How to set up Two-Step Login on Google and other websites

By Jay Kannaiyan

Two-Step Login, which goes by many different names, is a highly recommended security practice for protecting access to websites and applications. Other names for this practice are Two-Factor Authentication (2FA), 2-Step Verification (Google's term), and Multi-Factor Authentication (MFA). We'll use 2FA for the rest of this guide.

The main premise behind 2FA is that after you enter your password (the first step, method, factor, or piece of evidence proving your identity), you will be prompted for a second factor: a token generated by an Authenticator app, a hardware security key (like a YubiKey), or a code sent via SMS (text message) to your phone. These days SMS is considered the weakest delivery method for the 2FA token: an attacker can take over your phone number through a SIM-swap at your carrier or intercept messages in transit, and a phished SMS code can be relayed to the real site just like a phished password. Most banks still use SMS as the 2FA token delivery method, and hopefully they will upgrade their security practice soon.

Your Secrets password manager has a built-in Authenticator app that you can use with any website that supports Authenticator apps as a 2FA method. Not all websites support Authenticator apps, but if they do, then you should make use of the Authenticator app in your Secrets password manager.

This article will guide you in setting up Secrets as your Authenticator 2FA method for your Google account and Paypal account. After this, you should be able to set up Secrets as your Authenticator app for other websites, such as social media sites, financial sites, etc.

Enabling 2FA on your accounts at Google, Paypal and others will require you to complete a secondary step (entering the 2FA token generated in Secrets) each time you log in, in addition to your primary login method, which is your account password. When setting up 2FA on your various accounts, remember that it is best practice to set up more than one 2FA method in case you lose access to one of them. You'll see that Google offers several 2FA methods that you can set up, but Paypal only offers an Authenticator app or a Hardware Security Key. A hardware key is the strongest of these methods because it is resistant to phishing; it is also a more advanced setup that we will cover in a future article.

Guide to setting up 2FA on Google & Paypal:

Step 1: Sign in to your Google Account

If you're already signed in to your Google account, like via Gmail, then click on your profile icon on the upper right and select Manage your Google Account. Otherwise, follow this link to directly navigate to your Google account management, where we will set up the 2FA methods.

Setting up 2FA in Secrets is easiest via the Bitwarden Browser Extension app or the Desktop app, because you can paste the secret key directly instead of scanning a QR code.

Step 2: Set up 2FA on your Google account

From the Google Account page, select Security on the left sidebar and then select 2-Step Verification under "How you sign in to Google".

From the page that pops up, select Get started.

Google first requires you to add a phone number as the default 2FA method before any other method can be enabled, so go ahead and do that. Enter your phone number and then enter the 6-digit passcode that Google sends to your phone.

If it all looks good, select Turn on.

And then you'll be back on the Security page and you can confirm that you have the default 2FA method set up. Next, we will set up Authenticator app as a 2FA method.

At the bottom of the 2FA section, select the button that says Authenticator.

You can also navigate to the Authenticator app settings page by clicking once again on the right arrow at 2-Step Verification and then selecting Authenticator app.

From the Authenticator app page, select Set up authenticator.

The page will initially only show you a QR code that you can scan with your Secrets mobile app but it's easier to do this with the Browser Extension app. Select Can't scan it?.

Now you'll be presented with the secret key that we will save in our Secrets login entry for this Google account. Copy the string of letters and numbers shown in Step 2. Treat this key like a password: anyone who obtains it can generate your 2FA codes for as long as it remains active.

Open your Bitwarden Browser Extension App, select the login entry for this Google Account, click on Edit, and then in the input box below Password labeled Authenticator key (TOTP), paste the string of letters and numbers. This is the shared secret that Secrets will use to generate one-time passcodes (OTPs) matching the ones your Google account expects when it prompts you for the 2FA token; spaces in the key and upper/lower case do not matter, as Bitwarden normalizes the key before using it.

After clicking Save, you'll see that the Verification code field starts displaying a 6-digit 2FA token (or one-time passcode) that refreshes every 30 seconds. Copy this code and paste it in the Google account pop-up view for setting up your authenticator app and click Verify.

If it all looks good, you'll now see that you have set up Authenticator as a 2FA method for your Google account.

Click the back arrow to come back to the 2-Step Verification page, which should now show you that the more-secure Authenticator app has been selected by Google as your default 2FA method with your phone being a backup 2FA method. We should set up one more backup 2FA method, which is generating and saving 2FA backup codes. Click on Backup codes.

Select Get backup codes.

And now you'll be presented with 10 one-time use 2FA backup codes. Combined with your password, any one of these codes gives full access to your account, so guard them just as you would a password. We recommend saving these backup codes in your Secrets login entry for this Google account and logging in to your Secrets account from more than one device to avoid locking yourself out. Keep in mind that once your password, your authenticator key and your backup codes all live in the same vault, access to your Google account is only as strong as access to that vault, so protect the vault with a long master password and its own 2FA. For an independent fallback, you could also print the backup codes and put them in a bank safety deposit box.

Back on the 2-Step Verification page you'll see that you have the Authenticator app set up as your default 2FA method, with your phone number as your first backup and the 2FA backup codes as a secondary backup. This is a robust 2FA setup: with multiple methods enrolled on this one account it is very unlikely that you would be locked out, and a bad actor who only knows your password can no longer sign in.

Let's see what a login flow would look like now that you have 2FA set up on your Google account. Sign out or logout of your Google account and then sign in again.

Enter your Google account password.

Then you will be prompted to enter a verification code from your authenticator app, referring to the login entry in Secrets for this Google account.

In the Bitwarden Browser Extension App, search for your login entry for this Google account and click on the clock icon on the far right to copy the verification code (OTP) to your clipboard. If you're curious why a clock icon is shown for this 2FA token, it's because the token is a Time-based One-Time Passcode (TOTP): it is derived from the secret key and the current time, and changes every 30 seconds.

Alternatively, click on the view icon of this login entry and then, on the Verification code line, click the copy icon on the far right to copy the verification code to your clipboard. It's ok if the timer reaches zero before you paste the code: Google, like most services, still accepts the code from the previous 30-second window, so you have a short grace period before you'll need a refreshed one.
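To show what Secrets actually does with the key you pasted in the Authenticator key (TOTP) field, here is an added example (not code from the article, from Bitwarden or from Google) that implements the standard TOTP algorithm (RFC 6238, built on HOTP from RFC 4226) that Google and Paypal use: normalize the key exactly as it appears under "Can't scan it?", derive a 6-digit code from the key and the current 30-second window, and verify a code while tolerating the previous and next window, which is why a code still works for a few seconds after the timer hits zero. The sample key is the RFC test secret, not a real account key; the function names are this example's own.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890") written the way
# Google shows keys under "Can't scan it?": lowercase, grouped in blocks of four.
# Constructed sample input for this example; never paste a real key into a script.
SAMPLE_KEY_AS_SHOWN = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"


def normalize_secret(key_as_shown: str) -> bytes:
    """Turn the displayed key into raw bytes: drop spaces/dashes, upper-case, restore padding."""
    cleaned = "".join(key_as_shown.split()).replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # Base32 input must be a multiple of 8 chars
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the counter is the number of whole 30-second steps since the Unix epoch."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits)


def seconds_remaining(at: Optional[int] = None, step: int = 30) -> int:
    """The countdown next to the clock icon: seconds left in the current window."""
    if at is None:
        at = int(time.time())
    return step - (at % step)


def verify_totp(secret: bytes, candidate: str, at: Optional[int] = None,
                step: int = 30, skew: int = 1) -> bool:
    """Server-side check: accept the current window plus `skew` windows either side,
    comparing in constant time so timing does not leak how many digits matched."""
    if not (candidate.isdigit() and len(candidate) == 6):
        return False
    if at is None:
        at = int(time.time())
    counter = at // step
    return any(
        hmac.compare_digest(hotp(secret, counter + delta), candidate)
        for delta in range(-skew, skew + 1)
    )


if __name__ == "__main__":
    secret = normalize_secret(SAMPLE_KEY_AS_SHOWN)
    print("current code:", totp(secret), "expires in", seconds_remaining(), "s")
    # A code from the window that just ended is still accepted (skew=1) ...
    assert verify_totp(secret, totp(secret, at=59), at=60)
    # ... but one from two windows ago is rejected.
    assert not verify_totp(secret, totp(secret, at=59), at=120)
```

Because the code depends only on the shared secret and the clock, the same key pasted into Bitwarden on two devices yields the same codes, and a device whose clock drifts by more than one window will produce codes the server rejects.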

On the Google login view, paste the Verification code and click Next.

That's it! You've set up Secrets as your Authenticator app for your Google account and now your Google account is better secured from bad actors.

Step 3: Set up 2FA on your Paypal account

Along with securing your Google account with 2FA, you should also enable 2FA on your financial accounts, on any other accounts that are important to you, and on any website that offers it as an option. As an example, here are the steps to set up 2FA on your Paypal account.

Log in to your Paypal account, click the settings icon on the upper right, then select Security, and then click on Set up to the right of 2-step verification.

Choose Use an authenticator app.

Below the QR code, copy the secret key string of letters and numbers.

In your Bitwarden Browser Extension App, find your Paypal login entry, click on Edit and in the Authenticator key (TOTP) field, paste the secret key and click Save. Now copy the 6-digit verification code from the Bitwarden app.

And paste it in the Paypal prompt and click Confirm.

If it all looks good, you'll see that 2-step verification is now turned on in your Paypal account. Paypal currently doesn't offer 2FA backup codes as a backup method and only offers a hardware security key as a secondary 2FA method, so keep your Secrets vault reachable from more than one device. We'll cover hardware security keys in a future article.

There you have it! You have now secured your Google account and Paypal account with two-factor authentication.

If you need further help setting up 2FA on websites, please don't hesitate to reach out and contact us.