UKBouldering.com

Email Security (Read 2517 times)

Paul B

Email Security
May 30, 2016, 09:16:47 pm
A few years ago I managed to get my parents away from using hotmail/skymail/some blueyonder email address and finally using Gmail, which at the time made a lot of sense given their various Google (Android) devices.

My Mum (bless her) phoned me last night to say she'd had a fair bit of cash spent fraudulently on her various online accounts. The passwords she was using were pretty strong and weren't the same between the two various shops used and thus I thought her email address and the 'forgot password' trick was the likely culprit (I think, although she didn't confirm that this password was very poor).

Following this she's a bit wary and thus I've pointed her at 2-step authentication which I thought would be the end of it. However, the initial pass-codes sent via text message came from a number which her iFern 6s (bought as a refurb fairly recently [concerning at all?]) instantly recognised as Google. A few more came from this number but now they're coming from another that isn't being recognised as Google. I'm imagining the latter bit is not an issue but I thought it would be worth asking the great minds of UKB what they thought. Is she secure or does this still sound a bit fishy? What else should I be checking?

Thanks in advance.

standard

#1 Re: Email Security
May 30, 2016, 09:53:54 pm
Use Google Authenticator instead of the SMS option.
And print off the 10 recovery backup codes and store in a very safe place, in case the phone gets stolen/broke.

Paul B

#2 Re: Email Security
May 31, 2016, 01:22:20 pm
> Use Google Authenticator instead of the SMS option.
> And print off the 10 recovery backup codes and store in a very safe place, in case the phone gets stolen/broke.

So that removes any contact via your phone operator and codes come through an app (presumably tied to the phone?)?

Do people have 2-step on as default?

dontfollowme

#3 Re: Email Security
May 31, 2016, 01:30:20 pm
I had to turn mine on but this was a couple of years ago after seeing a post on here about it. The codes do come through an app and are time limited.

Bubba

#4 Re: Email Security
May 31, 2016, 06:53:04 pm
Make sure to back up Authenticator data if you upgrade the phone OS with a full wipe.

I leave 2FA on all the time but mark my phone/PC/etc as trusted, otherwise it'd be a total pain. If you lose one device you can take it off the trusted list from another.

Paul B

#5 Re: Email Security
May 31, 2016, 09:47:25 pm
> Make sure to back up Authenticator data if you upgrade the phone OS with a full wipe.

This sounds like it has potential for something stupid to happen.

Trusted devices noted; good idea.

Paul B

#6 Re: Email Security
June 25, 2016, 07:41:21 pm
> Make sure to back up Authenticator data if you upgrade the phone OS with a full wipe.
>
> I leave 2FA on all the time but mark my phone/PC/etc as trusted, otherwise it'd be a total pain. If you lose one device you can take it off the trusted list from another.

I've turned this on and I'm not wholly comfortable with what seems like plenty of possibility to f*ck up (and it being Google). One immediate issue is I've marked a tablet as trusted, and it's behaving as it should. However, in the 'trusted devices' list there's nothing!
