Slashdot Mirror


Google Adds Two-Factor Authentication To Gmail

Trailrunner7 writes "Google has introduced a new two-step authentication feature for Gmail users that it says will significantly increase the security of the free mail service. The system enables users to set up a method for obtaining a secret code that will be required, along with a password, to access a Gmail account. The new two-factor authentication system is a voluntary program right now, although it could become mandatory at some point in the future. Gmail, like virtually all other webmail services, has been a frequent target of attacks, both sophisticated and mundane, aimed at hijacking users' accounts. The most famous of these was an attack that was part of the Aurora operation against Google and others, part of which targeted the Gmail accounts of Chinese dissidents."

39 of 399 comments

  1. why no one time pad with index lookup by FuckingNickName · · Score: 3, Interesting

    Why no one time pad with index lookup?

    1. Re:why no one time pad with index lookup by Jeremiah+Cornelius · · Score: 3, Insightful

      2-Factor.

      Now they can be SURE it's YOU that they are tracking.

      The flaw in GOOG and Yahoo and Hotmail? Social networking "features". They get the email address of every contact you have, and spam them from your address in spoofed headers. All without a login credential.

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
    2. Re:why no one time pad with index lookup by Jeremiah+Cornelius · · Score: 2

      Yeah. Pull the other one. It's got bells on it.

      You are Google's product and inventory - not their customer. You don't slip off the shelf so easily.

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
  2. Great...what if you're without your phone? by cayenne8 · · Score: 3, Insightful

    So..what happens if your phone is out of power, or lost or you just plain don't carry the damned thing EVERYWHERE you go?

    If this becomes mandatory..then if you have the situation listed above and are at a friend's house or library you can't check your email?

    --
    Light travels faster than sound. This is why some people appear bright until you hear them speak.........
    1. Re:Great...what if you're without your phone? by Script+Cat · · Score: 2

      Just memorize the code and type it in when you log on.

    2. Re:Great...what if you're without your phone? by BradleyUffner · · Score: 2

      Why would you not have your cellular phone with you?
      Most phones can be charged via USB, how often in your life are you at a location with a computer (to check said email), but not within reach of a USB port?

      Because I forgot it on the nightstand, or on my desk. I frequently work from home so I don't have it on my person at all times. When I leave for a meeting or to grab lunch I sometimes forget to put it in my pocket.

    3. Re:Great...what if you're without your phone? by thatskinnyguy · · Score: 4, Informative

      Because some of us travel to countries/continents where cell service is either at a premium or non-existent but internet service is available by satellite. Try getting a signal in the middle of a jungle in Central America. No. I can't hear you now.

      --
      The game.
    4. Re:Great...what if you're without your phone? by Beardo+the+Bearded · · Score: 3, Insightful

      Why would you not have your cellular phone with you?

      Because I do not OWN a cell phone. They're a huge fucking ripoff and until they get to the point where it's a reasonable price with vendors that aren't asshole oligopolies I will not get one.

      --
      ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
    5. Re:Great...what if you're without your phone? by gstoddart · · Score: 3

      Why would you not have your cellular phone with you?

      Because I used my cell phone very little and don't use it for stuff like signing onto gmail?

      Not all of us are tethered to a cell phone 24/7, nor do we want to be.

      --
      Lost at C:>. Found at C.
    6. Re:Great...what if you're without your phone? by zn0k · · Score: 3, Informative

      They offer a smart phone app for several platforms that doesn't require Internet access. Just like an RSA keyfob doesn't require Internet access.

    7. Re:Great...what if you're without your phone? by wHartHog(69) · · Score: 2

      Because I don't need a reason not to have my phone with me.

    8. Re:Great...what if you're without your phone? by seifried · · Score: 2, Insightful

      You know just because you carry a cell phone doesn't mean you have to answer it (or even leave it on). You can also send the call to voice mail, or if you don't have voice mail just ignore it/mute it.

    9. Re:Great...what if you're without your phone? by gstoddart · · Score: 4, Insightful

      Or, you know, I don't carry it -- which is what I do now.

      Why is it so hard to understand that many of us simply do not carry our cell phones all of the time, nor do we want to? Are you guys so obsessed with your phone you never put it down and walk away and can't fathom that other people don't?

      I sure as hell don't want a cell-phone to be an integral part of logging into my webmail.

      --
      Lost at C:>. Found at C.
    10. Re:Great...what if you're without your phone? by noidentity · · Score: 2

      If it worked like that, it wouldn't be two-factor anymore (it would just be a system where your password must be entered in two chunks in two separate fields, no more secure than currently).

