Skip to steps

How to Set Up Two-Factor Authentication

Turn on Google 2-Step Verification with a phone authenticator app in about 15 minutes — install the app, scan the QR, save backup codes, then prove a full sign-in. Read one step at a time and finish each before the next. Start with the 30-second preflight. Codes rejected? See code rejected. Can't scan the QR? Use manual key. Already on but no backups? Use get backup codes. Other sites (Microsoft, GitHub, banks) use the same pattern: Security → 2FA → Authenticator → backup codes.

Tips for reading this guide

  • One step at a time. Read the green caption, the Why line, then the bullets.
  • Move on when the green done line is true — then go to the next step.
  • 2FA / 2-Step means a password plus a second proof (usually a phone code).
  • Authenticator is an app that shows a new 6-digit code about every 30 seconds — it does not need cell signal once set up.
  • Codes rejected, can't scan the QR, or no backup codes? Jump to the matching branch below.
  • Need a helper? Ask someone you trust to sit with you for Steps 6–8 so the QR scan and backup codes are not rushed.
Illustration: phone showing six-digit authenticator code beside a laptop Google security screen with a QR code

Things You'll Need

  • A smartphone you can unlock (iPhone or Android)
  • Your Google email and password that work today
  • Computer or phone browser for myaccount.google.com
  • Official authenticator app: Google Authenticator, Microsoft Authenticator, or Authy (from App Store / Google Play only)
  • Paper + pen, or a password manager, to store backup codes offline
  • Quiet 10–15 minutes — do not rush the backup-codes step

Where are you stuck?

Follow Start here for a first-time setup. If codes fail, the QR will not scan, or you never saved backup codes, jump to the matching branch.

Start hereGoogle Account → authenticator app → backup codes → test login

Before you start

30-second preflight — all five checks must be YES.

Phone unlocks · Google password works · store ready · paper or vault · 15 quiet minutes.

Illustration: checklist with charged phone, Google password, app store, and paper for backup codes

Setup can lock you out of your own account if the phone dies mid-wizard or you skip backup codes — checking first keeps a recovery path.

  1. Phone ready? Battery above ~20%, and you can unlock it yourself.
  2. Password works now? You know the Google password for the email you are protecting — reset it first if you are guessing.
  3. Official store only? You will install from Apple App Store or Google Play — not a random APK link.
  4. Backup storage? Have paper, a printed PDF, or an open password-manager vault ready before Google shows codes.
  5. Time? Block 10–15 minutes without multitasking.

All five checks are YES — you are ready to confirm a normal Google sign-in next.

All YES? Continue to Step 1.

Step 1

Confirm you can sign in with your password alone.

Open Gmail or myaccount.google.com — inbox or account home must load.

Illustration: browser showing Google sign-in success with Gmail inbox visible

If password sign-in already fails, turning on 2FA multiplies the problem — fix password access first.

  1. On a computer or phone browser, go to gmail.com or myaccount.google.com.
  2. Sign in with the Google email you want to protect and your password.
  3. Stop when you see your inbox, or the Google Account home / Security page — not an error screen.

You are signed in and can see inbox or Google Account home without any second-step code yet.

Wrong password loop? Reset the Google password on a device you already trust, then return here.

Step 2

Install an authenticator app from the official store.

App Store / Play → Google Authenticator (or Microsoft / Authy) → Install → Open.

Illustration: phone App Store or Play Store page for Google Authenticator with Install highlighted

A real authenticator makes time-based codes offline; fake store listings can steal logins — stick to the named developer apps.

  1. Open the App Store (iPhone) or Google Play (Android).
  2. Search Google Authenticator, Microsoft Authenticator, or Authy — publisher should match the brand name.
  3. Tap Get / Install, wait until it finishes, then open the app once so it launches cleanly.

The authenticator app icon opens to its home screen (empty list is fine).

Already installed? Open it once and continue — skip the download.

