Your Google account is the master key to your digital life. It controls your Gmail, Google Drive, YouTube, Google Photos, and potentially your Android phone’s full backup. A compromised Google account gives an attacker access to years of email history, password reset links for other services, and personal documents you may have forgotten you stored. Enabling two-factor authentication on Google is one of the highest-impact security steps you can take.
Google has been steadily pushing users toward 2-Step Verification since 2021, and most accounts now require it. But “requiring” 2FA and “configuring it well” are two different things. Many users accepted the default Google Prompts setup without understanding the alternatives. This guide walks through every 2FA option Google offers and helps you choose the right one.
2FA Options Available on Google
Google provides four methods for 2-Step Verification, each with different security and convenience trade-offs:
Google Prompts are the default method for most users. When you sign in on a new device, Google sends a push notification to your phone asking “Are you trying to sign in?” You tap “Yes” or “No.” This is convenient but requires an active internet connection on your phone and keeps you within Google’s ecosystem.
Authenticator app (TOTP) generates time-based one-time passwords using any compatible app. This is the most portable option because it works with any TOTP-compatible app or password manager, not just Google Authenticator. The codes are generated offline and are not tied to any specific vendor.
Security keys are physical hardware devices (like YubiKey or Google Titan) that provide the strongest phishing resistance. The key’s response is cryptographically bound to the website origin it was registered with, so a login completed on a look-alike phishing site produces nothing an attacker can replay against the real Google, which is what makes it immune to even sophisticated phishing attacks. For details on how hardware keys compare to TOTP, see our guide on hardware keys vs. TOTP.
Backup codes are a set of one-time-use codes generated by Google that you print or save. They serve as a fallback when your primary 2FA method is unavailable. These are not a primary 2FA method but an essential safety net.
Step-by-Step Setup on the Web
Setting up TOTP-based 2FA on your Google account through a browser is straightforward:
- Open your browser and go to myaccount.google.com. Sign in if prompted.
- Click Security in the left navigation sidebar.
- Scroll down to the section labeled “How you sign in to Google.”
- Click 2-Step Verification. If 2FA is already enabled with Google Prompts, you will see the current settings. If it is not enabled, click Get started.
- Google may ask you to re-enter your password to confirm your identity.
- If you are setting up for the first time, Google may first require you to add a phone number for SMS verification as a baseline. Complete this step to proceed.
- Once past the initial setup, look for the Authenticator app section and click Set up authenticator (or Add authenticator app if you already have another method enabled).
- Google displays a QR code on screen. Open your authenticator app or password manager and scan this QR code. If you cannot scan, click “Can’t scan it?” to reveal the secret key as text, which you can enter manually.
- Your authenticator app will begin generating six-digit codes. Enter the current code in the verification field and click Verify.
- Google confirms that the authenticator app is now linked to your account.
- Navigate to the Backup codes section and click Generate or Show codes. Google will display ten single-use codes. Save all of them immediately in your password manager or another secure location. These codes are your emergency access if you lose your authenticator device.
After setup, consider removing SMS as a fallback method if you have both TOTP and backup codes configured. SMS is the weakest link in your 2FA chain due to SIM swapping vulnerabilities.
Step-by-Step Setup on the Mobile App
You can also configure 2FA directly from the Google app or your phone’s settings:
On Android
- Open Settings on your Android device.
- Tap Google (or your Google account at the top of Settings).
- Tap Manage your Google Account.
- Tap the Security tab.
- Under “How you sign in to Google,” tap 2-Step Verification.
- Tap Get started and verify your identity with your password.
- After any required phone verification, tap Authenticator app and then Set up.
- Choose your phone type and tap Next.
- Scan the QR code with your authenticator app, or tap Can’t scan it? for the manual entry key.
- Enter the six-digit verification code from your authenticator and tap Verify.
- Go back to the 2-Step Verification settings and generate your backup codes.
On iPhone or iPad
- Open the Google app or Gmail app.
- Tap your profile picture in the top right, then tap Google Account (or Manage your Google Account).
- Tap the Security tab.
- Under “How you sign in to Google,” tap 2-Step Verification.
- Follow the same flow: verify your identity, add an authenticator app, scan the QR code, enter the verification code, and save your backup codes.
Why TOTP Is Better Than SMS
Google Prompts and SMS are convenient, but TOTP is the stronger choice for several reasons:
Portability. TOTP works with any compatible authenticator or password manager. You are not locked into Google’s ecosystem. If you switch phones, switch platforms, or want to use a desktop password manager, your TOTP secret travels with you.
No network dependency. TOTP codes are generated entirely offline using a shared secret and the current time. You do not need cellular service, Wi-Fi, or an internet connection. SMS requires cellular service, and Google Prompts require internet on your phone.
Resistance to interception. SMS messages can be intercepted through SIM swapping, SS7 network exploits, or social engineering of carrier support staff. TOTP secrets are stored locally in your authenticator and never transmitted over the network during code generation.
No phone number required. TOTP does not depend on a phone number, which means changing carriers or phone numbers does not affect your 2FA.
Google’s decision to make Prompts the default is understandable from a usability perspective – tapping “Yes” is easier than typing a six-digit code. But for users who want maximum control and portability, TOTP with a third-party authenticator or password manager is the better choice.
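To make the “shared secret and the current time” concrete, here is an added example (not code from Google or from this site) that parses the kind of otpauth:// URI a setup QR code encodes, decodes the base32 secret you would otherwise type in from “Can’t scan it?”, and derives the six-digit code exactly as an authenticator does per RFC 6238. The sample URI and the account label are constructed; the secret is the RFC 6238 reference test secret (the ASCII string 12345678901234567890 in base32), so the output can be checked against the RFC’s published vectors.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# RFC 6238 reference secret ("12345678901234567890" in base32), used here only
# so results can be cross-checked against the RFC's test vectors.
RFC6238_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

# Constructed sample: the shape of provisioning URI a TOTP setup QR code carries.
SAMPLE_URI = ("otpauth://totp/Google:alice%40example.com"
              "?secret=" + RFC6238_TEST_SECRET + "&issuer=Google")


def parse_otpauth_uri(uri):
    """Parse an otpauth://totp/ provisioning URI into its parts.

    Defaults follow the de facto otpauth format: SHA1, 6 digits, 30-second step.
    """
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    if "secret" not in params:
        raise ValueError("provisioning URI carries no secret")
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "secret": params["secret"],
        "issuer": params.get("issuer"),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
        "algorithm": params.get("algorithm", "SHA1").upper(),
    }


def decode_base32_secret(secret):
    """Decode the secret as it is shown for manual entry: base32, often grouped
    with spaces, sometimes lower case, and not always padded."""
    cleaned = secret.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def totp(secret, timestamp, digits=6, period=30, algorithm="SHA1"):
    """RFC 6238: HOTP over the number of `period`-second steps since the epoch.

    Nothing here touches the network; the only inputs are the secret and a clock.
    """
    counter = int(timestamp) // period
    key = decode_base32_secret(secret)
    digestmod = getattr(hashlib, algorithm.lower())
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret, submitted, timestamp, window=1, **kw):
    """Server-side check: accept the current step and `window` steps either
    side to tolerate clock drift, comparing in constant time."""
    period = kw.get("period", 30)
    for step in range(-window, window + 1):
        candidate = totp(secret, timestamp + step * period, **kw)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


if __name__ == "__main__":
    entry = parse_otpauth_uri(SAMPLE_URI)
    now = time.time()
    print(entry["issuer"], entry["label"],
          totp(entry["secret"], now, entry["digits"], entry["period"]))
```

Because the code depends only on the secret and the clock, two devices holding the same secret produce the same code independently, which is why a TOTP entry exported from one authenticator keeps working in another, and why a device whose clock has drifted by more than the server’s acceptance window starts failing.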
Saving Your Recovery Codes
Google generates ten backup codes, each usable exactly once. These codes are your emergency access when your primary 2FA method is unavailable – a lost phone, a broken authenticator, or a factory reset without transferring your secrets first.
Where to store recovery codes:
- In your password manager, in the notes field of your Google account entry. This is the most practical option for most people.
- In an encrypted document stored separately from your primary device.
- Printed on paper and kept in a secure physical location (a safe, a locked drawer).
What not to do with recovery codes:
- Do not store them in Google Drive or Gmail. If you cannot access your Google account, you cannot access Drive or Gmail either.
- Do not take a screenshot and leave it in your camera roll unencrypted.
- Do not skip saving them entirely. This is the most common mistake, and it leads to permanent account lockout.
After you use a backup code, it is consumed and cannot be reused. When you have used several codes, generate a new set. The old unused codes are invalidated when you generate new ones. For a deeper discussion of recovery code management, see our recovery codes guide.
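The single-use and regenerate-invalidates-old-set rules above are the service’s side of the bargain. As an added illustration (not Google’s implementation, which is not public), this sketch models one account’s backup-code store the way a service would keep it: only hashes are stored, a code is redeemed at most once, and generating a fresh set discards every unused code from the previous one. Code format, length and the alphabet are constructed for the example.

```python
import hashlib
import hmac
import secrets
import string

ALPHABET = string.digits + string.ascii_lowercase
CODE_LENGTH = 10   # constructed: ~51 bits of entropy per code


def normalize(code):
    """Accept what a user is likely to type: any case, with or without the hyphen."""
    return code.replace("-", "").replace(" ", "").lower()


def hash_code(code):
    # The codes are high-entropy random strings, so a plain SHA-256 is enough
    # to stop a leaked store from yielding usable codes; a password KDF is for
    # low-entropy, human-chosen secrets.
    return hashlib.sha256(normalize(code).encode()).hexdigest()


class BackupCodeStore:
    """Server-side model of one account's backup codes."""

    def __init__(self):
        self._hashes = set()
        self.generation = 0

    def regenerate(self, count=10):
        """Issue a new set; the plaintext is returned once and never stored."""
        codes = []
        for _ in range(count):
            raw = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LENGTH))
            codes.append(raw[:5] + "-" + raw[5:])    # hyphen for readability only
        self._hashes = {hash_code(c) for c in codes}  # old unused codes are gone
        self.generation += 1
        return codes

    def remaining(self):
        return len(self._hashes)

    def redeem(self, submitted):
        """Consume the matching code; False for unknown, already used, or stale codes."""
        digest = hash_code(submitted)
        for stored in list(self._hashes):
            if hmac.compare_digest(stored, digest):
                self._hashes.discard(stored)
                return True
        return False


if __name__ == "__main__":
    store = BackupCodeStore()
    codes = store.regenerate()
    print("issued:", codes)
    print("first use:", store.redeem(codes[0]), "second use:", store.redeem(codes[0]))
    print("remaining:", store.remaining())
```

Two consequences of this model are worth noticing: a service cannot show you your codes again later (it holds only hashes), which is why saving them at generation time matters, and a photo of an old sheet is worthless the moment you regenerate.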
Using a Password Manager for TOTP
One of the most effective ways to manage your Google 2FA – and 2FA for every other account – is to store your TOTP secrets directly in your password manager. Instead of maintaining a separate authenticator app, your password manager holds both your password and your TOTP secret for each account, generating the six-digit code right alongside your login credentials.
This approach has several advantages. Your TOTP secrets are automatically backed up as part of your regular password database backup. You never face the “lost phone, lost codes” scenario because your secrets are in your encrypted vault, not stranded on a single device. And the convenience factor means you will actually enable 2FA on more accounts, because the friction of switching between apps disappears.
PanicVault, a KeePass-compatible password manager for iPhone, iPad, and Mac, handles this seamlessly. When you scan a QR code during Google’s 2FA setup, PanicVault stores the TOTP secret in the standard KeePass OTP field within your encrypted .kdbx database. The code appears automatically in the entry, updating every thirty seconds. Because PanicVault uses the open KeePass format, your TOTP secrets are never locked into a proprietary ecosystem – you can access the same database from KeePassXC on desktop or KeePassDX on Android.
For more on this approach, see our article on using a password manager as your authenticator and our guide to moving existing codes into a password manager.
Google Advanced Protection Program
For users with elevated security needs – journalists, activists, political campaign staff, executives – Google offers the Advanced Protection Program (APP). This program restricts your Google account to hardware security keys only (no TOTP, no SMS, no Prompts) and adds additional protections:
- Only Chrome and Firefox can access your Google account data through third-party apps
- Google performs additional verification before account recovery, making social engineering attacks much harder
- Gmail scans attachments more aggressively for malware
The Advanced Protection Program is free but requires two hardware security keys (one primary, one backup). If your threat model includes targeted attacks, APP is worth the investment. For most users, properly configured TOTP with backup codes provides strong protection.
Verifying Your Setup
After enabling 2FA, test it immediately:
- Sign out of your Google account completely.
- Sign back in with your password.
- When prompted for your second factor, use your authenticator app to generate a code.
- Verify the code works and you can access your account normally.
- Test one backup code to confirm they work (remember, each code is single-use, so you will consume one).
Do not skip this verification step. Discovering a misconfigured authenticator during a future login attempt – especially on someone else’s computer or after losing your phone – is significantly worse than spending two minutes testing now.
Related Articles
- What Is Two-Factor Authentication? – Understand the fundamentals of 2FA and why it matters.
- TOTP vs. SMS: Which 2FA Method Is Safer? – A detailed comparison of the two most common second-factor methods.
- The Best Authenticator Apps in 2026 – Compare standalone authenticator apps and password managers with TOTP support.
- How to Back Up Your TOTP Codes – Strategies for ensuring you never lose access to your 2FA secrets.
- How to Set Up 2FA on Every Major Service – Guides for enabling 2FA across all your accounts.
