Setting up 2-step verification options on your Google Account

Enabling 2-step verification is to add an extra layer of security to your Google Account for greater protection. However, if this is not set up properly, it may, under certain situations, keep the legitimate owner of the account away from accessing his or her own account.

After noticing multiple threads on this topic in both the Gmail and the Google Accounts help communities, where the users have lost access to their accounts over something trivial or through an oversight, I feel this is a good time to write a blog on how to set up the various 2-step verification options on a Google Account.

This article is also intended to help users who find setting up the different 2-step verification options difficult or complex.

For ease of understanding and navigation, we shall divide this post into the following sections:

Section 1: Setting up 2-step Verification.

We begin by visiting the Google Accounts Security page, either by typing in the https://myaccount.google.com/security URL inside the browser's address bar or by clicking on the link from here (it opens in a new window). Another way would be by first clicking on the circular profile icon in the top-right of the screen, then clicking on the Manage your Google Account button and finally clicking on the Security tab in the left panel of the Google MyAccount home page and scrolling down to the Signing in to Google section.

With 2-step verification turned off, the screen will look as shown below.

Click on anywhere in the section highlighted by the red rectangle to get to the next screen. Some basic information related to 2-step verification will be shared with you.

Almost nothing we see during this process is unimportant, so it is best to read through the information before clicking on the blue Get Started button.

You will be asked to sign in, as is the norm before accessing sensitive account information or performing any action the system deems critical.

The 2-step verification can use both the number and device-based verification and you are shown the available options.

We are going to go through the entire process systematically, so we begin by entering a phone number and the mode of receiving the second verification code via Text Message to proceed. We shall explore the Security Key and Google Prompt options in due course.

At this stage, there are certain details to be kept in mind

It is best to not use a landline number in case you frequently travel and may want the codes to be delivered to your travelled location. (Yes, there are backup options, but it is best to have multiple options).
Never enter a Google Voice or any other similar numbers, temporary numbers offered by websites or a disposable virtual number.

Google will send a text message to the provided number to verify your access to it.

We enter the 6-digit code in the provided field and click on the Next button.

We are almost there! Clicking on the Turn on button will enable 2-step verification on the account.

We now see 2-step verification turned on for the Google account. We are also reminded that

Currently, the default way to receive the second verification code from Google is via Text messages.
If this Google account is signed in to any eligible phone, the Google prompt for 2-step verification, about which we saw a fleeting mention on the starting screen with the Security key, will be added as an option.

We scroll down to find a list of backup options.

Before we proceed, this is a good time to answer a couple of relevant questions.

Why are 2-step verification backup options important?

It is absolutely essential to have multiple backup options to keep the account accessible under different circumstances such as:

The device is misplaced, lost, damaged or stolen.
The device can't access the internet for whatever reason.
The device doesn't have a signal to receive a text message or a voice call.
The device is factory reset.
The device is a new or previously unused device for that Google account.

These also are the common reasons why people tend to get locked out of their accounts and post in the Gmail and Google Accounts Help communities for assistance, but in most of those scenarios, the damage had already been done and there would be very little, if anything, that could be suggested or done to regain access.

I already have my recovery options listed. Do I still need to have 2-step verification backup options?

Yes, you must. That's because, when you enable 2-step verification on your account, you literally instruct the system to verify everyone, including yourself by that process without exception going forward. So, it is also understood that you shall be mindful of the necessary details you need to possess to identify yourself as the owner via the 2-step verification process because the absence of 2-step verification options on your part will not cause the system to downgrade the security level or the verification process to the basic level that can be accomplished by just using the basic recovery options.

In other words, the basic recovery options are not backup options for your default 2-step verification option. Other 2-step verification options are backup options for your default 2-step verification option. So, it will be wrong to assume that when you are unable to verify using the default 2-step verification option, the system will use the basic recovery options to verify you. It will not.

Section 2: Generating the 8-digit offline backup codes.

The questions answered, we go back to generating the 2-step verification backup codes for our Google Account by clicking on the ">" arrow sign in that section and then clicking on the + Get backup codes button.

This will give us a batch of ten (10) 8-digit codes to be used as the second verification when we couldn't access any of the other 2-step verification options.

Please note the phrase safe but accessible. Do not save the files under Google Drive, Photos, Keep etc. for the same account, Do not save the backup codes even on the same device as a loss, theft, or damage to the device can make those codes inaccessible or a factory reset can wipe that batch of codes away.

Now that we have generated the 2-step verification backup codes, it shows up under our available second-step options.

Section 3: Setting up the Google Authenticator App.

We now move on to add Google Authenticator as our backup option. But before that, a few necessary information to prevent mishaps.

The Google Authenticator app doesn't come with any backup or restore features for the accounts added to it. So, to protect against that, it is important to ensure you have other backup options required to sign into them.
The only way to export data from the Google Authenticator app is via the QR scan method explained here - https://support.google.com/accounts/answer/1066447?hl=en.
The Google Authenticator app doesn't offer a web UI to sign into. However, there are other similar TOTP/HOTP apps that do offer a web UI to sign in from, providing you with another way to generate the second verification code.

To set up the Google Authenticator option, we click on the ">" icon in the Google Authenticator app section and follow the prompt.

Once verified, we see the confirmation that the Google Authenticator is added as a 2-step verification option on the account.

One important detail to note here is that the Google Authenticator option is added as the default option. The rationale behind it is that the system has a hierarchy of options based on how secure they are and when a more secure option is added, the system makes it the default option for the 2-step verification process.

Section 4: Setting up Google Prompts.

We now proceed to add the Google account to an eligible device to enable the Google Prompt option for 2-step verification. It is important to remember is that if we add the account to multiple devices, then the prompt will be received on all those devices. So, be mindful of this detail when you plan to access your Google account on someone else's device. Instead of signing in to the account via the Gmail mobile app, sign in using the browser's Private/Incognito/Guest window.

The steps to add an account to an eligible device is out of scope for this blog, so here's the screenshot of how the 2-step verification page looks once the Google account is added to an eligible device.

Since the system deems Google Prompts more secure than the Google Authenticator codes, it automatically elevates it as the default option.

Note: While you can't change the default option, you can use any of the 2-step verification available options to sign in to your Google account depending on your convenience.

Section 5: Setting up your phone as a Security Key.

We now look at adding the Security key as our 2-step verification option by clicking on the ">" icon and following the prompt.

As mentioned, we can either add a physical key or use our phone's built-in key. We shall look at both options, but we start by using our phone's (the same device we added our Google account to receive the prompt) built-in key.

The phone is now added as a Security Key adding more security to the Google Account. Since the Security Key is considered a more secure option, it now becomes the default 2-step verification sign-in option.

There is just one more thing to do and that is to add a physical security key. Physical keys can come in NFC or Bluetooth variants and the steps to add the keys to the account should be similar.

Section 6: Setting up NFC/BlueTooth physical Security Keys.

To start the process of adding the physical security key to the account, we go back to the Security key section and click on the + Add Security key button and follow the prompt.