Step 3

Open Google Account Security → 2-Step Verification.

myaccount.google.com → Security → 2-Step Verification.

Illustration: Google Account Security page with 2-Step Verification row highlighted

2-Step lives under Security — starting from the wrong menu is how people turn on SMS-only by accident or leave the page mid-flow.

  1. In the browser, go to https://myaccount.google.com/security (or Account → Security).
  2. Scroll to How you sign in to Google.
  3. Click or tap 2-Step Verification.

You see the 2-Step Verification page (Off/On status or a Get started button).

Step 4

Start 2-Step Verification and pass Google's re-check.

Get started / Turn on → re-enter password or approve phone prompt.

Illustration: Google Get started button and password or phone prompt challenge

Google re-checks that it is really you before it can attach a second factor that later locks everyone else out.

  1. Tap Get started or Turn on 2-Step Verification.
  2. Re-enter your password, or tap Yes on a Google prompt on a signed-in phone.
  3. Follow prompts until you reach a screen that lists second-step options (phone, authenticator, etc.).

The setup wizard continues past the sign-in challenge — you are choosing or adding a second step.

Stuck on an old recovery phone you no longer have? Finish what you can with authenticator + backup codes, then update recovery options afterward.

Step 5

Choose Authenticator app — not text-message as your only method.

Add authenticator app → Set up authenticator → show QR screen.

Illustration: Google second-step options with Authenticator app selected over Text message

Authenticator codes work without cell service and resist SIM-swap better than SMS-only — treat text as backup, not the sole key.

  1. Look for Authenticator app and choose Set up / Add.
  2. If Google asks for SMS first, finish the minimum, then still add Authenticator.
  3. Stop when you see a QR code and a Can't scan it? link.

A QR code (or "Can't scan it?" secret) is visible on the Google setup screen.

Prefer SMS only for now? You can finish SMS, but return later to add Authenticator — SMS-only is weaker.

Step 6

Add the account in your authenticator — scan the QR.

Authenticator + → Scan QR → label Google + your email → live 6 digits.

Illustration: phone camera scanning a QR code on laptop with authenticator showing new six-digit row

The QR copies a secret key into the app — after that, codes are generated on your phone without Google sending a text.

  1. Open authenticator → tap +Scan a QR code.
  2. Point the camera at the Google QR until a new account row appears.
  3. Name it Google + your email; confirm a live 6-digit code shows.

Authenticator shows a new Google entry with a live 6-digit code.

Camera fails or QR too small? → Can't scan QR.

Step 7

Enter the current 6-digit code into Google before it expires.

Type the digits now (no spaces) → Next / Verify.

Illustration: laptop code field with six digits typed while phone shows matching authenticator code

Google checks that the secret landed correctly — a matching code proves the app and account are paired before backup codes appear.

  1. Watch the progress ring or timer in the authenticator — if fewer than ~5 seconds remain, wait for the next code.
  2. Type the six digits into Google's box — numbers only, no spaces.
  3. Click Next / Verify immediately.

Google accepts the code and the wizard advances (no red "wrong code" error).

Code rejected? → Code rejected.

Step 8

Save every backup code offline.

Show / Download / Print codes → store offline — each code is one-time.

Illustration: Google backup codes list beside printed paper and password manager vault icon

Backup codes are your spare keys when the phone is lost, wiped, or stolen — email drafts alone are easy to lose or phish.

  1. Open Backup codesShow / Download / Print.
  2. Store all codes in a password manager or print them for a safe place at home.
  3. Do not keep them only as a screenshot on the same phone that can be lost.

You have a complete offline copy of the backup-code set (printout or vault), not just a glance at the screen.

Already had 2FA on with no codes saved? → No backup codes.

Step 9

Add a backup phone number if Google offers it.

Add recovery / backup phone → verify SMS → or skip if codes are saved.

Illustration: Google add phone number screen with SMS verification field

A second recovery path helps if authenticator and paper codes are both unavailable — still keep authenticator as primary day-to-day.

