Two-factor authentication (2FA) is a simple way to effectively double your security on any given online account. Google has offered 2FA for a while now, but the process has always been a bit cumbersome: try to sign in, get a text message on your phone and enter a code. But Google has now updated the 2FA process so that it involves just one tap of a button, which means there's really no reason to hold off any longer if you don't already have it.
Google detailed its new 2FA mechanism in an Apps Updates blog post earlier this week. The process is absurdly simple: Visit the My Account page on Google, and click on "Signing in to Google." From there, select "2-step verification" and enter your password.
If you already have two-factor authentication set up with your phone, just add "Google prompt" as an alternate method. If not, go through the whole process from scratch; an unusually slow typist could complete it in about 30 seconds. (However, Google Prompt will not work if you have a Security Key — i.e., a USB device such as a Yubico key — enabled as a 2FA method.)
Under Google's traditional 2FA program, users would try to sign in to a Google account from a new device, receive a verification code via text message and enter said code on their computers. The new process is much more streamlined. When you try to log in on a new device, a prompt screen will appear on your phone, asking whether you want to allow access.
In other words, if you're trying to log into your Google account from a new machine, click "yes" and you’re done. If the message comes out of the blue, click "no" and change your password ASAP, as someone may be trying to gain unauthorized access to your account.
That's it. The whole process is really that simple, and you can wave goodbye to tedious code-typing.
The Tom's Guide staff racked our brains to determine whether this could be less secure than the traditional texting verification, and couldn't find anything that immediately stands out to us. It's a little less foolproof than a verification code, since a user could accidentally click "Yes," but even that's a bit of a reach.
Even a flaw in the new 2FA doesn't do much to compromise its security. While the Google Prompt setup process implies that you should have a lock screen enabled on your phone to make Google Prompt work, we found in our tests that the 2FA will come through even with a lock disabled. This is a security risk, but only because having an unlocked screen in and of itself is a risk. A phone thief would be able to access your texts just as easily as a prompt screen.
Our only quibble is that Google doesn't let you rank 2FA methods according to your preferences. If you enable Google Prompt, it will be the primary method, and the Google Authenticator app and the text-message notification will come afterward, in that order.
If you don't use 2FA yet, it's generally a good idea to set it up, whether you want to use it or not. A stolen Google password could get so much worse if a cybercriminal beats you to the Google Account page, sets up 2FA himself or herself, and locks you out of your account.