Google Adds Two-Factor Authentication To Gmail
Trailrunner7 writes "Google has introduced a new two-step authentication feature for Gmail users that it says will significantly increase the security of the free mail service. The system enables users to set up a method for obtaining a secret code that will be required, along with a password, to access a Gmail account. The new two-factor authentication system is a voluntary program right now, although it could become mandatory at some point in the future. Gmail, like virtually all other webmail services, has been a frequent target of attacks, both sophisticated and mundane, aimed at hijacking users' accounts. The most famous of these was an attack that was part of the Aurora operation against Google and others, part of which targeted the Gmail accounts of Chinese dissidents."
Why no one time pad with index lookup?
This has been available as an option on the paid Google Apps for domains for several months now, very very nice (phone app/etc.).
If this becomes mandatory... then if you have the situation listed above and are at a friend's house or library you can't check your email?
Light travels faster than sound. This is why some people appear bright until you hear them speak.........
Isn't this technically "Wish-It-Was Two-Factor"
Reminds me of this:
http://thedailywtf.com/Articles/WishItWas-TwoFactor-.aspx
http://googleblog.blogspot.com/2011/02/advanced-sign-in-security-for-your.html
I was excited till I realized it was just going to be another app for your phone. Call me when I can get an actual hardware token.
Your hair look like poop, Bob! - Wanker.
I'm not sure how this will work for those of us using 3rd party mail clients and IMAP or POP3.
People need to figure out what words mean before they use them. This is not really two factor. It's a single factor (what-you-know) used twice. If you really want to be two-factor, then, as OverlordQ mentioned, it needs to be hardware so we really have a what-you-have factor. I'm not saying I really need it to have true two-factor. I'm just saying use the right words.
All banking systems I know of which use single-use codes depend on the users not requiring the codes too often.
One bank issues pre-generated personal code sheets, 50 codes per sheet, which are mailed to the users. They authorise payments or setting changes (though you can certify a secure transfer target). I can't see how it would be feasible to use something like that for each email I send (hundreds a day).
Another bank uses tokens, which generate codes in sync with something serverside... Again, using that to log in to the banking system is a pain, even if I do it once a week or so. I log in to gmail 10-20 times a day...
Secure is good, annoying is bad. I suppose special authorisation should be demanded only when login conditions are unusual, e.g. from an unknown location. I wonder if it'd prevent me logging in from Japan, where I had no phone access...
I've only ever had a problem with my account getting compromised via the browser. It seems that this system is really only set up for browser access. However, isn't it equally important to secure IMAP/POP3?
While I have to applaud Google for trying to keep their users' accounts safe, I have to say that this idea is really untenable. Not everyone has a cellphone, not everyone with a phone carries it all of the time, and you might not always have reception. Just this last summer, I had a month-long internship in Nebraska. The town I stayed at had zero reception on Sprint's network and the nearest cell tower was over an hour away. So, for the entire month, I was without a phone. And last February, I was in Switzerland, where again, I had no cell service.
Furthermore, if my bank can authenticate me without requiring an SMS, then certainly my email provider can do the same.
I access my gmail account via IMAP. I didn't see anything in that article about whether this impacts IMAP/POP or not. It's probably just for web logins, but then again you know what they say about assuming something...
FTA: "Google will call you with the code, send you an SMS message or give you the choice to generate the code for yourself using a mobile application on your Android, BlackBerry or iPhone device"
So what apps? Are they going to roll out their own updated Google App or are they going to support existing apps like those from RSA SecurID or Verisign VIP Access?
If I required that kind of security where a strong password was not enough for messaging I would not be using a hosted platform such as google or SMTP for that matter.
I love seeing stuff like this:
So, if I don't use SMS, and if I refuse to give a phone number to Google ... this is basically useless to me.
I sure as fsck hope to hell that I'm not eventually told I have to use an authentication method I refuse to use -- why does everybody assume I'm willing to give them my mobile number for such things?
Lost at C:>. Found at C.
So, say that my forwarding phone is dead/not around and I have a Google Voice number set up as my cell phone to text/call. How am I supposed to login to check my sms or email so I can get the code so I can log in to check my sms or email?
It's always seemed strange to me that, between my personal e-mail, my online banking, and my level 85 priest, only one has dual-factor auth. Guess which one? Adding e-mail to this makes a whole lot of sense as, with access to my e-mail, you could probably convince Blizzard and possibly convince my bank to reset my authentication details.
Now, it would be nice if they were to make this as full-featured as Blizzard's (they have a key fob, a mobile phone app, and also pretty cool, a feature where if you connect from a sufficiently unusual IP address, they call your phone to verify you) but it's a step in the right direction.
