If you have a Google account – for Gmail, Google Calendar, YouTube – any of the many, many Google services – you may already have 2 step authentication, or 2 factor authentication, activated and use the Google Authenticator app for it.

However, you can also use that app to protect your own website.

Why use 2 factor authentication?

When you log into a website you have your username and your password, but if that information fell into the wrong hands, you don’t want someone to be able to log into your account(s) online… even worse if the (s) in that sentence is true and you use the same password for multiple websites online (tut tut).

By using 2 step authentication, also known as 2 factor authentication or 2FA, the hackers would need to know your password AND get their hands on your phone or device. And yes, that’s possible, but harder for the bad guys.

What is Google Authenticator and how do I use it?

Google Authenticator, and other apps like it such as Authy, act a bit like the little “calculator” you may have from your bank in the UK. When required, it gives you a pass code you enter in the website. With bank calculators you generally need to insert your debit card and then type your PIN into the calculator device (it’s not actually a calculator, but you know what I mean – it looks like a mini one!) and it shows you a code to enter into the bank website whilst you’re logging in.

With Google Authenticator, once you’re set up with it, you log into your website and your site will ask you to enter a code. You then open the Google Authenticator app on your phone and just enter the code you see there – easy peasy. Unlike with the bank “calculators” you don’t need to type anything in on your phone.

The code shown on the Authenticator app has a little countdown circle next to it showing how long the code works for. After about 20 seconds, the little circle has almost disappeared and the code on your screen goes red, meaning that if you haven’t entered it into the website and clicked the button on the site to confirm yet, then the code is about to expire and you might want to wait for the next one. Once the code has expired, a new one will just appear on your screen in the Google Authenticator app.

Google Authenticator

How do I set up Google Authenticator for my website?

We’ve recently done it on a Laravel site and are about to do it on a CodeIgniter one – if you’ve got a site like that you’ll need to speak to your developer. However, if you use WordPress there are a couple of plugins out there, such as this one, which also work with Authy.

Once it’s set up, the first time you log into admin you’ll see a QR code. Simply open the Authenticator app, click on the + icon and select “Scan barcode”. Hold your phone towards the QR code as if you were taking a photo of it and the app will recognise the QR code. The new website will then appear in the list of codes on your app.

In the screenshot above there are rows of numbers – this represents the fact that that user has lots of different logins set up. If you’ve just got one website set up, you’ll only see one code – or one row – on your screen when you open the app.

If you are managing a few different logins, you can click on the pencil icon in the app and then click on the name of the account (in small letters under the big code) and change the name to something more memorable if required to help you know what it’s for. (Keep it a bit vague of course, for security!)

Why use an app rather than get a text message for 2FA?

2FA – or multi-factor authentication (MFA) – can be done with text messages to send you the code, but text messages generally – especially in the UK – have a cost per use associated. Meanwhile apps like Google Authenticator are completely free to use; you’ll just incur the cost of a developer setting it up for you. There’s also the advantage that the apps have the code immediately ready when you open them – you don’t need to wait for the text message to arrive, which occasionally can be delayed.

If you’re not using 2FA on your website yet – even if it’s just for admins rather than all your users – it’s definitely worth considering so as to add a further layer of security to your business.