Google Apps Gets Two-Factor Security
judgecorp writes "Passwords alone are not enough to secure access. Many organisations require two-factor authentication with a token. Google just added free two-factor verification to Google Apps, sending a one-off token to the user's mobile phone. It's good to have this for free, and it backs up Google's assertion that cloud apps are more secure — but it doesn't answer how it helps if an intruder is getting into Apps through a lost or stolen phone."
Or you know, a Google (or any other cloud service) employee accesses all your data because they own it then... No, cloud services are not more secure. Especially free ones whose business model is to make money off your private information.
For the low low price of your mobile phone number we will give you some extra security!
Allow me to introduce you to Google's "I lost my password, send me a code to my mobile phone to reset it" feature...
Learning HOW to think is more important than learning WHAT to think.
It sort of compromises everything - but that doesn't mean it's a bad form of authentication, does it?
Once your machine, token, credentials, anything have been physically compromised, it's generally accepted that you're hosed (at least for that one factor).
Seems like a step in the right direction.
I believe that's via email, which can be tied to your phone, but not necessarily.
The reality though is that the only completely secure system is one that NO ONE can access. If you want it to be useful, the system HAS to have some way to unlock itself. Saying that a person can access the system if they have all of your credentials isn't really a flaw - it's the way the system has to work.
Put bluntly, there has to be SOME point when the user steps up and starts becoming responsible for keeping track of their credentials.
"People who think they know everything are very annoying to those of us who do."-Mark Twain
but it doesn't answer how it helps if an intruder is getting into Apps through a lost or stolen phone
When you lose your phone, the vast, vast, vast, vast majority of the time they just want to wipe your iPhone and sell it to the local pawn shop. They don't care about your data, your songs, your apps, etc.; they simply see that shiny, new hardware = money. Same thing with laptops, they don't care about the data on it, they want to wipe "that funny looking OS" off of it and put a pirated copy of XP on there and sell it on eBay.
The idea that stolen gadgets are going to be used for something beyond simple hardware really overestimates either your value of data or the intelligence of thieves.
Taxation is legalized theft, no more, no less.
Learn to keep track of your damn phone...
And what do I do when I don't have phone service?
I recently went on vacation to Grand Cayman and didn't have any phone service. What happens then? I had to correctly identify friends from random Facebook pictures in order to log into Facebook the first time (at which point the place I was staying was apparently white listed for me to log into for the rest of the trip).
Sure, it's probably a small annoyance to pay for better security unless you travel often or have really randomly spotty cell phone service. A trip out to my parents' farm would probably be more than an annoyance as I await the text msg okaying me to log into GMail through my parents' 56k modem. I guess everything comes with a price but I'd probably just turn this off and leave it off instead of regretting it on vacation if I forget to disable it before traveling.
Also, a few of my company's clients have server rooms in the depths of basements with little to no cell phone reception. Would hate to work there if you try to log into GMail and get asked for this. You'd have to go for a walk to get your authentication code.
My work here is dung.
but it doesn't answer how it helps if ...
Judgecorp should wait until after second coffee to post.
What happens when an attacker has both factors in a two-factor situation is that security is breached. The same applies for any number of factors.
The objective is to improve security, nothing can guarantee it. No "answer" is needed.
(.....)
I'm a Programmer. That's one level above Software Engineer and one level below Engineer.
The problem is that when you install an application, Android gives you a big long list of things that the app wants to do. Whilst it sounds like a great idea, it gives no context as to why it needs those features and you only have two choices - accept that the application can do everything or don't install it. It's far too easy to sneak something into that list without people realising.
In the future, the OS should prompt the user that an application wants to do something (e.g. accessing your address book) at the point it wants to do it and let the user decide whether or not to allow it - with an option to say "Always do this for [blah]" where [blah] could be "accessing contacts". It has the nice side effect of forcing application developers to design a UI which tells customers what they are trying to do so that they don't hit the "Deny" button as soon as the alert appears.
That way, people can run applications, test them and even use them without having to subject all their data to the mercy of the developers.
Avantslash - View Slashdot cleanly on your mobile phone.
Google won't, and shouldn't, add that. Google doesn't know what an application needs to function, a lot of users will block internet/phone etc access and break the application. Google and the app developer will then get bombarded by complaints and help requests. Android will need to match or beat iOS in user friendliness, options that offer nothing to most users and cause negative user experiences aren't going to help do that.
I would like this functionality, even though I would rarely use it. I just don't think it would benefit Android in general.