Of course, I can envision this trend going too far, where I have a huge keychain filled with nothing but DFA tokens for everything... but having the choice of either app or token would be nice.
Pound! Bang! Bin! Bash! is this a shell script or a Batman comic?
This is an interesting idea, but there are far too many flaws with it. First off is the obvious privacy issue, your phone number can easily be used to track you, plus your Gmail account, plus Google's information logging makes this a privacy nightmare. And even if you trust Google, there is still the fact that the government/*AA could get ahold of the data and frame you for crimes you didn't commit based on circumstantial evidence. Secondly is the obvious implementation problems, not everyone has a cell phone or has service 24/7.
Taxation is legalized theft, no more, no less.
Install, "Google Authenticator" to allow for two-factor authentication with your Android device.
Code via smoke signals or postman will be an option too, because:
- I don't have a phone, I have naked DSL.
- I don't have a cell phone. There is no cell phone coverage in a 10 km radius.
If you are that compulsive about checking your email, you have your phone with you. And your phone will already be checking your email for you.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
So, the idea to beat the Aurora hack is to make your system rely on the user logging in through a system that totalitarian regime easily can control or intercept?
If they have your password and control your phone network, then this system is just a nuisance.
Most phones that can run apps can also be connected to a PC via USB, allowing full access to their internal memory as a USB mass storage device. So:
1) pwn PC
2) get password
3) next time the user connects their phone, get the secret data used by the app to generate the code (it must be written on the phone's memory, right?)
4) ???
5) profit
Looks like one-and-a-half factor authentication, at most.
My first program:
Hell Segmentation fault
Call me crazy, but do I really want Google knowing my phone number? It seems like nobody is even thinking of this one. What happens when they make this mandatory?
What if you have more than one Gmail account? Frankly, I use some Gmail features to stay hidden (I was going to say anonymous but now that word means kid porn and DoS).
Shutting down free speech with violence isn't fighting fascism. It IS fascism!
You have friends? Who let you use their computer????
My physical key ring is already loaded with authentication tokens made of brass and metal. I've already got one authenticator app on my phone for World of Warcraft: why do I need a new one for every online entity I do business with? Can't we standardize on one?
(Yes, having just one authenticator app means Google can do a man-in-the-middle attack and steal all my WoW gold, but somehow that's not a big concern for me.)
I pay nothing per month, 5 cents per incoming text message, 10 cents outgoing message, and 10 cents per minute of conversation. All that costs me well under $100 a year... and you can get a phone like that for $20 at Wal-Mart, cash, anonymously.
Perhaps we have forgotten that Google and the CIA have partnered up in a joint venture called Recorded Future (http://www.bit-tech.net/news/bits/2010/07/30/google-cia-invest-in-web-monitor/1). So now we should realize that the new motto should be "do only evil". This is only to ensure that when the bag men come they get the right person...
I take it this is for your google account overall? I'm not aware of them being separate.
But, there's still no connection between actual cost and price.
When has there ever been? In Australia, we pay 90 cents a minute with a 35 cent "flagfall" to call from a domestic mobile to another domestic mobile, while a friend working in India gets 20c-a-minute per-second billing with no flagfall to call from India to Australia. We're obviously a captive market, but the international carriers aren't. We don't pay for roaming or incoming calls thanks to the consumer watchdog, but even with three major carriers competition is non-existent.
(sorry for OT rant)
Man who leaps off cliff jumps to conclusion.
I'll put a sign that says "beware of the leopard".
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
Now google will know my phone number. Great. What is next? My Social Security Number?
Trouble with all this crap is that IMAP/POP3 don't support it. So you still get the good old single-factor authentication there, and if someone knows your password, they read your email.
This is a great tool to reduce exposure to account compromise, but it fails to secure against Man-in-the-middle attacks.
A good way to prevent MITM is out-of-band verification (i.e., call the number and type in the one-time code you see on the screen... this can't be replayed by a MITM without revealing the tap).
Make sure everyone's vote counts: Verified Voting
Yeah,
What I really don't get is how my WoW account is more secure than my bank account.
http://images.dailytech.com/nimage/8561_product.jpg
What does this solve that SSL doesn't? Fake SSL certs signed by a trusted authority who can control your DNS? E.g., China?
It's nice to add an extra factor for reasonable paranoid cases, but in those cases, isn't it reasonable to assume they have full control over your cell network as well?
I'm not understanding what case this really improves.
Or is it just to force security on people who can't or won't use SSL for everything in GMail? Which, you know, you should definitely do.
Common sense. Original poster seems to have none. This option is for paranoids only.
It's in those times that it sucks to be on a dumbphone plan in Canada... I had to deactivate SMS because the bloody telcos actually made me pay for incoming messages!
This is useless to me, unfortunately.
