@Derek, you need to enable it in your google apps config. If you don't admin your own google apps you'll need to talk to whoever does. It's really easy, it's just a checkbox somewhere.

Oh, additionally, when you use something like gmail bruteforcing isn't really an option, since it will do things like lock you out after a few tries, correct? Which means, while we're being overly silly, your email password could be "lolcats", and as long as you don't use it anywhere else (so hackers can't find it by analysing a stolen user passwords DB) and your email service allows only a few tries before locking the account*, and you don't give it out or post it on comments to a popular blog, you could be fine. *We're ignoring hackers playing the slow game, trying a few passwords every 24hrs so they don't trigger the lockout.

So 2-factor auth is nice and all, and not particularly hard to use. However, can you explain to me why it's better than using a strong password? Let's say: - My password for my email is $p+p9Dv5"L][&Y#Oq>$E (hint: it's not, but it's _like_ that) - Each password I use is different and I store them in a secure password manager (it sounds like in your anecdote the person used the same insecure password everywhere, and hackers got it through some random forum hack or something) - I don't use password hints (one way to disable them would be to put massive random strings) - I don't give out my password over the net, or install malware etc Where is the danger? In terms of insecurity, I think the weakest link is that my email is permanently connected on my phone, so if I lost my phone and someone bypassed my pin they could access all of my email. And 2 factor authentication does nothing to solve that.