If your online life revolves around Gmail, Chrome, and other Google software and services, your Google account is one of your most precious online resources. That’s especially true if you use the Gmail address associated with that account as your primary email address.
An online criminal who gets hold of those credentials can cause chaos and do catastrophic damage to your online life, which is why it’s important to protect your Google account from being compromised.
Also: Best VPNs • Best security keys
In this post, I list seven steps you can take to help you lock that account down so it’s safe from online attacks. If this sounds familiar, it’s a mirror of the recommendations I published earlier for Microsoft accounts: “How to lock down your Microsoft account and keep it safe from outside attackers.” Although there are similarities between the two companies’ security tools, there are also some important differences.
As with all things security-related, making your online assets safer from outside attack involves trade-offs with convenience. To help with that balancing act between convenience and security, I’ve divided the steps into three groups, based on how tightly you want to lock down your Google account.
(And please note that the steps described in this article are about personal accounts associated with free Gmail addresses. Google’s paid business services, including Google Workspace, are managed by domain administrators. Although some user configuration steps are the same, administrators can set policies that affect security settings. If your Gmail account is provided by your employer, check with them about best practices for securing that account.)
Baseline security
This level is sufficient for most ordinary PC users, especially those who don’t use their Gmail address as a primary factor for signing in to other sites. If you’re helping a friend or relative who’s technically unsophisticated and intimidated by passwords, this is a good option.
At a minimum, you should create a strong password for your Google account. That password should be one that’s not used by any other account.
In addition, you should turn on 2-step verification (Google’s term for multi-factor authentication) to protect yourself from phishing and other forms of password theft. When that feature is enabled, you have to supply an additional proof of your identity when you sign in for the first time on a new device or when you perform a high-risk activity, such as paying for an online purchase. The additional verification typically consists of a code sent as an SMS text message to a trusted device or a prompt sent to a smartphone.
Also: Better than the best password: How to use 2FA to improve your security
Better security
Those baseline precautions are adequate, but you can tighten security significantly with a couple extra steps.
First, set up your smartphone as an authentication factor, using an app such as Google Authenticator. You can also sign in on a smartphone using your Google account, which automatically enables it to receive prompts for use as a sign-in and verification option. Then remove the option for using SMS text messages to verify your identity.
With that configuration, you can still use your mobile phone as an authentication factor, but a would-be attacker won’t be able to intercept text messages or spoof your phone number.
Also: Microsoft urges users to stop using phone-based multi-factor authentication
Maximum security
For the most extreme security, add at least one physical hardware key along with the Google Authenticator app and, optionally, remove personal email addresses as a backup verification factor. That configuration places significant roadblocks in the way of even the most determined attacker.
This configuration requires an extra investment in hardware and it definitely adds some friction to the sign-in process, but it’s by far the most effective way to secure your Google account.
Also: Best security keys in 2020: Hardware-based two-factor authentication
STEP 1: CREATE A NEW, STRONG PASSWORD
First things first: You need a strong, unique password for your Google account. The best way to ensure that you’ve nailed this requirement is to use your password manager’s tools to generate a brand-new password.
(No password manager? Try an online option like the 1Password Strong Password Generator or the LastPass Password Generator Tool.)
Generating a new password ensures that your account credentials are not shared with any other account; it also guarantees that an older password that you might have inadvertently reused isn’t part of a password breach.
To change your password, go to the Google Account Security page at https://myaccount.google.com/security. Sign in, if necessary, then click Password (under the Signing In To Google heading) and follow the prompts to change your password.
Also: The best password managers for business: 1Password, Keeper, LastPass, and more
Follow the instructions to save the new password using your password manager. Feel free to write it down, if you prefer a physical backup. Just make sure to store the paper in a secure location, such as a locked file drawer or a safe.
STEP 2: TURN ON TWO-STEP VERIFICATION
Don’t leave the Google Account Security page just yet. Instead, scroll up to the Two-Step Verification section and make sure this option is turned on. Use the default option to receive codes via text message on a mobile phone you personally own. (You can set up other, more advanced forms of verification as well, but we’ll get to those later.)
The setup process is a fairly straightforward wizard that confirms you are able to receive verification messages. After it’s complete, stay on that page for the next step.
STEP 3: PRINT OUT RECOVERY CODES
Next step is to save a set of recovery codes. Having access to one of these codes will allow you to sign in to your account if you’ve forgotten the password or if you’ve lost your phone. Without this backup, you risk being permanently locked out.
