Gmail has more than one billion users, and there's a very good chance that you're among them. With Google Photos, Google Drive, Google Docs and a myriad of other productivity services, Google's popularity and reach are nearly unparalleled, particularly if you also use the company's Android operating system on your mobile device.
With all that information tied to your Google account, are you really going to rely on just a single password to protect it?
Thankfully, you don't have to. Google offers two-factor authentication (2FA), also known as two-step verification, which is available in a lot of configurations and is trivially easy to set up.
As of 2018, only about 10 percent of Google users used 2FA, which is too bad, as it's a nearly foolproof system to keep your data safe from all but the most dedicated attackers.
MORE: Best Password Managers
Two-factor authentication is much less inconvenient than you might think. You need to use it only once on each device and web browser you use. After that, the device or browser will be "trusted" as yours, and you will need only your Google password to sign in.
Detractors often claim that even the few extra seconds to input an extra code is too much of a hassle, and since their passwords are strong, why should it matter?
But two words should give you pause: data breach. Big companies don't always play nicely with your username, password or phone number, and if you don't set up 2FA on your Google account, some cybercriminal could come into possession of your Google password if you've used it for another account. (You should really use unique passwords for each account, and a password manager to keep them straight.)
If you think wresting control of a Gmail account from a cybercriminal sounds like a pain, imagine doing so when he or she can lock you out of your own e-mail.
Here's how to activate Google 2FA and foil would-be cybercriminals in their tracks.
How to set up Google 2FA
First things first: Visit the Google 2-Step Verification website and have your smartphone/tablet handy. Click "Get Started" in the upper-right corner and follow the prompts. You'll have to verify your password at least once along the way.
After inputting your password, you'll be presented with three choices for 2FA: Google Prompts, a physical key or a text message/phone call.
To select Google Prompts, click "Try It Now." To select one of the two other options, click (hang onto your hats here) "Use a Different Option."
No matter which method you choose, Google will encourage you to add a backup option after that, so you'll probably have to go through a few different procedures.
Google Prompts is the newest option. It gives you an approval screen on your phone whenever you try to sign into your Google account on a new device.
Click "Try It Now," and then tap "yes" or "no" on the screen that pops up. Obviously, you should tap "yes" if it's you, and "no" if you believe it's someone else.
Android phones should be able to use Google Prompts automatically if they already have the latest version of Google Play installed. (This may not work on "Google-free" Android devices such as Amazon Fire tablets.)
Apple iPhones and iPads will need either the Google app or the Gmail app. You may need to go into Settings to allow either app to receive push notifications.
A physical security key is a device that you need to either plug into your computer's USB port, or which has a button that you tap in the proximity of your smartphone. (Some security keys can do both.) The security key then communicates an encrypted handshake to Google's servers that the servers need before allowing you to log in.
Physical keys may be a little arcane for everyday users, but for government officials, journalists and big business mavens, it's a much smarter idea than relying on a losable, hackable smartphone or tablet. (Google makes its own keys, but you can get devices from other manufacturers or even make one yourself.)
To set up your security key, simply click "Add Security Key" on the Google 2FA page and follow the instructions.
Text messages and phone calls
Google will transmit a one-time six-digit code to you, either via a text message sent to your mobile phone, or via a phone call that reads out the code.
This is the least secure of the three options. It's not that difficult for an attacker to gain access to an old phone number, to intercept a text message in transit, to add call forwarding to your existing number, or even to steal your existing number by duping your wireless carrier.
But using one-time codes communicated over phone lines is still a far sight better than no 2FA at all, and you could use a flip phone or a land line if smartphones aren't your scene.
To set up texted or called code, select that option, and Google will get that code to you. Type it into the web browser, and you're good to go.
Backup verification methods
After you've set up one form of two-factor authentication, Google will want you to set up a backup.
You can choose any of the three above options that you haven't already selected. But Google offers a couple of other methods that you can use when your smartphone can't receive calls or texts or can't connect to the internet (such as when traveling abroad).
Google Authenticator app
The Google Authenticator app, available for both Android and iOS, generates a temporary six-digit code that you can type into the 2FA screen in place of a texted code.
Many other online services, including Facebook, Amazon and Dropbox, allow you to set up Google Authenticator (or similar apps from other services) as your primary 2FA method. It's more secure than a phoned or texted code.
Google also lets you generate a set of about a dozen backup codes that you can download to your computer or print out for later use.