Yo dawg, I heard you like authentication...
Yes, but what about those of us without phone?
Or, those of us who don't want to give GOOG our mobile phone number?
This is just another attempt by GOOG to match every user with a mobile #.
You have a sick, twisted mind. Please subscribe me to your newsletter.
Your smartphone has all of your email. You can reset the password on almost any website you visit just by having access to that email. Someone with access to your phone can reset the password for your online banking, facebook, twitter, etc. and basically take over your online identity.
Few people set a password on their phone and even fewer set it to something besides a 4 digit PIN which is either 1111, their birthdate or something equally "rememberable". Adding TWO factor authentication using the phone is really just a gimmick.
Aren't ya a bit late on reporting this?
I see this development as a sort of confidence trick, where Google is trying to get people to put more of their eggs into fewer baskets (that Google controls, of course).
Two-factor authentication schemes offer strong security against unauthorized account access by miscreants, no doubt about it, but never forget that Google is God on Google. It sees all. It knows all. Many people will make the mistake of thinking that the enhanced security protects their data from everyone, including the government. That's not true at all. This does nothing to protect your information from Google itself and the national security interests it willingly serves.
So, if you use Google services, I would say to use this, but just keep in mind that Google has access to everything that you do on there, and that, if they turn over your data to any outside organization, there would be no indication of it, two factor login or not.
"Flyin' in just a sweet place,
Never been known to fail..."
Google Authenticator is open-source and is based on an open protocol, so if you have some other computing device that you trust to be worm-free, you can save the seed on the device and get subsequent keys using a shell script or whatnot. Or if you have some recommendation for another platform it should be ported to, perhaps you can lobby for or support an additional port.
I'm sorry, but this is not nearly enough security if you are dealing with someone like the Chinese government. In this system, if you use the SMS option, they just hack the cell phone carriers SMS logs and voila the code is theirs too. Chances are they have root access to Google's servers anyways, so this is mostly fluff to make them look good and think they care about security and privacy.
I only give out my Google Voice number. It can route incoming calls, using its address book, to ring on combinations of phone numbers I have responsibility for: home phone, my cell, wife's cell, direct to voice mail, etc. These parameters can be set globally and also for specific address book entries.
When I switched cellphone providers, I didn't bother to transfer the old number; I just updated google voice. Now the new phone number rings, the old phone number is deleted, and nobody in my address book even notices, or needs to.
Have a busy hair salon? Just have GV ring all the stylists' cellphones with the caller's ID, and the stylist who knows the name can pick up. The front desk landline can also pick up directly. If nobody picks up, the call goes to digital voicemail with immediate (dubious) transcription to SMS or email.
When customers call, they get right through. If bill collectors or mom calls, they can hear a 'number out of service' tone that blocks robocallers.
Web accessible logs with numbers, names and call history. All this virtual functionality with no IP telephony snake oil. A free service like this has tremendous value for anyone. If google or the CIA or the new world order want to listen to calls, have at it. It works well 98% of the time. It's FREE.
How will vendors of office IP phone systems compete in such a market? See: CISCO earnings...!
Ask Me About... The 80's!
Well, not me, but my niece is an 11-year-old kid who can and does use gmail but does not own a phone. Also my mom, who is a stay-at-home housewife, just keeps her cell switched off, but again uses her email regularly.
Btw, as long as this is optional if you are worried about security and not mandatory, I'd say it was a good thing.
Also really: "Won't someone think of the children? (the ones without cell-phones)"
Back when they announced it for the paid Google Apps versions, I was enthusiastic.
Now, everyone except me has it. And it's not even a technical issue, merely an incentive to buy stuff from them.
> The flaw in GOOG and Yahoo and Hotmail? Social networking "features". They get the email address of every contact you have, and spam them from your address in spoofed headers. All without a login credential.
Google is far from perfect and we should stay wary. But the above is undeniably false, at least for Google.
ITYM Facebook.
2 Things to remember, your bank pin and gmail pin: problems solved :)
That's kinda "Well, yeah, but what are you going to do about it?" The only way to protect against *that* is to get it together and install something like GPG, encrypt everything, maintain a public/private key; sensible, but not something even I do - though maintaining a copy of TrueCrypt on your laptop is easy enough.
An Invisible Entity of Vast Power whose existence must be taken on faith alone: Liberal Media
Risk management - not risk elimination.
Everything is in the percentages - but you need to know the real rules of the game, and true odds.
Also - it's not meant to protect at that level. Use SSL/HTTPS to avoid MITM attacks.
Unless you've pre-exchanged your keys from an absolutely secure connection with the website in question, when you exchange the keys, the MITM will copy those and replay everything.
I can respect that!
In capitalist USA corporations control the government.