On the Google Account Security page, find the Backup Codes option and click Set Up. That opens a pop-up dialog box like the one shown here, containing 10 codes that you can use when you’re prompted for a second verification factor. Print out that page and file it away in the same locked file cabinet or safe where you put your password.
Note that you can return to this page at any time to see your list of backup codes and print a fresh copy. Codes can only be used one time, and will be indicated as “Already used” if you reprint the list. Generating a new batch of codes renders the old batch invalid.
And now for some more advanced security options.
STEP 4: ADD A RECOVERY EMAIL ADDRESS
Registering a recovery email address is an important security precaution. In the event that Google detects suspicious activity on your account, you’ll receive a notification at this address.
Having a recovery email is also helpful if you forget your password. When two-step verification is enabled, resetting your password requires at least two forms of verification, such as a printed backup code and a code from an email message sent to a registered email account. You’ll need to supply both of those forms of identification or you risk being permanently locked out.
Go back to the Google Account Security page and click Recovery Email (under the Ways We Can Verify It’s You heading). Enter or change the recovery email address. You’ll receive a notification at that address to confirm that it’s available for recovery,
Which address should you use here? A free backup email address, such as a Microsoft Outlook.com account, is acceptable if your security needs are minimal. A better option is a business email address, which is under the control of an administrator and is more difficult to hack into than a personal account.
Also: Best email hosting services in 2020: G Suite, Microsoft 365, and more options
STEP 5: SET UP YOUR SMARTPHONE AS AN AUTHENTICATOR
When you register your smartphone as a trusted device, Google gives you two ways to use it for authentication purposes.
If you use an Android device that’s signed in using your Google account, you can sign in to any Google service by responding to prompts from Google. This option doesn’t require any extra setup.
On an iPhone or iPad, you need to download the Google or Gmail app, sign in with your Google account, and turn on push notifications. (Full instructions are on this Google Support page: “Sign in with Google prompts.”)
In addition, you can use Google Authenticator or another smartphone app that generates Time-based One-time Password Algorithm (TOTP) codes for multi-factor authentication. I highly recommend using one of these apps for any service that supports them. (For more on these options, see “Protect yourself: How to choose the right two-factor authenticator app.”)
To set up Google Authenticator (or another authenticator app) for use with a Google account, go to the Google Account 2-Step Verification page. Under the Authenticator App heading, click Set Up. (If you’re replacing your phone, click Change Phone). Install the app, if necessary, and then follow the prompts to add your account using the bar code that the authenticator app displays.
STEP 6: REMOVE SMS TEXT MESSAGES AS A FORM OF VERIFICATION
By this point, you should have more than enough secure ways to authenticate yourself and verify your identity. That means it’s time to remove the weakest link in the chain: SMS text messages.
What makes SMS text messages so problematic from a security point of view is the reality that an attacker can hijack your mobile account. It happened to my ZDNet colleague Matthew Miller a few years ago, and I wouldn’t wish that nightmare on anyone. (For details and some additional security advice, see “Protect your online identity now: Fight hackers with these 5 security safeguards.”)
Before you change this setting, confirm that you have at least two alternative forms of verification (a secure email address and the Google Authenticator app, for example) and that you’ve saved backup codes for the account. Then, from the Google Account 2-Step Verification page, go to the Voice Or Text Message section. There, you’ll find entries for each of the phone numbers registered as 2FA factors for your account.
Click the pencil icon to the right of a number to open its properties and click Remove Phone to eliminate its entry. Repeat for other numbers you want to remove.
STEP 7: USE A HARDWARE SECURITY KEY FOR AUTHENTICATION
This step is the most advanced of all. It requires an investment in extra hardware, but the requirement to insert a device into a USB port or make a connection via Bluetooth or NFC adds the highest level of security.
For an overview of how this type of hardware works, see “YubiKey hands-on: Hardware-based 2FA is more secure, but watch out for these gotchas.”
To configure a hardware key, go to the Google Account 2-Step Verification page, click Add Security Key, and then follow the prompts.
You’ll need to enter the PIN for your hardware key, then touch to activate it. When that setup is complete, you’ve got a powerful way to sign in to any service powered by your Google account without having to fuss with passwords.
As I mentioned at the start of this article, most people don’t need this level of advanced protection. But if your Google Drive account includes valuable documents like tax returns and bank statements, you’ll want to lock it down as tightly as possible.