  1. If Google shows Add a phone number / backup phone, enter a number you control.
  2. Enter the SMS code Google sends to verify it.
  3. If you have no spare number, skip — but only after Step 8 backup codes are truly stored.

A verified backup number is listed, or you consciously skipped with backup codes already saved.

Step 10

Confirm 2-Step Verification shows On.

Security → 2-Step Verification — status must read On / Turned on.

Illustration: Google Security page showing 2-Step Verification status On

A finished wizard does not always mean the switch stuck — a quick status check catches a canceled or incomplete setup.

  1. Return to myaccount.google.com/security.
  2. Open 2-Step Verification again.
  3. Confirm the status says On (or Turned on), and Authenticator is listed under your second steps.

2-Step Verification status clearly shows On, with authenticator listed.

Step 11

Sign out and sign back in with a fresh authenticator code.

Sign out or Incognito → password → fresh 6-digit code → inbox opens.

Illustration: sign-in prompt for 2-Step code with phone authenticator open beside it

A deliberate test login proves the loop works while you still have the phone and backup codes in hand — not after you lock yourself out later.

  1. Sign out of Google, or open an Incognito / Private window.
  2. Sign in with email and password until Google asks for a second step.
  3. Open the authenticator, wait for a fresh code if needed, type it in, and finish sign-in.

You reached inbox or Account home using password + authenticator code (no backup code needed).

Code fails on login? → Code rejected. Phone unavailable? → No backup codes.

Code rejectedWrong code / invalid — fix time sync and account row

Step 1

Use a fresh code — digits only, no spaces.

Wait for a new code if timer is low — type six digits only.

Illustration: authenticator timer near end then new six-digit code with typed field

Codes expire about every 30 seconds; half-typed codes and clipboard leftovers are the most common "invalid" mistakes.

  1. If the authenticator timer is nearly empty, wait until the number changes.
  2. Type the new six digits with no spaces or dashes.
  3. Submit once — do not spam Submit with the same dying code.

You submitted one fresh six-digit code cleanly once.

Step 2

Turn on automatic date and time on the phone.

Settings → Date & time → Set automatically ON → wait 30 sec → new code.

Illustration: phone Date and Time settings with Set automatically turned on

Authenticator codes are time-based — a phone clock set by hand (common after travel) drifts and every code fails.

  1. Open SettingsDate & time (or General → Date & Time).
  2. Turn Set automatically ON; wait about 30 seconds on Wi‑Fi or cell data.
  3. Open authenticator, take the next code, and try Google again.

Automatic time is ON and a new code was tried after the wait.

Step 3

Confirm you are reading the Google row for this email.

Match the authenticator label to this Google email — not another account.

Illustration: authenticator list with two Google rows and the matching email highlighted

Multiple Google entries produce different codes — the wrong row looks valid but always fails.

  1. In the authenticator list, find the entry labeled with this Google email.
  2. If two look alike, open each label and compare to the email on the Google sign-in screen.
  3. Use that row's code only.

You entered a code from the authenticator row that matches this Google email.

Still fails after auto-time + two fresh codes from the right row? Mid-setup: cancel and restart Step 5. Already On: try a backup code, then Google Account recovery — do not burn every backup code in a panic loop.

Can't scan QRManual setup key instead of camera

Step 1

Reveal Google's "Can't scan it?" secret key.

Can't scan it? → show long secret key on Google's page.

Illustration: Google setup screen with Can't scan it link opening a long secret key

The secret key is the same data as the QR — typing it pairs the app when the camera path fails.

  1. On the Google authenticator setup page, click Can't scan it? (wording may vary slightly).
  2. A long secret key (letters and numbers) appears.
  3. Keep that tab open — you will type or paste the key into the phone next.

The secret key text is visible on Google's page.

Step 2

Add the account with Enter a setup key / Manual entry.

