Tuesday, July 3, 2012

Google Account Howto - Protect and secure your Google Account (Gmail, Google+, Google Drive...) with strong authentication (turn your phone into a software secure token, use 2-step authentication)

The Goal:

How precious is your Google account to you? Does Google host your mail, your contacts, documents of all sorts (thanks to Google Drive), professional or confidential data? Do you think protecting it with a password alone (even a strong one) is enough? You may be wrong!

Google offers a great free service which is by far the best way to secure access to your account; it really improves the security of your Google services and of your personal data.

They call it "2-step verification"; in a professional environment you may already know it as "strong authentication", such as RSA SecurID and other enterprise solutions.

Of course Google gives you all the required explanations here:

My goal here is to present this great Google service and help you activate it in a few simple steps.
It will drastically improve your account security!

With this service, to connect to your account an attacker would need your login name, your current password and your smartphone (or one of your printed backup codes)!


What you need:


  • First of all, a Google account! ^^
  • A computer
  • A smartphone that will act as the security device: iOS, Android or RIM/BlackBerry (an iPad could also do the job, but you will have to always keep it in your pocket!)
  • Optionally a printer, to print your backup codes and keep them somewhere safe

Step 1: Connect to your Google Account and activate 2-step authentication


  • Connect to your Google account management interface and sign in:
 (you may also connect to any Google service such as Gmail, Google Drive... and access your account settings from there):

  • When connected, click on "Security" (bottom left of the page):
  • In this new page, look at the middle of the page and click on "Edit":
  • In the animation page, click on "Start setup" (bottom right):
  • Enter your (real) phone number, select "Text message" as the way to receive the activation code and submit:

  • You will receive a text message from Google; enter the received code:
  • Choose whether or not to trust the computer you are connected to for 30 days:
If you are on your personal computer you can activate this to avoid having to submit a verification code from Google Authenticator at every sign-in.

If you are on a non-private computer, do not activate this: it is not a computer you can trust!


  • Confirm to activate:


  • In the new page, sign in (you do not yet need to provide a verification code because the setup is not finished yet ^^); the following page will open:

  • Answer "Do this later"; we will take care of that a bit later
  • VERY IMPORTANT: print your backup codes in case you lose your phone!!!

Print the backup codes provided by Google and always keep them on you (or at home if you prefer). With these codes you will be able to connect to your account and deactivate 2-step authentication if you lose your phone and cannot get a new code quickly.

Without these codes, without your phone and without access to a text message Google could send you if required, you will irremediably lose access to your account!!!

  • Configure your phone: click on your smartphone's system:


  • You will get this page:


  • Take your phone and install the Google application "Google Authenticator":
With Apple's iPhone:



  • Open Google Authenticator:
NB:
Sorry, the screenshots will be in French :)

As I already had a Google account configured, you will see one at the bottom of the screen.
As a consequence, you now know that you can have several Google accounts configured with 2-step authentication!



  • Select the "plus" sign and then select the option "Read bar code":




  • Point your smartphone camera at the bar code; Google Authenticator will detect it and automatically add the associated account in the application!
  • Last step: enter the validation code displayed by your phone into your web browser and submit. You're done, 2-step authentication has been activated.


Step 2: Sign out and access your account using 2-step authentication

How does it work:

Google Authenticator automatically generates a new validation code for your account every 30 seconds. The code is computed from the secret that was shared with Google when you scanned the bar code and from the current time, so the phone needs no network connection to produce it.

When you sign in on any non-trusted computer, you will be required to provide:

- Your login name
- Your account password

And now the Google verification code. It must still be valid when you enter it in your browser and submit; if not, try again with the newly generated code.

As explained before, you also have the possibility to mark the computer you are connecting from as a trusted computer.
In other words, if you allow that, no validation code is required for 30 days, and so no 2-step authentication on that computer.

Of course, you should only do that with your own personal computers.
  • Sign in to your account as usual (if not done before, sign out before signing in again)
You will get this new window on any non-trusted computer:

If you want to trust this computer, tick the box.

In any case, enter the code provided by Google Authenticator and click "Verify"; if your code is valid you will be connected.

You have to do this every time you connect from a non-trusted computer.

Step 3: Configure "application-specific passwords" for other accesses to your account

Any application that was connecting to your account will stop working once you have activated 2-step authentication.

For example, your Apple Mail application will be unable to connect to your account until you configure a specific application password for it; the same goes for your iPhone, Chrome synchronization...

This is the case for any application that automatically connects to your Google account and for any Google service associated with your account.

  • Configure a specific application password for each access needed (you do it once per application that needs access)
Go back to your account management.

Select "Authorizing applications and sites":

On the new page, choose a description for your application and click "Generate password":


You will get a dedicated password for your application:


Then simply configure your application (in the example, your Gmail account configuration on your iPhone) using this password instead of your account password, and you're done!

Repeat this operation for each application that needs access to your account.

Keep in mind that such a password lets the application into your account without any verification code, so give each application its own one and revoke it from the same page if you lose the device it was configured on.


Conclusion:

You're done: your Google account access is now much better secured than with a standard password mechanism alone.

It happens very often that well-known Internet companies are hacked and their password databases stolen; if you have the bad idea of reusing the same password (or even the same pattern), it is not really difficult to associate it with your Google account and gain access to it...

With strong authentication as Google provides it, things are much more complicated: hacking your account will not be easy anyway!

In conclusion, with the constant development of cloud services like Google Drive, such a security mechanism becomes necessary, and something you really have to consider if you care about protecting your data.