    11. Re:Great...what if you're without your phone? by Catskul · · Score: 2

      ... the code changes every time you login. Memorizing it will do you no good. That is, in fact, the point. To compromise the second factor, you need to have the phone.

      --
      Im not here now... Im out KILLING pepperoni
    12. Re:Great...what if you're without your phone? by maxume · · Score: 2

      I don't think they are too worried about the segment of their userbase that refuses to carry a cell phone but wants to check their email from random restaurants.

      --
      Nerd rage is the funniest rage.
    13. Re:Great...what if you're without your phone? by chinakow · · Score: 2

      What are you four? Learn to read the caller ID or here's a thought, don't answer your phone when you don't want to talk. I take youth comment back, old people are the same way, they think just because a phone rings in earshot it must be answered. Anyway, keep your hair on grandpa, and learn how to silence a phone when you don't want to be bothered.

    14. Re:Great...what if you're without your phone? by bluemonq · · Score: 2

      1) Get a Virgin Mobile MiFi from Walmart. Buy 1GB for $20 top-up cards (only available at Walmart).
      THEN
      2a) Buy new or used iOS smartphone off of contract capable of running Talkatone app, which provides VoIP via GMail which has free US phone calls.
      3a) Install Talkatone app.
      4) Done.
      ===
      2b) Buy any Android or iOS smartphone off of contract capable of later versions of Skype which allow cellular VoIP.
      3b) Install Skype with Pay as you Go option.
      4) Done.

    15. Re:Great...what if you're without your phone? by bluemonq · · Score: 4, Informative

      Do you have access to a landline? Because you can set the account settings to call you via a backup number and have the code read out to you. Or you can print out some backup codes and keep them in your wallet if you choose to do so. Not only that, you have the option to not have to enter a new verification code for 30 days, just your password, so if you brought your laptop along with you, you could have enabled the 30-day grace period. Then, when you go someplace and realize that you do in fact get reception, turn the 30-day off. You can even generate a ton of one-time codes for use on public computers! And once you generate the code and copy it down somewhere, you can hide it - and the code can't be retrieved from your account again! And you can revoke them at any time! And if this isn't enough choice for you - you can simply not opt-in. That's right, this is entirely opt-in.

    16. Re:Great...what if you're without your phone? by __aaxtnf2500 · · Score: 3, Insightful

      Hey there are plenty of Machine looms still in use all over the country. I think you can find one to go smash rather than attempt to convince the people on a technology forum that the ability to wirelessly communicate outside of your home is for fancypants techno-fiends intent on throwing their money away to "the man."

    17. Re:Great...what if you're without your phone? by ftobin · · Score: 2

      Why is it so hard to understand that many of us simply do not carry our cell phones all of the time, nor do we want to? Are you guys so obsessed with your phone you never put it down and walk away and can't fathom that other people don't?

      Those pesky keys you carry around to get into your house and car are so annoying too! In order to ease your burden, you should consider just leaving your house and car unlocked. It'll be easier on your mind that way.

      I sure as hell don't want a cell-phone to be an integral part of logging into my webmail.

      It's all about ease of use.

    18. Re:Great...what if you're without your phone? by brusk · · Score: 2

      It also has a frickin torch built in

      I sincerely hope you were speaking British there.

      --
      .sig withheld by request
    19. Re:Great...what if you're without your phone? by Call+Me+Black+Cloud · · Score: 2

      Shoot, you stole my answer.

      My wife often complains that I don't carry my phone with me all the time or that I have it with me in my car but it's turned off. Sometimes I don't want to be bothered by a phone call - I just want some uninterrupted time to myself. Her response? "What if there's an emergency?" My response: "Call 911, not me".

      Yes, we've played that out many many times now.

      What surprises me is that there's someone who is surprised that a person may actually not have a phone with them. Why would someone want to be connected every single moment of every single day?

    20. Re:Great...what if you're without your phone? by SnowZero · · Score: 2

      If you don't trust the app, inspect the source here and compile it yourself:
          http://code.google.com/p/google-authenticator/

      If you don't trust the compiler, get a yubikey which implements the same standard.

      If you don't trust a 3rd party vendor, implement something for RFC-4226 yourself:
          http://tools.ietf.org/html/rfc4226

      If you still don't trust that, I suggest you get a different email provider :)

    21. Re:Great...what if you're without your phone? by SnowZero · · Score: 2

      There are some hardware options, such as yubikey. Another alternative if you don't mind the extra weight is to find a used android phone -- since the app doesn't require a sim, you only need wifi to get it set up (actually if you wanted to you could use USB and install it directly).