Authenticator + → Enter key → paste secret → Time based → Add.

Illustration: authenticator manual entry fields for account name and secret key time-based

Manual entry avoids camera glare, cracked lenses, and browser zoom issues that block QR scans.

  1. In the authenticator, tap +Enter a setup key / Manual entry.
  2. Name: Google + email. Key: paste the secret (watch O vs 0). Type: Time based.
  3. Tap Add/Save — then return to main-path Step 7 to confirm the code with Google.

A new row appears with a live 6-digit code — return to main-path Step 7 to confirm it with Google.

Mistyped twice? On Google, cancel and re-open authenticator setup for a fresh key, then enter once slowly.

No backup codesGenerate and store codes while you can still sign in

Step 1

Sign in while you still have the phone.

Sign in with password + authenticator before the phone is gone.

Illustration: successful Google sign-in with authenticator code while phone is in hand

Backup codes can only be viewed when you are already inside the account — wait until after a phone wipe and you may need full account recovery.

  1. Open myaccount.google.com on a browser.
  2. Sign in with password and a working authenticator code.
  3. Do this before factory-resetting or selling the phone.

You are inside Google Account while signed in.

Cannot sign in at all? Use previously trusted devices, recovery email, or Google Account recovery — stop burning guesses.

Step 2

Show or generate new backup codes and store them offline.

Security → 2-Step → Backup codes → Show / Get new → store offline.

Illustration: Google backup codes list beside printed paper and password manager vault icon

New codes replace old ones — saving the current set offline is the recovery plan when authenticator entries disappear.

  1. Go to Security2-Step VerificationBackup codes.
  2. Tap Show codes or Get new codes if needed (getting new invalidates the previous set).
  3. Download, print, or copy into a password-manager vault; put paper somewhere safe.

You have a complete offline copy of the current backup-code set.

Each backup code works once. After using one at login, cross it off the printed list.

When to get help

  • Ask a trusted person to sit with you for the QR scan and backup-code save (Steps 6–8).
  • If you cannot sign in and have no backup codes, use Google Account recovery — do not keep guessing codes in a loop.
  • For a work or school Google account, contact your IT admin — org rules may block personal authenticator apps.

When This Doesn't Work

  1. Old mail app or desktop client stops after 2FA. Some IMAP/SMTP apps need an App Password from Google Account → Security → App passwords (where offered). Prefer modern apps that support normal Google sign-in.
  2. Work or school Google account. Your admin may force a company method (security key, prompt only). Follow your org's instructions — this personal Google path may be locked.
  3. New phone wiped the authenticator. Use a backup code to get in, then reopen authenticator setup and remove the old method after the new phone is paired.

Warnings

  • Do not finish setup without saving backup codes — a lost phone with no codes is a common lockout.
  • Never share authenticator screenshots, secret keys, or backup codes in chat or email.
  • Install authenticator apps only from the official App Store or Google Play — lookalike names are a known scam pattern.
  • Do not set your phone clock manually if you rely on authenticator codes; keep automatic date and time on.

Tips

  • After Google works, add authenticator 2FA on email, banking, and password-manager accounts the same way — always save that site's backup codes too.
  • If your authenticator offers cloud backup or account transfer, turn it on before you switch phones.
  • Print backup codes and store them with important papers — digital-only copies vanish when the laptop dies.

FAQ

Is an authenticator app better than text messages?

Yes for most people. Authenticator codes work without cell signal once set up and are harder to steal with a SIM swap. Keep SMS as a backup if you want, but do not rely on SMS alone.

Do I need internet on the phone to get codes?

Not after setup. Time-based authenticator codes are generated on the device. You only need internet on the device that is signing in to Google.

What if I lose my phone?

Sign in with a backup code from your printout or password manager, then remove the old authenticator and set up the new phone. If you have no backup codes, use Google Account recovery.

Comments

Questions, corrections, and what worked for you. Comments are reviewed before they appear.