Enhance your security with Two-Factor Authentication. Passwords alone won't do the trick.
by Adam Anderson on 31 Mar 2022
What are Two-Factor Authentication and Two-Step Verification?
The security of most online accounts depends on your password. If your password gets leaked or hacked, you're in trouble. With Two-Step Verification, also known as Two-Factor Authentication, you use one additional piece of information to log into your accounts: a one-time, 6-digit code or token. This means that even if your password is hacked, your account will remain protected; the hacker would need access to your login token as well.
Read on to learn about how to set up Two-Factor Authentication, and why you should use a dedicated app for this, as opposed to Text Message or SMS-based login codes.
What is Google Authenticator?
Google Authenticator is a free app, available on the Google Play and Apple App Stores, that enhances the security of your online accounts. Using Google Authenticator, you can generate one-time login codes on your phone that can be used as a second "factor" or second step of your normal login process.
Typically, when you log into a website or app, you will use a username and password. With Google Authenticator securing your online accounts, you’ll also enter a random 6-digit code each time you want to log in.
These 6-digit random codes are known as Time-Based One-Time Passwords (TOTP). Using TOTP for Two-Factor Authentication (2FA) provides better security than SMS-based one-time codes, because each one is generated offline and is only valid for 30 seconds. After the 30 seconds are up, a new 6-digit TOTP code is provided for you to use.
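As an added illustration (not code from Bitcoin Reserve or Google Authenticator), the sketch below computes a TOTP code the way RFC 6238 specifies: the app and the website share a secret key at setup, and each side derives the 6-digit code from that key and the current 30-second time window, with no network or SMS involved. The key is the public RFC 6238 test secret, and the one-window tolerance in `verify` is a common server-side choice assumed here, not something this page states about any particular site.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"), Base32-encoded
# the way authenticator apps accept a setup key. Never use it for a real account.
DEMO_KEY = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(key_b32, unix_time, step=30, digits=6):
    """Compute the RFC 6238 TOTP code (HMAC-SHA1) for a given moment."""
    key = base64.b32decode(key_b32.replace(" ", "").upper())
    counter = int(unix_time) // step            # number of 30 s windows since 1970
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                     # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(key_b32, submitted, unix_time, step=30, drift_steps=1):
    """Server-side check (assumed policy): current window +/- drift_steps."""
    ok = False
    for delta in range(-drift_steps, drift_steps + 1):
        expected = totp(key_b32, unix_time + delta * step, step)
        # Constant-time comparison, no early exit, so timing does not leak a match.
        ok |= hmac.compare_digest(expected, submitted)
    return ok


if __name__ == "__main__":
    now = time.time()
    code = totp(DEMO_KEY, now)
    print("code now:", code, "valid for", 30 - int(now) % 30, "more seconds")
    print("accepted now:", verify(DEMO_KEY, code, now))
    print("accepted 5 minutes later:", verify(DEMO_KEY, code, now + 300))
```

Because the code depends only on the key and the clock, anyone who obtains the setup key or QR code can generate valid codes, so it should be protected as carefully as the password itself.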
What is wrong with using SMS to receive one-time login codes?
You may already be familiar with SMS-based (text message) authentication, especially for banking apps and websites: When you log in from a new place, your bank may send you a text message and ask you to verify that you are who you say you are. Effectively, you are proving ownership or control of a phone number when you do this. This approach to security is called ‘SMS-based Two-Factor Authentication’.
The problem, or risk, with this approach is that you may lose access to your phone number, or your phone number may be hacked or ‘ported away’ from you. This is called a SIM-swapping attack.
The use of Time-Based One-Time Passwords (TOTP) is preferable for increased security as these are not connected in any way with your phone number. Wherever possible, we recommend you use TOTP instead of SMS to protect your most important accounts.
- At Bitcoin Reserve, we require you to set up Two-Factor Authentication using Time-Based One-Time Passwords, for example with Google Authenticator.
- Bitcoin Reserve does not offer the option of setting up SMS-based Two-Factor Authentication. This is intentional, as we want to help you avoid the risk of becoming a victim of a SIM-swapping attack.
How do I set up Google Authenticator?
Download and install Google Authenticator from your respective app store:
- Google Play: Google Authenticator
- Apple App Store: Google Authenticator
Enable Two-Factor Authentication for Bitcoin Reserve
- After verifying your email address, log in with your email and password
- Next, click ‘Enable Two-Factor Authentication’
- Click ‘Next’
- On your phone, open Google Authenticator
- Click ‘Get Started’ and ‘Scan QR Code’; or click the ‘+’ button and ‘Scan QR Code’
- Point your phone at the screen to scan the QR code displayed on the Bitcoin Reserve website
- NOTE: If you are logging into Bitcoin Reserve from the same mobile phone, click ‘Click to Copy TOTP Key’ and choose ‘Enter a setup key’ in Google Authenticator instead of scanning the QR code. (Paste in the TOTP Key. Example format:
- After you have scanned the QR code, you should see a new account listed which includes your email address and the name of the website or account, e.g.
Bitcoin Reserve (<firstname.lastname@example.org>)
- Under the Account Name + Email, you’ll see a 6-digit TOTP code. Enter this into the form field on the Bitcoin Reserve website (labeled ‘6 digit code’) and click ‘Next’.
NOTE: The pie-shaped countdown timer to the right of the TOTP code indicates how much time remains before the code is refreshed. This occurs once every 30 seconds. If you don’t finish entering the TOTP code before it expires, simply wait and enter the next one that appears in Google Authenticator.
You have now successfully enabled Two-Factor Authentication for your Bitcoin Reserve Account! You will need to open Google Authenticator to get a new TOTP code each time you log in.
TIP: Many email accounts and other online services offer TOTP-based Two-Factor Authentication options. These options will generally be listed under Account or Security-related settings, depending on the site. Google Authenticator can be used for any of these services, if TOTP is an option.