Slashdot Mirror


Google Apps Gets Two-Factor Security

judgecorp writes "Passwords alone are not enough to secure access. Many organisations require two-factor authentication with a token. Google just added free two-factor verification to Google Apps, sending a one-off token to the user's mobile phone. It's good to have this for free, and it backs up Google's assertion that cloud apps are more secure — but it doesn't answer how it helps if an intruder is getting into Apps through a lost or stolen phone."

28 of 118 comments

  1. There's a price. by Anonymous Coward · · Score: 5, Insightful

    For the low low price of your mobile phone number we will give you some extra security!

  2. Re:Cloud apps more secure? by Anonymous Coward · · Score: 2, Insightful

    I'm not sure that necessarily makes your data less secure. An administrator always has access to your data, whether that admin works for your company or another company doesn't necessarily change the likelihood that the admin will abuse their power.

  3. ...because it's 2 factor... by OneMadMuppet · · Score: 3, Informative

    ...which means if someone gets one factor (your phone), they still don't have the other (your password).

    1. Re:...because it's 2 factor... by chill · · Score: 4, Insightful

      Allow me to introduce you to Google's "I lost my password, send me a code to my mobile phone to reset it" feature...

      --
      Learning HOW to think is more important than learning WHAT to think.
    2. Re:...because it's 2 factor... by MBGMorden · · Score: 2, Insightful

      I believe that's via email, which can be tied to your phone, but not necessarily.

      The reality though is that the only completely secure system is one that NO ONE can access. If you want it to be useful, the system HAS to have some way to unlock itself. Saying that a person can access the system if they have all of your credentials isn't really a flaw - it's the way the system has to work.

      Put bluntly, there has to be SOME point when the user steps up and starts becoming responsible for keeping track of their credentials.

      --
      "People who think they know everything are very annoying to those of us who do."-Mark Twain
  4. It's Obvious by sjpadbury · · Score: 3, Funny

    Learn to keep track of your damn phone...

    --
    We're all full up on Crazy here...
    1. Re:It's Obvious by eldavojohn · · Score: 2, Insightful

      Learn to keep track of your damn phone...

      And what do I do when I don't have phone service?

      I recently went on vacation to Grand Cayman and didn't have any phone service. What happens then? I had to correctly identify friends from random Facebook pictures in order to log into Facebook the first time (at which point the place I was staying was apparently white listed for me to log into for the rest of the trip).

      Sure, it's probably a small annoyance to pay for better security unless you travel often or have really randomly spotty cell phone service. A trip out to my parent's farm would probably be more than an annoyance as I await the text msg okaying me to log into GMail through my parent's 56k modem. I guess everything comes with a price but I'd probably just turn this off and leave it off instead of regretting it on vacation if I forget to disable it before traveling.

      Also, a few of my company's clients have server rooms in the depths of basements with little to no cell phone reception. Would hate to work there if you try to log into GMail and get asked for this. You'd have to go for a walk to get your authentication code.

      --
      My work here is dung.
  5. Re:Cloud apps more secure? by Pojut · · Score: 2, Insightful

    Agreed. I fail to see how sensitive information being sent over the Internet could be more secure than keeping sensitive information stored on a computer that doesn't even have a network card installed.

  6. If *anything* gets stolen... by NYMeatball · · Score: 4, Insightful

    It sort of compromises everything - but that doesn't mean it's a bad form of authentication, does it?

    Once your machine, token, credentials, anything have been physically compromised, it's generally accepted that you're hosed (at least for that one factor).

    Seems like a step in the right direction.

    1. Re:If *anything* gets stolen... by Jurily · · Score: 2, Insightful

      Agreed. While it's by no means perfect, it is more secure.

      Most accounts today are not compromised because the attackers specifically target the victim, but because they had the weakest password.

      Also, the act of stealing a physical device makes it a far greater risk and hassle for the attackers.

  7. Mobile security by yakumo.unr · · Score: 4, Interesting

    I'm worried because in all the years I've had a Google mail account I haven't had any issues, yet a month after getting an Android 2.1 phone, despite being really careful about only installing high rated applications with tens of thousands of users and mostly keeping an eye on what they're allowed to access, my gmail account was hacked and used to send out a spam email via a mobile device in Canada.

    I've never had an email account hacked before, so I'm pretty convinced that some phone app has leaked my account details (as it's the gmail account tethered to my phone).

    Admittedly Google immediately suspended my account due to suspicious activity (access from Mobile Canada (71.17.214.49), I live in the UK), and a token to my mobile phone was how I unlocked it and changed my password, but I'm still rather wary now despite how much I love my Galaxy S mobile.

    I have bought apps I don't want to lose wiping the phone, and I have no real way to tell what it may have been that leaked my data.

    I have droidsecurity antivirus installed now, but wish google could offer some stronger post-install controls on what an app's allowed to do.

    1. Re:Mobile security by Darkness404 · · Score: 2, Interesting

      I agree, really, Google should let -us- decide what an app can do. Want to access the internet, nope, check a box marked deny and that app no longer has access to that. Want to know my location, nope, check a box marked deny and that app no longer can find your location.

      About the only thing is, that might piss off a few developers because ad-blocking becomes rather easy, but I'm sure they will find a way to have it use the internet in a non-annoying way...

      --
      Taxation is legalized theft, no more, no less.
    2. Re:Mobile security by Mr_Silver · · Score: 2, Insightful

      I've never had an email account hacked before, so I'm pretty convinced that some phone app has leaked my account details (as it's the gmail account tethered to my phone).

      The problem is that when you install an application, Android gives you a big long list of things that the app wants to do. Whilst it sounds like a great idea, it gives no context as to why it needs those features and you only have two choices - accept that the application can do everything or don't install it. It's far too easy to sneak something into that list without people realising.

      In the future, the OS should prompt the user that an application wants to do something (eg. accessing your address book) at the point it wants to do it and let the user decide whether or not to allow it - with an option to say "Always do this for [blah]" where [blah] could be "accessing contacts". It has the nice side effect of forcing application developers to design a UI which tells customers what they are trying to do so that they don't hit the "Deny" button as soon as the alert appears.

      That way, people can run applications, test them and even use them without having to subject all their data to the mercy of the developers.

      --
      Avantslash - View Slashdot cleanly on your mobile phone.
    3. Re:Mobile security by ptbarnett · · Score: 3, Interesting

      I've never had an email account hacked before, so I'm pretty convinced that some phone app has leaked my account details (as it's the gmail account tethered to my phone).

      Did you inadvertently reuse your email password somewhere else?

      My wife had her GMail account compromised by a Nigerian IP address. I'm pretty sure it's because she used her email address and password to create a userID at a site publishing historical immigration records.

      She's not reusing passwords anymore.

    4. Re:Mobile security by N1AK · · Score: 2, Insightful

      I agree, really, Google should let -us- decide what an app can do.

      Google won't, and shouldn't, add that. Google doesn't know what an application needs to function, a lot of users will block internet/phone etc access and break the application. Google and the app developer will then get bombarded by complaints and help requests. Android will need to match or beat iOS in user friendliness, options that offer nothing to most users and cause negative user experiences aren't going to help do that.

      I would like this functionality, even though I would rarely use it. I just don't think it would benefit Android in general.

    5. Re:Mobile security by z.cliffe.schreuders · · Score: 2, Interesting

      I love to see comments like this, because that is what my research is designed to do. Make it easy for end users (or admin) to specify what an application is supposed to do, and the program is restricted to the behaviour that is needed to do those things. For example, so you can say "this program is a web browser and an email client". Then, if you like, you can give some app-specific details such as "I download stuff to this directory", or "I only want access to these hosts". Then the program cannot do anything beyond what would be expected of those types of programs. In case you are interested, a Linux implementation is available: http://schreuders.org/FBAC-LSM

    6. Re:Mobile security by IamTheRealMike · · Score: 2, Informative

      Hey,

      I work on the Gmail team. What happened to you is not related to your use or purchase of an Android phone. In fact, the spammer that logged in to your account wasn't using a mobile phone at all. The reason the session shows up as from a mobile device in your recent activity console is that some popular spammer tools identify themselves to our servers as a mobile phone so that it is allowed to use the mobile HTML UI - presumably as it's easier for them to reverse engineer. But it's actually just a program running on a regular computer.

      Passwords can be stolen through a variety of means. I suggest you read this post in the Gmail support forum for more information on how it might have happened. The top three ways are phishing, keylogger viruses and re-using your Gmail password at other websites that then get hacked (this is very common).

      In other words, you shouldn't need the Android anti-virus product and can uninstall it if you want. I have never heard of somebody being infected with an Android virus - just make sure to read the list of requested permissions and you should be OK.

      Hope that helps and sorry to hear about your experience, but happy to hear we managed to block it!

  8. Re:Cloud apps more secure? by ibsteve2u · · Score: 3, Insightful

    The most interesting inference to me is that some third-party vendor who is serving up cloud apps has employees who are inherently more trustworthy than the ones you handpicked are.

    --
    Orwell: "In a Time of Universal Deceit, telling the Truth is a Revolutionary Act"
  9. Silly nerds... by Darkness404 · · Score: 3, Insightful

    but it doesn't answer how it helps if an intruder is getting into Apps through a lost or stolen phone

    When you lose your phone, the vast, vast, vast, vast majority of the time they just want to wipe your iPhone and sell it to the local pawn shop. They don't care about your data, your songs, your apps, etc. they simply see that shiny, new hardware = money. Same thing with laptops, they don't care about the data on it, they want to wipe "that funny looking OS" off of it and put a pirated copy of XP on there and sell it on eBay.

    The idea that stolen gadgets are going to be used for something beyond simple hardware really overestimates either your value of data or the intelligence of thieves.

    --
    Taxation is legalized theft, no more, no less.
    1. Re:Silly nerds... by ibsteve2u · · Score: 2, Interesting

      You refer to a time from before the day Google incentivized the stealing of phones by making them [a] key to business espionage.

      --
      Orwell: "In a Time of Universal Deceit, telling the Truth is a Revolutionary Act"
  10. How many factors are secure? by thethibs · · Score: 4, Insightful

    but it doesn't answer how it helps if ...

    Judgecorp should wait until after second coffee to post.

    What happens when an attacker has both factors in a two-factor situation is that security is breached. The same applies for any number of factors.

    The objective is to improve security, nothing can guarantee it. No "answer" is needed.

    (.....)

    --
    I'm a Programmer. That's one level above Software Engineer and one level below Engineer.
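The point chill and thethibs make above, that a reset path which needs only the phone quietly turns two factors into one, can be checked mechanically. This is an added example, not code from the thread or from Google: a toy model in which each rule lists what an attacker must already hold to obtain a further credential, and the hardened "independent reset" policy is an assumption included for contrast.

```python
from itertools import combinations

# Constructed model of the credential flows the thread discusses.  Each rule
# maps the set of things an attacker must already hold to the thing that flow
# hands out.  The names are illustrative, not Google's actual flows.
ACCOUNT = "account"

# Policy as chill describes it: login needs password + phone code, but the
# "I lost my password" flow sends a reset code to the same phone.
PHONE_RESET = {
    frozenset({"password", "phone"}): ACCOUNT,
    frozenset({"phone"}): "password",
}

# Hardened variant (an assumption, not something the page says Google does):
# a reset also needs a recovery address that the stolen phone cannot read.
INDEPENDENT_RESET = {
    frozenset({"password", "phone"}): ACCOUNT,
    frozenset({"phone", "recovery_email"}): "password",
}

def closure(held, policy):
    """Everything reachable from `held` by repeatedly applying the rules."""
    held = set(held)
    changed = True
    while changed:
        changed = False
        for needs, grants in policy.items():
            if needs <= held and grants not in held:
                held.add(grants)
                changed = True
    return held

def minimal_breaches(policy):
    """Smallest sets of stolen factors that reach ACCOUNT; a set is listed
    only if no proper subset already suffices, so this shows how many factors
    an attacker must really defeat, not how many the login screen asks for."""
    factors = sorted({f for needs in policy for f in needs})
    found = []
    for size in range(1, len(factors) + 1):
        for combo in map(frozenset, combinations(factors, size)):
            if any(prev <= combo for prev in found):
                continue  # a smaller breach already covers this one
            if ACCOUNT in closure(combo, policy):
                found.append(combo)
    return sorted(sorted(s) for s in found)

def effective_factors(policy):
    """Fewest factors an attacker needs; 2 only if every reset path needs 2."""
    return min(len(s) for s in minimal_breaches(policy))
```

Running `effective_factors` on the two policies gives 1 for the phone-only reset and 2 for the independent reset, which is the difference the thread is arguing about.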
  11. Re:Cloud apps more secure? by Anonymous Coward · · Score: 2, Insightful

    It appears Google's argument is "it's safer/easier/cheaper to use Google Docs than emailing your file as an attachment, or letting employees put it on laptops and USB keys which they then lose."

    If you have information which can only be transmitted between a computer monitor and the user's eyeballs, I don't think Google has anything to peddle to your corporation, unless they start selling Faraday Cages to guard against Van Eck phreaking.

  12. Re:Cloud apps more secure? by numbsafari · · Score: 2, Interesting

    I know where the employees who work for me live. I know what car they drive. I know where they like to go to lunch. I have their social security number and a copy of their driver's license.

    I also know a guy named Tony. Tony likes to break things. And ever since some pencil-neck computer nerd posted pictures of Tony's girlfriend on-line, Tony really likes to break computer nerds.

    With Google, these things are much less transparent.

  13. Re:Cloud apps more secure? by IndustrialComplex · · Score: 3, Insightful

    Agreed. I fail to see how sensitive information being sent over the Internet could be more secure than keeping sensitive information stored on a computer that doesn't even have a network card installed.

    Security and Availability go hand in hand. Security isn't just, NO ONE EVER GETS TO LOOK AT MY DATA. Security is also making sure that your data remains undamaged (integrity) and available to the people that you want to see it.

    --
    Out of modpoints but really liked a post? 1BDkF6TtmmeZ3yqXbz9yhdYVqRYnwFoXDj
  14. Re:Cloud apps more secure? by IndustrialComplex · · Score: 2, Insightful

    Google, in turn, has a vested interest in ensuring that their paying customers' data stays private.

    Google has a vested interest in ensuring that their paying customers' data breaches stay private. That's number one. If they can't ensure number one, then your statement takes priority.

    The issue with Google's model is that you rely on Google's policy/process and you cannot directly negotiate/control that. (Not saying that their policy/process isn't acceptable for some people, but that you don't get to directly influence it)

    --
    Out of modpoints but really liked a post? 1BDkF6TtmmeZ3yqXbz9yhdYVqRYnwFoXDj
  15. Re:Cloud apps more secure? by mlts · · Score: 2, Interesting

    If you look at a cloud provider like Google, there are two paying customers: Enterprises and businesses, and advertisers. So, on one hand, the cloud provider needs to protect data for people paying for their apps. On the other hand, they need to cough up data so the advertisers keep paying.

    This bifurcation is why I prefer using E-mail providers whose sole revenue stream is customers. This way, advertisers have no vested interest in what data sits on the servers. Hosted Exchange providers come to mind here, same with me.com.

  16. Re:Cloud apps more secure? by IndustrialComplex · · Score: 2

    You could say the exact same thing for a sysadmin that you pay yourself, however, which was the whole point of the parent of the post I replied to.

    Which is why I continued my comment beyond that point and discussed direct and indirect control.

    The sysadmin reports to me. Part of my job is making sure he is doing the job I'm paying him to do. Keeping the comparison simple, if I'm the company president, my level of control over behavior is 100%. You can only say the sysadmin has the same interest if I fail to effectively manage the person I hired.

    Google's sysadmins report to them. I am but one of thousands of equivalent contracts to them. Therefore the level of control I have over their internal process and behavior is immediately reduced by a factor of several thousand. Everything I would want to do or change is subject to lag, both in time, and in effect.

    --
    Out of modpoints but really liked a post? 1BDkF6TtmmeZ3yqXbz9yhdYVqRYnwFoXDj
  17. Re:Cloud apps more secure? by morgan_greywolf · · Score: 2, Insightful

    The only kind of "private" e-mail that exists is the kind that you encrypt. Once a plaintext e-mail leaves your client, there is no guarantee that some third party won't read it.

    Security through obscurity is the same as no security at all.