When you bump into people at a funeral discussing e-mail security problems, you know it’s a mainstream issue. A woman we were chatting with just spent the better part of two weeks restoring access to her MSN account after she received a variation of the “Mugged in London” scam. The result was someone hijacked her account and she had to work through MSN to restore access.
Just like Facebook’s support for SSL, using two factor security for Google is something everyone needs to implement.
The process is detailed on The Official Google Blog – Advanced sign-in security for your Google account.
The process is called 2-step verification – this allows you to link your account to your mobile phone, a Mobile application (Google Authenticator on the Android), and printable backup codes that you can keep in your wallet. In addition, you can have application-specific passwords to supposed access on your smartphone.
If you’re running Google Apps on your smartphone, I recommend doing this all at once – it will eliminate password prompts and confusion later.
The process also provides a summary of Connected Sites, Apps, and Services that have access to your Google Account. In my case, this includes paulbegley.com access to Blogger, pulsememe.com (Google Reader), google.com (Google Calendar), and tweetdeck (Google Buzz). I had forgotten about setting up Pulse access to my RSS feeds on Google Reader, but it was a good reminder.
You can revoke or renew access at any time using the 2-step verification process.
UPDATE: Note that once you enable advanced sign-in security, you may need to generate a new password for third party applications. I ran into this with Feeddemon, but it was a simple fix:
- In Google, sign in and go to My Account.
- Click on Using 2-step verification
- Go to Application-specific passwords
- In the section “Generate new application-specific password”, enter the name of the application (Feeddemon for my example), and click “Generate Password”
- A unique password will be generated containing four four character, alpha-numeric characters. Paste this into the password prompt for your application, and you will be authenticated.