Welcome to the 4th and final installment of this series on Gmail Two Step Verification. This part will cover “App passwords”. App passwords are an extremely handy function of the Gmail Two Step system. They allow you to create custom, one-time passwords for two-factor accounts that can be used on certain apps. This option is only available if you have two-factor authentication enabled. It allows you to log in on apps that do not accept two-factor tokens (the unique, six-digit code). A good example of this is the iPhone’s native mail application. It can only accept a username and password. To link your two-factor protected Gmail account you must create an App password. Another good example that will come into play next week is the Thunderbird mail client.
App passwords also have an ancillary convenience benefit. If you have a long password on your Gmail account (up to 99 characters are allowed), it is difficult to input on your mobile device. App passwords are only 16 characters long and are composed only of letters and numbers. These passwords are easily input on tiny electronic keyboards. If you’re worried that this password will be used elsewhere – don’t. They are only good for one login. Once you’ve used it, it can’t be used elsewhere. To get started, log into your Gmail account. Click your avatar, then click the blue “My Account” button. Navigate to Sign in and Security >> App Passwords.
Click the drop-downs and select the service (Mail, Calendar, Contacts, YouTube, or Other) you desire. On the device drop-down select the appropriate device (next week we will use “Custom” for Thunderbird). Next, click “Generate”. Your unique, one-time, 16-character password will appear. At this point you should enter it into the password field of the application you are attempting to access. You will NOT be able to access this password again, so if you close the window prematurely you will have to generate a new app password.
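To show where the generated password actually ends up, here is an added example (not code from the original post) of what a username-and-password-only mail client does behind the scenes: an IMAP login to Gmail over TLS using the app password in place of the account password. It assumes the standard Gmail IMAP endpoint imap.gmail.com on port 993, reads the account and app password from the environment variables GMAIL_USER and GMAIL_APP_PASSWORD (both names are my choice), and accepts the spaced form in which Google displays the 16 characters, since the spaces are only there for readability.

```python
"""Log a username/password-only mail client into Gmail with an app password.

Added example, not from the original post. Assumes IMAP over TLS on
imap.gmail.com:993 (what Thunderbird or the iPhone mail app speaks) and
reads the secret from an environment variable so it never lands in the
script or in shell history.
"""
import imaplib
import os
import re
import ssl

# The App passwords page shows the secret as four groups of four characters
# (e.g. "abcd efgh ijkl mnop"); the spaces are display-only.
APP_PASSWORD_RE = re.compile(r"^[A-Za-z0-9]{16}$")


def normalize_app_password(raw: str) -> str:
    """Strip display spacing and check the 16-character letters/digits shape.

    Raising locally on a malformed value catches a pasted account password
    or a truncated copy before any secret is sent to the server.
    """
    compact = "".join(raw.split())
    if not APP_PASSWORD_RE.fullmatch(compact):
        raise ValueError("app password must be exactly 16 letters or digits")
    return compact


def imap_login(user: str, app_password: str, host: str = "imap.gmail.com") -> list:
    """Authenticate with the app password over TLS and return the mailbox list.

    The app password goes into the ordinary LOGIN command; the server issues
    no second-factor prompt for it, which is exactly why legacy clients work.
    """
    ctx = ssl.create_default_context()  # verifies the server certificate chain
    with imaplib.IMAP4_SSL(host, 993, ssl_context=ctx) as conn:
        conn.login(user, normalize_app_password(app_password))
        status, mailboxes = conn.list()
        if status != "OK":
            raise RuntimeError(f"LIST failed with status {status}")
        return mailboxes


if __name__ == "__main__":
    account = os.environ["GMAIL_USER"]          # e.g. you@gmail.com (hypothetical)
    secret = os.environ["GMAIL_APP_PASSWORD"]   # pasted from the App passwords page
    for box in imap_login(account, secret):
        print(box.decode())
```

Run it as `GMAIL_USER=you@gmail.com GMAIL_APP_PASSWORD='abcd efgh ijkl mnop' python3 app_password_login.py`; a successful run lists your mailboxes, and after you click REVOKE on that app password the same command fails at `login`, which is the logout-on-revoke behaviour described below.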
You can generate an unlimited number of app passwords. I recommend that you create the bare minimum, and revoke old ones as soon as they are no longer needed. When you revoke a passcode, the app that was logged into your account will be logged out. To regain access with that app you must generate a new app password.
To revoke an app password, simply click “REVOKE”. This password can no longer be used. You should revoke any unused app passwords. You should also revoke relevant app passwords immediately in the event you lose your device.

Revoking Trusted Devices: As I have mentioned earlier in this series, it is possible to designate some computers as “trusted”. This means you will not be required to enter your second authentication factor when logging in from these machines. I only recommend doing so on computers that are full disk encrypted OR that never leave your home. There is a safety (NOT security) benefit to having one trusted device: if you lose your phone or security key you will still have access to your account. You can then turn two step verification off until you recover your device. To revoke trusted devices navigate to the Gmail Two Step Verification page. Scroll to the bottom to “Devices you trust”. Click “REVOKE ALL” and confirm.
I hope you have learned something and (maybe even) enjoyed this series. This started as a single post until I realized the sheer immensity of Gmail Two Step Verification can be overwhelming (to reader and writer alike!). As always, if there is something you’d like to see covered, don’t hesitate to let me know!
If you enjoyed this article and would like exclusive content, sign up for the Operational-Security Newsletter.