don't ask on this computer" if you're on a computer you trust, like the one you have at home, but this somewhat defeats the point of having 2FA in the first place.

All in all, it takes less than 5 minutes to get 2FA set up on your Gmail account—and it's something we highly recommend, especially if you use Gmail for sensitive transactions or billing.

Two-step authentication. A good idea, but in practice it only makes it easier to get access to your data, because it involves too many additional participants who may also have their own vulnerabilities.

I've been meaning to write about this for a long time, but somehow never got around to it. The other day, having already experienced all the charm of this method of protection, I decided that the time had come.

So, two-step authentication implies additional protection of your electronic data by linking your mobile phone and confirming logins or other transactions via SMS.

Situation: a person loses his phone. In my case, not a new, but a favourite, phone given to a girl. Half an hour after it was “lost,” it was successfully unlinked from iCloud. A non-standard unlock password was set on the phone, TouchID was activated, and the iCloud password confidently falls into the category of complex ones. The phone was blocked through the Find My iPhone service.

First case

The attacker finds out the Apple ID under which the phone is linked, as well as the phone number. There are methods for this for every taste, so let's skip this point. Let's say this is an email registered with Google.

Act one: the person goes to the mailer's address and clicks on recovering the password for the existing address, selecting SMS confirmation.

Act two: The phone is password protected and the display of incoming messages on the screen is disabled. Okay, we ask Siri to voice the last message and, despite the device being locked, we get the code.

Alternative option: after sending the SMS, select the call and calmly receive it on the locked device. We receive the code by voicing it with IVR.

Act three: We enter the password reset code into the mailer form, come up with a new password and gain control over the account.

Act four: we go to appleid.com, request a reset and receive a code for this on the already captured mail.

Act five: We unlink the device from the account, having already completed very simple operations to change the security questions.


Curtain.

It is worth noting that the procedure for restoring access to an Apple account may differ and in some cases imply an easier method - choosing in the form of restoring access to the “phone” account and receiving a code to enter the password directly on the Apple ID website. The method works if the device has already been assigned to an account for some time and is protected with a password or TouchID. Let's not dwell on this.

Second case

Let's assume that an attacker needs to gain access to data, but there is no phone to which confirmation via an access number is connected. Moreover, unlike the first case, the attacker initially knows “who” he is trying to hack. The target is mail.

I won’t undertake to talk about other countries, but in Ukraine, cellular operators have procedures by following which and answering certain questions from the call center operator, you can ask to reset your personal account password.

Act one: The attacker calls the operator's CC while the victim is sleeping, from any phone, saying that he needs to gain access to his personal account, but there is no way to call back from the phone to which this account is linked. What follows is a series of questions, the answers to which are easy to obtain in advance. I won't dwell on this point, but with about five attempts, without attracting attention and using different phone numbers for test calls to the CC, you can collect a list of all the necessary questions, which are the same for obtaining information on the subscriber's expenses, for restoring the SIM card of prepaid subscribers, and for restoring access to the personal account.

Act two: the attacker gains access to the victim’s account, where he sets all calls to be forwarded to his phone number. Or SMS forwarding, if the account technically allows it.

Act three: a gmail password reset is requested via the phone number. After the SMS is sent, you can indicate that it was not received and request a call; in testing, the call button appeared 60 seconds after the SMS was sent.

Act four: Having received the code to reset the password for gmail through the mailer’s IVR, the attacker gains access to the victim’s mail, and, accordingly, to most of the accounts that are assigned to this mail.


Above, I indicated that such actions are usually performed at night. The expectation is that when the SMS with the code arrives, the victim will not see it because they will be asleep. If the personal account of the hacking victim's mobile operator supports setting up SMS message forwarding, the time of day ceases to play a role.

Third case

This case applies when the hacking victim represents a certain financial or personal interest that goes beyond “reading correspondence on social networks” or unlocking a stolen phone. The third case is identical to the second, but involves large financial costs.

It is not difficult to find a person who will get a job in the call center of the telecom operator of interest, where, from the first days of the internship, this employee will be given a personal password to the subscriber service system, including the function of viewing call details (with or without the last digits, perhaps), as well as control panels for user services, including redirects, which I wrote about in the case above. It is possible that a personal password will be provided later; in this case, the training of a new employee is carried out using the login/password of an already experienced CC employee, who most likely already has access to all the necessary functions. This case is expensive only if there is nothing to compare it with and, of course, depends entirely on the goal.

Using the given elementary cases, or their variations, which there is no point in dwelling on, it is quite easy to gain access to various services and accounts. Unfortunately, well-functioning security measures, when combined, can sometimes backfire only by increasing the chance of hacking.

Protection methods: do not use two-step authentication in any important services. If possible, avoid adding the phone number you use to any Internet services, even if the number is ultimately hidden by privacy settings. It may be hidden from display, but it can be obtained through search tools or the password recovery tools of these same services.

Some telecom operators have other procedures for servicing subscribers, which to one degree or another increase user security, but in any case, the only question is how personally interesting you are to the person who will work to gain access to your personal data. In addition, I tried to superficially describe possible and proven attack vectors, but this does not mean that I described them all, just as it does not mean that when defending against some, we will not be exposed to others.

At the end of the post, I would like to add that I am not an expert in information security issues, I have nothing to do with it by occupation, rather it’s just a personal interest.

This is my first publication. Do not judge strictly, perhaps for some I described obvious things, but maybe for someone else this information will be useful and will at least slightly reduce the chance of losing or compromising your personal information.