Gmail Two Step Verification Pt. 3

In the third part of my series covering Gmail Two Step Verification I will talk about an advanced topic: the Security Key option.  The security key is a physical device that plugs into your computer’s USB port.  By far the most common and popular iteration of this concept is the Yubikey.  There are three current versions of this device: the Yubikey 4, the Yubikey Neo, and the Yubikey Nano†.  All of these devices have slightly different capabilities, but their core function is the same.  They serve as a strong second authentication factor.

To enable this option, you first need a U2F (Universal Second Factor)-capable device like a Yubikey.  Log into your Gmail account.  Click your avatar, then the blue “My Account” button.  Navigate to Sign-in and Security, and Two Step Verification.  Now scroll to and click “SET UP ADDITIONAL SECOND STEP”.


The next screen will give you some information about registering your Security Key.  Click “NEXT”.

You will be required to enter your password.  Enter it and click “Sign in”.  Ensure that your security key is NOT inserted at this point.

On the next screen you will be prompted to register your security key.  This will require that you insert the security key.  When instructed, touch the top of it.  This will prompt it to transmit the unique code to Google.

When the code is received and accepted you will see the screen below.  Be aware that this automatically makes the security key the default “second step”.

To log in with the Security Key, enter your username and password.  You will be presented with the screen shown below.  It will prompt you to insert your security key.  You must then physically touch the ring on top of the key.  This will transmit the unique code and verify your identity.

The security key option is one of the most secure ways to use Gmail Two Step Verification.  Your security key will also work on a number of other services.  Dropbox, LastPass, Password Safe, and WordPress all support the Yubikey as a second authentication factor.  It can also be used to unlock your full disk encrypted computer – just don’t lose it!

Yubico recently sent me samples of the Yubikey 4 and Nano models.  Look for a full review soon.

If you enjoyed this article and would like exclusive content, sign up for the Operational-Security Newsletter.

Email Threat Models

In a continuation of my series on threat modeling, this post will address email threat modeling specifically.  Selecting an email provider (or set of email providers) can be difficult if privacy and security are your chief concerns.  Gmail is abysmal when it comes to privacy, but even paid providers struggle to match its security.  Selecting an email provider for sensitive communications should be done based on your threat model(s), and you may end up maintaining several accounts for different purposes.  It is my hope that these threat models will provide some clarity into what threat(s) each email provider defends you against.  I also hope this helps you choose a setup that you are comfortable with.

Gmail Two Step Verification Pt. 2

In Part I of this mini-series on Gmail Two Step Verification, we covered enabling two-factor with SMS messages.  In today’s post we will delve into some additional options.  These options offer some additional convenience and flexibility, as well as increased security.

Backup Codes:  Backup codes are unique, 10-digit codes that can be used to gain access to your account if you lose your phone.  This is a safety feature, and a fairly good one.  After enabling two step verification you should generate these!  To do so navigate back to your sign-in options (My Account >> Sign-in and security >> Two Step Verification).  Scroll down to Backup Options.  You have the option to choose a backup phone or create backup codes.  If you wish to use a backup phone, ensure it belongs to a trusted party like your spouse.  Otherwise, click “Backup codes”.

A pop-up will appear displaying your backup codes.  You can print them, save them to a .txt file, or copy and paste them.  I prefer to copy and paste them into the “Notes” section of my password manager entry.  Regardless of where you choose to store them, they should be stored securely.  An attacker can use these codes to gain access to your account.
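To make concrete why these codes must be guarded like a password, here is an added example (written for this page, not code from the original post or from Google) of how a provider would issue and check backup codes: each is a random 10-digit number, the server keeps only a salted, stretched hash, and a code is consumed the first time it is accepted.  The in-memory store and the PBKDF2 work factor are assumptions for illustration.

```python
"""Backup codes as a provider would issue and check them: drawn from a
CSPRNG, stored only as salted, stretched hashes, and each redeemable once.

Standard library only.  The store is an in-memory stand-in (assumption) for
the provider's account database; it is an illustration, not Google's code.
"""
import hashlib
import hmac
import secrets

CODE_DIGITS = 10
# A 10-digit code carries only ~33 bits of entropy, so the stored hash is
# stretched with PBKDF2 to slow offline guessing if the database leaks.
KDF_ITERATIONS = 50_000


def generate_backup_codes(count: int = 10, digits: int = CODE_DIGITS) -> list:
    """Return `count` zero-padded numeric codes from the OS CSPRNG."""
    return [str(secrets.randbelow(10 ** digits)).zfill(digits) for _ in range(count)]


class BackupCodeStore:
    """Holds hashes of one user's unused codes; plaintext exists only on the user's side."""

    def __init__(self, codes):
        self._salt = secrets.token_bytes(16)  # per-user salt
        self._hashes = [self._hash(c) for c in codes]

    def _hash(self, code: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", code.encode(), self._salt, KDF_ITERATIONS)

    def remaining(self) -> int:
        """How many unused codes the user still has (useful for a 'regenerate' warning)."""
        return len(self._hashes)

    def redeem(self, code: str) -> bool:
        """Accept a code at most once, comparing in constant time against every stored hash."""
        candidate = self._hash(code.strip().replace(" ", ""))
        for i, stored in enumerate(self._hashes):
            if hmac.compare_digest(stored, candidate):
                del self._hashes[i]  # burn it: a copied or shoulder-surfed code is now worthless
                return True
        return False


if __name__ == "__main__":
    codes = generate_backup_codes()
    print("issue these to the user once:", codes)
    store = BackupCodeStore(codes)
    print("first use accepted:", store.redeem(codes[0]))
    print("second use rejected:", not store.redeem(codes[0]))
```

Because the server keeps only hashes, the printout (or the password-manager note) is the single copy of the plaintext; whoever holds it can log in exactly once per code, which is why the post tells you to store them as carefully as the password itself.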


Authenticator App:  The next option we will look at is using an authenticator app rather than receiving SMS messages.  Text messages work great, but may be less secure.  If your phone account is hacked, the attacker can forward your messages (including your two-factor codes) to his phone.  Also, if you are in an area with no reception or overseas, you will be unable to log into your account.  Before you begin you need to install a two-factor authenticator app on your device that utilizes the TOTP (Time-based One-Time Password) protocol.  I recommend using Google Authenticator (Android, iOS) or Authy (Android, iOS).  You are now ready to begin.  To enable this feature, log in to your account.  Navigate to My Account >> Sign-in and security >> Two Step Verification.  Just below your second factor (your phone) will be an option to “SET UP ADDITIONAL SECOND STEP”.  Click this option and select “Authenticator app”.

The next screen will ask you what kind of phone you have (Android or iPhone).  Select the appropriate radio button and click “Next”.


The next screen will display a QR code that you must scan with your authenticator app.


At this point, open the app on your mobile device.  For this example I used Google Authenticator but the process is similar for Authy.  Tap “Begin Setup”.  On the next screen tap “Scan Barcode”.  It will request access to your camera; allow this.  The app will scan the QR code which will add the account.  Your phone’s screen should now display your second authentication factor.


Back in your browser, you will now be prompted to enter the code your app generated.  This is to make sure everything was set up correctly.  Enter the code and click “Verify”.


Gmail Two Step Verification should now be set up with the app as your default second factor.
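The QR code scanned above encodes an otpauth:// URI carrying a shared secret, and from then on the app and Google each compute the same six-digit code from that secret and the current time.  The following is an added example (written for this page, not code from the original post, from Google, or from the authenticator apps) that parses such a URI and implements TOTP per RFC 6238 on top of HOTP per RFC 4226, including the server-side check with a small clock-drift window.  The sample URI and its secret are constructed for illustration; the secret is the RFC test-vector key, not a real account secret.

```python
"""TOTP (RFC 6238) as authenticator apps compute it, plus a parser for the
otpauth:// URI that the enrollment QR code encodes.

Standard library only.  SAMPLE_OTPAUTH_URI is constructed for this example;
its secret is the RFC 4226/6238 test key, not a real account secret.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample of what a provisioning QR code contains (assumption: the
# Google Authenticator "Key URI" format, which other TOTP apps also read).
SAMPLE_OTPAUTH_URI = (
    "otpauth://totp/Example:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30"
)


def parse_otpauth(uri: str) -> dict:
    """Extract the fields an authenticator app needs from an otpauth://totp/ URI."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {
        "label": unquote(parts.path.lstrip("/")),
        "secret": params["secret"],
        "issuer": params.get("issuer", ""),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
    }


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)  # tolerate unpadded base32
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at=None, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period).  This is what the phone shows."""
    at = time.time() if at is None else at
    return hotp(secret_b32, int(at // period), digits)


def verify_totp(secret_b32: str, code: str, at=None, period: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check.  Accepts the current step and +/- `window` neighbouring
    steps to tolerate small clock drift between phone and server; each comparison
    is constant-time so timing does not leak how many digits matched."""
    at = time.time() if at is None else at
    step = int(at // period)
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret_b32, step + delta, digits), code):
            return True
    return False


if __name__ == "__main__":
    account = parse_otpauth(SAMPLE_OTPAUTH_URI)
    now = time.time()
    code = totp(account["secret"], now, account["period"], account["digits"])
    print(account["label"], "current code:", code)
    print("server accepts it:", verify_totp(account["secret"], code, now))
```

A production verifier also records the last time step it accepted for the account and rejects any code at or before it, so a code observed over someone's shoulder cannot be replayed inside the drift window; that bookkeeping is left out here to keep the algorithm visible.  The example uses HMAC-SHA1 and 30-second steps because those are the defaults the apps named in the post assume when the URI omits them.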

Part III of the Gmail Two Step Verification series will cover the Security Key option.  It will also discuss revoking trusted machines.  Stay with me!

Gmail Two Step Verification Pt. 1

I am a strong proponent of two-factor authentication.  It greatly reduces the chance of an attacker getting into your account.  I have recommended it here on the blog, and in my books.  Only recently did I realize I have not posted explicit instructions for how to set it up.  Since Gmail is one of the most popular email providers today, I will begin with it.  Using Gmail also has an additional benefit: it has almost every two-factor option possible.  Learning on Gmail is a good way to learn how to set up two-factor authentication generally.  If you do not have a Gmail account, this would be a good reason to set one up – it is an excellent learning tool.  This post will be a step-by-step tutorial for setting up Gmail Two Step Verification, and will be the first of four parts.  This part will cover the basic setup.  Part 2 will discuss some intermediate topics like backup codes and using Authenticator.  Part 3 will discuss using the “Security Key” and revoking trusted machines.  Part 4 will cover “App Passwords”.

To begin using Gmail Two Step Verification, log in to your Gmail account.  Next, click your avatar in the upper-right corner of the interface and click the blue “My Account” button.

This will take you to a screen showing you privacy and security options for your Gmail account.  Click “Sign-in and Security”.

On the following screen, click “2-step Verification”.

The next screen will provide you some light information about Gmail Two Step Verification.  To continue the setup process click the blue “Get Started” button.

Gmail Two Step Verification requires that you provide a phone number.  This will be used to send your verification codes.  Enter your phone number on the next screen.  Select text (SMS) message or voice calls.  I recommend text messages unless you have a good reason for wanting voice verification.

You will be sent a text message at the number you provided.  The message will contain a unique, six-digit code.  On the next screen you will be prompted to enter this code.

If you entered the code correctly, it should have worked.  On the next screen you will find out if it did (it probably did).  You will also have the option to “TURN ON”.

After clicking “TURN ON”, Gmail Two Step Verification is enabled.  When you log into your Gmail account you will be prompted to enter your username and password.  Before being allowed into your inbox, you will also have to enter the one-time code that will be texted to you.  Note the red box indicating “Don’t ask again on this computer”.  You should uncheck this box on any computers you do not trust.


Stay tuned for Part II of this mini-series, where we will get into some more advanced features of Gmail Two Step Verification!