The two-step authentication process, which has been available for Google Apps customers since September 2010, is being slowly rolled out to all Google users. It might seem a bit confusing and intimidating to some users, and definitely time-consuming to set up, but it’s worth the hassle because of the robust protection it offers to your entire Google account and all the valuable data it holds.
What is two-step authentication?
Most login systems on the web use ‘one-factor’ authentication, where you enter one password and you’re in. But if that password gets compromised, you’re screwed. More secure systems require both a password and a physical card or dongle to log in. These are called ‘two-factor’ systems, because they require both your password and another key, and are far more secure because a hacker probably isn’t going to have that physical token.
Google’s system uses your mobile phone as the physical keycard. Once you enable 2-step verification on your Account Settings page (if you don’t see it yet, don’t worry because Google is rolling it out over the next few days), you will be required to provide both your password and a security code that is sent to your mobile phone as a text message at the time of login. The security code can be used only once, so you don’t have to remember it.
This might seem a hassle every time you log in to Google, so you have the option to make the computer remember the verification code for 30 days.
For third-party applications like email clients and mobile devices, you have to generate unique application-specific passwords, each of which can be used only for that application. You'll only need to generate the new password for each application once, unless you decide to revoke access to that application or device.
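The pieces described above (a single-use texted code, the 30-day remember option, and revocable application-specific passwords) can be modelled on the server side as in this added example. It is an illustration written for this article, not Google's implementation; the class and method names and the 5-minute code lifetime are assumptions.

```python
import hashlib, hmac, secrets

REMEMBER_SECONDS = 30 * 24 * 3600   # "remember this computer for 30 days"
CODE_TTL_SECONDS = 300              # assumed lifetime of a texted code

class TwoStepAccount:
    """Toy model of one account with 2-step verification (hypothetical)."""

    def __init__(self, password):
        self._salt = secrets.token_bytes(16)
        self._pw = self._hash(password)
        self._pending = None    # (code, expiry) of the last texted code
        self._trusted = {}      # remembered-computer token -> expiry
        self._app_pw = {}       # app label -> hash of its own password

    def _hash(self, secret):
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), self._salt, 100_000)

    def send_code(self, now):
        """Create the 6-digit code that would be texted to the phone."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending = (code, now + CODE_TTL_SECONDS)
        return code

    def login(self, password, now, code=None, device=None, remember=False):
        """Interactive login; returns (ok, remembered_computer_token)."""
        if not hmac.compare_digest(self._hash(password), self._pw):
            return False, None
        if device and self._trusted.get(device, 0) > now:
            return True, device          # remembered computer: no code needed
        pending, self._pending = self._pending, None  # any attempt burns the code
        if not (pending and code and now <= pending[1]
                and hmac.compare_digest(code.encode(), pending[0].encode())):
            return False, None
        token = None
        if remember:
            token = secrets.token_urlsafe(32)
            self._trusted[token] = now + REMEMBER_SECONDS
        return True, token

    def new_app_password(self, label):
        pw = secrets.token_hex(8)        # shown once; only its hash is stored
        self._app_pw[label] = self._hash(pw)
        return pw

    def revoke_app_password(self, label):
        self._app_pw.pop(label, None)

    def app_login(self, label, app_password):
        stored = self._app_pw.get(label)
        return stored is not None and hmac.compare_digest(self._hash(app_password), stored)
```

Because each application has its own password, revoking one (for a lost phone, say) cuts off that device without changing the main password or disturbing the other applications.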
All this looks awfully complex, but it serves a useful purpose: providing enhanced protection to all users.
For detailed instructions on how to set up and use the two-step authentication, visit this help page.