2018 alone has seen billions of accounts hacked across a wide range of applications and services, proving once more that even the biggest Internet players can’s always keep users’ accounts under lock and key.
Hackers are increasingly apt at flying under the radar, making life hard for everyone in their crosshairs. While big companies have regulations like GDPR to fear, end users are finding it increasingly necessary to arm themselves with good password hygiene and best practices.
Some vendors are more diligent than others, security-wise, but most give users plenty of options to deploy additional security layers, like two-factor authentication (2FA), recovery email, or printed security codes. As the biggest aggregator of user-generated data on the web, Google offers a wide range of security layers that users can opt in and out of, depending on their privacy needs, security awareness, or convenience. This guide offers a comprehensive look at these out-of-view options that every user should be aware of, and use to their advantage.
1. Security Checkup
Your first step towards deadbolting your Google account across your entire fleet of devices is to visit the web giant’s Security module at: https://myaccount.google.com/security, then click on Get Started. This takes you to the Security Checkup sub-menu, which offers quick access to key options that help keep your account secure.
Depending on your current settings, your Google Security Checkup pane will look something like the screenshot above. Regardless of your current configuration, these actions should apply to everyone.
2. Manage Your Devices
In this section, Google displays the devices you own that are currently linked to your Google account with admin permissions. The three-dotted button to the right of every listed device lets you remove any gadgets that you no longer use with your account.
If you choose “don’t recognize this device,” Google immediately recommends you change your password, as your credentials might have been compromised. This doesn’t necessarily mean someone hacked Google and stole your password. In fact, hackers typically buy stolen credentials leaked in other (high-profile) breaches, then use techniques like credential stuffing to try to compromise the victim’s entire online presence, whether it be Google, Facebook, Twitter, Instagram, LinkedIn, their bank account, or anything in between.
In the main Security module, Google also lets you find a lost or stolen phone.
3. Recent Security Events
Bought a new phone? Logged in with your Google account on a company-issued laptop? Google will keep track of these “events” in this special section, allowing you to stay on top of your activity across devices, and flag any unrecognized events in case something goes awry. Choosing to generate backup codes (more on that below) will also be registered as an event, as the image above shows.
4. Two-Step Verification
Also known as Two-Factor Authentication (2FA) or Multi-Factor Authentication, this must-have setting should be enabled on every service that offers it, not just your Google account. In fact, two-step verification has become a rule of thumb in recent years. If hackers manage to dupe you with a well-crafted phishing email, this setting becomes a life-saver: without your second-trusted device to receive that one-time passcode, hackers can’t break in. If Two-Step Verification is off, consider turning it on sooner rather than later.
Google offers additional “factors” of authentication if you follow the link included in the prompt. These include setting up a Google Prompt (a ‘yes-or-no’ prompt, rather than a code to enter), voice or text message authentication, and even unique backup codes that you can download or print out to use as authentication tokens anywhere you go.
The 2-Factor Verification module also offers a quick way to instantly revoke trusted status from your devices that skip 2-Step Verification.
5. Authenticator app
Google offers even more convenience via a handy Authenticator app that you can grab on the App Store (iOS) or Google Play Store (Android). Just pick your platform, get the app on your handset, set up your account in the app and scan the QR code that Google provides. It’s not necessarily more convenient than entering your password, since Authenticator involves entering a verification code. But it’s still a useful option. The best thing about it is you can get verification codes for every service that supports TOTP (time-based one-time password). Also, it doesn’t require a network or cellular connection. In case 2FA fails because your reception is bad, Authenticator comes to the rescue!
6.(Physical) Security key
Google advertises its Titan Security Keys as “phishing-resistant two-factor authentication (2FA) devices that help protect high-value users such as IT admins.” Using such a key may sound like overkill for the average Joe, but this convenient USB dongle completely eliminates the need to punch in one-times codes or passwords. It’s also useful for journalists investigating sensitive matters, activists, business leaders, and political campaign teams.
7. Third-Party Access
In the Security Checkup module, Third Party Access lists external (non-Google) apps and services tied to your Google account. It is advisable to remove any apps and services that you no longer use or want associated with your Google account. To learn more about any of the items, click the “i” button to see what data they collect and how.
In the main Security panel, down below, is a section called “Signing in to other sites,” which lists all the services, including websites, that authenticate you via Google. Keep only the sites and services you use actively. Any site or service you no longer want connected to your Google account should disappear from that list. If one of them gets breached, your password could be compromised.
And in the Saved Passwords module, you can see (and delete) all the login credentials you’ve used with third-party sites and services.
8. Set a recovery phone and / or email
You want at least one other way Google can reach you in case something suspicious happens to your account, or you accidentally get locked out. That’s why you can set a recovery phone, a recovery email, or both. You can do this in the main Security pane. Select your option and follow the on-screen instructions to set them.
9. Refresh your password
Considering the frequency with which data breaches are reported and customer credentials are compromised, it’s a very good idea to give your password a good refresh once in a while.
Google is one of the few services that tells you how old your password is. In the main Security pane, you’ll find a section called “Signing in to Google.” There, you can change your password and 2-step verification settings. You’ll need to use at least eight characters, and it’s a good idea to use both uppercase and lowercase letters, numbers and even special characters (@#$&%).
The “App Passwords” section lets you set passwords you can use to sign in to your Google account from apps on devices that don’t support 2-Step Verification. You’ll only need to enter it once so you don’t need to remember it.
10. Download a copy of your (Google-collected) data for review
Many of us have been using Google most of our lives. Considering how many services it commands and how embedded Google is in everyday life, we can only imagine how much data the tech giant holds on every one of us. While much of this data is collected justifiably, so that we can enjoy reliable services like Maps, it’s still a good idea to review the data and maybe tweak those privacy nobs a bit.
You can export a copy of your data here. Just select or deselect the services you want or don’t want to be included in the archive and click “Next” at the bottom of the page. Google will begin work on your archive which, according to the search giant, can take hours or even days to complete. An email will then be sent to you with a link to download said archive.
That’s about it! Feel free to browse around your account’s security and privacy modules to configure the best settings that work for you. Stay safe out there!