      Also, check around to see if there's a Symbian app that implements HOTP (RFC 4226), since that's what Google uses. I imagine that if there isn't one yet, there will be one if this becomes popular.

      Good luck, and no you can't have my Nexus S :)

    22. Re:Great...what if you're without your phone? by bloosh · · Score: 2

      Or better yet, get a Google Voice account and number, tell everyone that you have a new number and use GV's call routing system to control how people contact you.

  3. Wish-It-Was Two-Factor by Some+guy+named+Chris · · Score: 2

    Isn't this technically "Wish-It-Was Two-Factor"

    Reminds me of this:
    http://thedailywtf.com/Articles/WishItWas-TwoFactor-.aspx

  4. Direct link to Google's announcement (bypass blog) by Anonymous Coward · · Score: 4, Informative
  5. Good idea, bad implementation by Lord+Byron+II · · Score: 3, Insightful

    While I have to applaud Google for trying to keep their users' accounts safe, I have to say that this idea is really untenable. Not everyone has a cellphone, not everyone with a phone carries it all of the time, and you might not always have reception. Just this last summer, I had a month-long internship in Nebraska. The town I stayed at had zero reception on Sprint's network and the nearest cell tower was over an hour away. So, for the entire month, I was without a phone. And last February, I was in Switzerland, where again, I had no cell service.

    Furthermore, if my bank can authenticate me without requiring an SMS, then certainly my email provider can do the same.

    1. Re:Good idea, bad implementation by LateArthurDent · · Score: 4, Insightful

      While I have to applaud Google for trying to keep their users' accounts safe, I have to say that this idea is really untenable. Not everyone has a cellphone, not everyone with a phone carries it all of the time, and you might not always have reception. Just this last summer, I had a month-long internship in Nebraska. The town I stayed at had zero reception on Sprint's network and the nearest cell tower was over an hour away. So, for the entire month, I was without a phone. And last February, I was in Switzerland, where again, I had no cell service.

      Furthermore, if my bank can authenticate me without requiring an SMS, then certainly my email provider can do the same.

      This isn't meant for the average joe. It's meant for people with sensitive e-mails. If you think a totalitarian government might be going after you because you're part of a human rights organization, then signing up for two-factor authentication is for you. If your e-mail is basically your friends sending you stupid chain e-mails, then it's not. After all, I do have my cell phone with me all the time, and I don't ever want the inconvenience of two-factor authentication precisely because I carry my cell phone with me all the time: I never go to the gmail web page, I use imap and check my mail with my phone's client (or rather, my phone's client tells me when I have mail).

  6. Re:IMAP? by ahecht · · Score: 4, Informative

    Read the article. There is a randomly-generated application-specific 16 digit password that is used for things like IMAP and POP3. If someone gets access to that (unlikely, since you would never need to write it down, and Google encrypts IMAP and POP3), they can only access that specific service, and it's not going to be the same password you use anywhere else.

  7. Re:Two factor? Not quite by ahecht · · Score: 2

    No, it's really two factor: something you know (password) + something you have (cell phone or landline).

  8. Re:What apps? by bradgoodman · · Score: 4, Informative

    The section you quoted is just to set it up, I believe.

    There is a "Google Authenticator" application that you install on your phone. It has been out for several months. It requires no cell reception.

  9. Android phones already have support by GooberToo · · Score: 5, Insightful

    Install "Google Authenticator" to allow for two-factor authentication with your Android device.

    1. Re:Android phones already have support by bradgoodman · · Score: 2, Informative

      "Google Authenticator" available (free) for iOS in the AppStore, too.

  10. Re:Interesting idea, bad application by bradgoodman · · Score: 2

    Cell service is not required. It's a "soft-token" app - just like an RSA Key-fob token.

  11. Authenticator by toastar · · Score: 3, Insightful

    Yeah,

    What I really don't get is how my WoW account is more secure than my bank account.
    http://images.dailytech.com/nimage/8561_product.jpg

    1. Re:Authenticator by TheThiefMaster · · Score: 2

      Because your bank is crap.

      I have one of these: Barclays PINsentry Card Reader

  12. What if you don't have a phone? by Hyperhaplo · · Score: 2

    Yes, but what about those of us without a phone?

    Or, those of us who don't want to give GOOG our mobile phone number?

    This is just another attempt by GOOG to match every user with a mobile #.

    --
    You have a sick, twisted mind. Please subscribe me to your newsletter.