2-Step Verification – My Best Advice for Gmail Users

If a good portion of your personal life now takes place on the web, then I have a bold statement to make: your email account may be as important as your social security number. In fact, it may be more important. Your email account may very well be a master key for access to your credit card, bank accounts, and your favorite web shopping sites. If someone can access your email account, they have a good chance of gaining access to just about every website you use. Using hard passwords and using different passwords (two common recommendations) probably won’t protect you if someone gains access to your email account.

Why is this true?

Just about every website provides a mechanism to retrieve or reset passwords via email to your email address on file. The bank I use most often does do a little bit of a better job. It doesn’t use my email address as the login name; it uses a User ID that can’t match my email address. And if I forget my User ID, it will email it to me, but I have to provide the last 6 digits of my social security number. But it isn’t hard to get someone’s social security number, so I rate it as only slightly better. The bottom line is that most websites use your email address as part of granting you access to their website and use that same email address to help you regain access when you forget your password. This makes your email account incredibly valuable!

What to do?

One step you can take that adds another layer of protection to your email account, with only a little bit of inconvenience, is to use two-factor authentication (TFA). TFA requires that you provide two pieces of information. Generally, one of those is something you know (usually a password), but the second is usually something you have (like a fingerprint) in your possession. If you are a Google user (Gmail, Google Apps, Google+, etc.), then you can use their 2-step verification. In addition to using a password, Google sends you a 6-digit code that works one time. They send you the code via a text message or a phone call. This happens as the next step after you successfully enter your password. Google has an excellent description and video on how it works.

Certainly two-factor authentication and Google’s 2-step verification are not perfect protection. But they do provide much greater protection than simply using a password alone on your email account. I strongly encourage you to start using it now.

Some other popular services have versions of two-factor authentication including Facebook, Dropbox, and Yahoo! Mail. Unfortunately, Microsoft’s hosted email (Outlook.com/Hotmail) doesn’t currently support this. I expect, however, that more and more websites and web services will add some form of two-factor authentication in the future. You should welcome this small inconvenience.