Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Apps Gets Two-Factor Security

Posted by CmdrTaco on from the third-factor-requires-blood-sample dept.

judgecorp writes "Passwords alone are not enough to secure access. Many organisations require two-factor authentication with a token. Google just added free two-factor verification to Google Apps, sending a one-off token to the user's mobile phone. It's good to have this for free, and it backs up Google's assertion that cloud apps are more secure — but it doesn't answer how it helps if an intruder is getting into Apps through a lost or stolen phone."

7 of 118 comments (clear)

  1. Mobile security by yakumo.unr · · Score: 4, Interesting

    I'm worried because in all the years I've had a Google mail account I haven't had any issues, yet a month after getting an Android 2.1 phone, despite being really careful about only installing high rated applications with tens of thousands of users and mostly keeping an eye on what they're allowed to access, my gmail account was hacked and used to send out a spam email via a mobile device in canada.

    I've never had an email account hacked before, so I'm pretty convinced that some phone app has leaked my account details (as it's the gmail account tethered to my phone).

    Admittedly Google immediately suspended my account due to suspicious activity (access from Mobile Canada (71.17.214.49), I live in the UK), and a token to my mobile phone was how I unlocked it and changed my password, but I'm still rather wary now despite how much I love my Galaxy S mobile.

    I have bought apps I don't want to lose wiping the phone, and I have no real way to tell what it may have been that leaked my data.

      I have droidsecurity antivirus installed now, but wish google could offer some stronger post-install controls on what an app's allowed to do.

    1. Re:Mobile security by Darkness404 · · Score: 2, Interesting

      I agree, really, Google should let -us- decide what an app can do. Want to access the internet, nope, check a box marked deny and that app no longer has access to that. Want to know my location, nope, check a box marked deny and that app no longer can find your location.

      About the only thing is, that might piss off a few developers because ad-blocking becomes rather easy, but I'm sure they will find a way to have it use the internet in a non-annoying way...

      --
      Taxation is legalized theft, no more, no less.
    2. Re:Mobile security by ptbarnett · · Score: 3, Interesting

      I've never had an email account hacked before, so I'm pretty convinced that some phone app has leaked my account details (as it's the gmail account tethered to my phone).

      Did you inadvertently reuse your email password somewhere else?

      My wife had her GMail account compromised by a Nigerian IP address. I'm pretty sure it's because she used her email address and password to create a userID at a site publishing historical immigration records.

      She's not reusing passwords anymore.

    3. Re:Mobile security by z.cliffe.schreuders · · Score: 2, Interesting

      I love to see comments like this, because that is what my research is designed to do. Make it easy for end users (or admin) to specify what an application is supposed to do, and the program is restricted to the behaviour that is needed to do those things. For example, so you can say "this program is a web browser and an email client". Then, if you like, you can give some app-specific details such as "I download stuff to this directory", or "I only want access to these hosts". Then the program cannot do anything beyond what would be expected of those types of programs. In case you are interested, a Linux implementation is available: http://schreuders.org/FBAC-LSM

  2. Re:Silly nerds... by ibsteve2u · · Score: 2, Interesting

    You refer to a time from before the day Google incentivized the stealing of phones by making them [a] key to business espionage.

    --
    Orwell: "In a Time of Universal Deceit, telling the Truth is a Revolutionary Act"
  3. Re:Cloud apps more secure? by numbsafari · · Score: 2, Interesting

    I know where the employees who work for me live. I know what car they drive. I know where they like to go to lunch. I have their social security number and a copy of their driver's license.

    I also know a guy named Tony. Tony likes to break things. And ever since some pencil-neck computer nerd posted pictures of Tony's girlfriend on-line, Tony really likes to break computer nerds.

    With Google, these things are much less transparent.

  4. Re:Cloud apps more secure? by mlts · · Score: 2, Interesting

    If you look at a cloud provider like Google, there are two paying customers: Enterprises and businesses, and advertisers. So, on one hand, the cloud provider needs to protect data for people paying for their apps. On the other hand, they need to cough up data so the advertisers keep paying.

    This bifurcation is why I prefer using E-mail providers whose sole revenue stream is customers. This way, advertisers have no vested interested in what data sits on the servers. Hosted Exchange providers come to mind here, same with me.com.