Goondu how-to: Setting up two-factor authentication for Gmail

September 16th, 2011 | by Aaron Tan

If you’ve been paying your credit card bills online, you should be familiar with the token PIN that’s required to access most Internet banking services in Singapore.

This security mechanism is commonly known as two-factor authentication (2FA), which requires users to enter a token-generated PIN, plus the usual username and password to access online banking sites and corporate networks.

Besides financial institutions, the Singapore government and some large corporations have also issued employees with tokens for an added layer of security.

My Gmail account was hacked last week and it was only then when I realised that Gmail has a little-known 2FA feature known as 2-step verification – at least I didn’t know about it until now.

Once you turn it on, anyone who tries to access your Google account on an unauthenticated device will need to enter a PIN generated by Google Authenticator, a smartphone app for iPhones and Android devices. In other words, your phone becomes your token.

Setting up 2-step verification is easy and Google has a detailed guide here. For those who want a quick run-down on how to do this, follow these steps:

1. Download the Google Authenticator app from the Android Market, iTunes App Store or for BlackBerry devices.
2. Sign in to the 2-step verification settings page on a computer.
3. Select your device (iPhone, Android or BlackBerry), and tap Next to generate a QR code that will be used to link your device with Gmail.
4. Launch the Google Authenticator app and tap on the plus icon to authenticate your Gmail account. Accounts can be added manually by entering your Gmail access credentials, or using a bar code scanner app to scan the QR code generated in Step 3. If you don’t have a scanner app, download one.
5. Click on next on the computer, then enter the verification code on your phone in the Code field and click Verify.
6. If the code is correct, a confirmation message will be displayed. Then, click on Next.
7. Now, you will see a list of backup codes that can be used to access your Google account if your phone gets stolen. Save this list or print it out, then click Next.
8. You will also be asked to add a backup phone number for a backup code to be sent to you if you lose your phone. Complete the set-up by sending a test code to the backup phone.
9. Once you are done, sign in as usual to your Gmail account. Check “Remember verification for this computer for 30 days” if you do not want to keep entering a verification code each time you sign in for the next one month.

Note: If you’re using your Google credentials to log on to third-party websites and apps, you may be prompted to enter an authentication code to access those websites.



  1. getthegoose says:

    Are you sure your Gmail account was hacked into? Are you so important and your emails so classified that there are people wanting to hack into your Gmail? Really?? Or was that a lie by Gmail to dig your mobile number out of you? If I were a hacker, I’d hack into banks or government offices. I wouldn’t waste my time on individual email accounts.

    If indeed a hacking had taken place, the problem in the first place is that you did not properly secure your PC and your Internet access. Nothing to do with Gmail or Google.

    If you HAD been properly securing your PC and your Internet access, and all your other email accounts (Hotmail, Yahoo, etc) were fine and intact, then it is highly unlikely that your Gmail was hacked into. More probably, that was a tactic by Google to get your mobile number off of you.

  2. getthegoose says:

    LOL! Are you SERIOUS? Give Google more of your personal data like your mobile phone number? You must be joking!!!

    Why not write about what can happen if you lose your mobile after setting up (stupid and unnecessary) 2FA? Or if you try to access Gmail on another PDA with this (really dumb) 2FA? Or if you have to change your mobile number or you are using 2 or more mobile numbers?

    There are also international legal issues involved. Your mobile number belongs to your phone company in your country. Who says we can give it out to another company in another country? To do as they wish with it. You think they only need it for 2FA for Gmail? Oh, please!

    Gmail now PREVENTS me from accessing 2 of my Gmails, and that is AFTER I have entered my user ID and password on the same PC (so the same IP address recorded) which I have always used. Gmail tells me there has been “suspicious activity” in my Gmail account and demands that I give my mobile number before they will allow me access to my Gmail inbox, and that is AFTER I login with my user ID and password….but still no access! So WHAT is the user ID and password FOR? I shall give my mobile number to whom I please, that is, I choose, my choice, my decision. I do NOT want to give my mobile number to Google. So why force it out of me in this manner? This is a dishonest and sneaky way of gleaning users’ personal data. Google has already announced it will keep all of their users’ personal data on their servers indefinitely!

    I still can’t access these Gmail accounts and this has been ongoing for the last 4 months. “Suspicious activity” for 4 months straight?? Come on, Google thinks I’m a moron or what? I’ve switched to Thunderbird email client and eventually will delete all of my accounts anywhere in Google or related to Google, such as YouTube, etc.

    And don’t even get me started on the privacy issues and the ‘bugginess’ (which I think is deliberate) in Google+, for not only myself but for all my contacts in ALL my Gmail accounts! I deleted my highly invasive (damned) Google+ after only 1 hour of using it.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.