Google Adds Two-Factor Authentication To Gmail

Trailrunner7 writes "Google has introduced a new two-step authentication feature for Gmail users that it says will significantly increase the security of the free mail service. The system enables users to set up a method for obtaining a secret code that will be required, along with a password, to access a Gmail account. The new two-factor authentication system is a voluntary program right now, although it could become mandatory at some point in the future. Gmail, like virtually all other webmail services, has been a frequent target of attacks, both sophisticated and mundane, aimed at hijacking users' accounts. The most famous of these was an attack that was part of the Aurora operation against Google and others, part of which targeted the Gmail accounts of Chinese dissidents."

why no one time pad with index lookup

[FuckingNickName]

Why no one time pad with index lookup?

Re:why no one time pad with index lookup

[Jeremiah+Cornelius]

2-Factor.

Now they can be SURE it's YOU , that they are tracking.

The flaw in GOOG and Yahoo and Hotmail? Social networking "features". They get the email address of every contact you have, and spam them from your address in spoofed headers. All without a login credential.

Great...what if you're without your phone?

[cayenne8]

So..what happens if your phone is out of power, or lost or you just plain don't carry the damned thing EVERYWHERE you go?

If this becomes mandatory..then if you have the situation listed above and are at a friend's house or library you can't check your email?

Re:Great...what if you're without your phone?

[thatskinnyguy]

Because some of us travel to countries/continents where cell service is either at a premium or non-existent but internet service is available by satellite. Try getting a signal in the middle of a jungle in Central America. No. I can't hear you now.

Re:Great...what if you're without your phone?

[Beardo+the+Bearded]

Why would you not have your cellular phone with you?

Because I do not OWN a cell phone. They're a huge fucking ripoff and until they get to the point where it's a reasonable price with vendors that aren't asshole oligopolies I will not get one.

Re:Great...what if you're without your phone?

[gstoddart]

Why would you not have your cellular phone with you?

Because I used my cell phone very little and don't use it for stuff like signing onto gmail?

Not all of us are tethered to a cell phone 24/7, nor do we want to be.

Re:Great...what if you're without your phone?

[zn0k]

They offer a smart phone app for several platforms that doesn't require Internet access. Just like an RSA keyfob doesn't require Internet access.

Re:Great...what if you're without your phone?

[gstoddart]

Or, you know, I don't carry it -- which is what I do now.

Why is it so hard to understand that many of us simply do not carry our cell phones all of the time, nor do we want to? Are you guys so obsessed with your phone you never put it down and walk away and can't fathom that other people don't?

I sure as hell don't want a cell-phone to be an integral part of logging into my webmail.

Re:Great...what if you're without your phone?

[bluemonq]

Do you have access to a landline? Because you can set the account settings to call you via a backup number and have the code read out to you. Or you can print out some backup codes and keep them in your wallet if you choose to do so. Not only that, you have to option to not have to enter a new verification code for 30 days, just your password, so if you brought your laptop along with you, you could have enabled the 30 day grace period. Then, when you go someplace and realize that you do in fact get reception, turn the 30day off. You can even generate a ton of one-time codes for use on public computers! And once you generate the code and copy it down somewhere, you can hide it - and the code can't be retrieved from your account again! And you can revoke them at any time! And if this isn't enough choice for you - you can simply not opt-in. That's right, this is entirely opt-in.

Re:Great...what if you're without your phone?

[__aaxtnf2500]

Hey there are plenty of Machine looms still in use all over the country. I think you can find one to go smash rather than attempt to convince the people on a technology forum that the ability to wirelessly communicate outside of your home is for fancypants techno-fiends intent on throwing their money away to "the man."

Direct link to Google's announcement (bypass blog)

http://googleblog.blogspot.com/2011/02/advanced-sign-in-security-for-your.html

Good idea, bad implementation

[Lord+Byron+II]

While I have to applaud Google for trying to keep their users' accounts safe, I have to say that this idea is really untenable. Not everyone has a cellphone, not everyone with a phone carries it all of the time, and you might not always have reception. Just this last summer, I had a month-long internship in Nebraska. The town I stayed at had zero reception on Sprint's network and the nearest cell tower was over an hour away. So, for the entire month, I was without a phone. And last February, I was in Switzerland, where again, I had no cell service.

Furthermore, if my bank can authenticate me without requiring an SMS, then certainly my email provider can do the same.

Re:Good idea, bad implementation

[LateArthurDent]

While I have to applaud Google for trying to keep their users' accounts safe, I have to say that this idea is really untenable. Not everyone has a cellphone, not everyone with a phone carries it all of the time, and you might not always have reception. Just this last summer, I had a month-long internship in Nebraska. The town I stayed at had zero reception on Sprint's network and the nearest cell tower was over an hour away. So, for the entire month, I was without a phone. And last February, I was in Switzerland, where again, I had no cell service.

Furthermore, if my bank can authenticate me without requiring an SMS, then certainly my email provider can do the same.

This isn't meant for the average joe. It's meant for people with sensitive e-mails. If you think a totalitarian government might be going after you because you're part of a human rights organization, then signing up for two-factor authentication is for you. If your e-mail is basically your friends sending you stupid chain e-mails, then it's not. After all, I do have my cell phone with me all the time, and I don't ever want the inconvenience of two-factor authentication precisely because I carry my cell phone with me all the time: I never go to the gmail web page, I use imap and check my mail with my phone's client (or rather, my phone's client tells me when I have mail).

Re:IMAP?

[ahecht]

Read the article. There is a randomly-generated application-specific 16 digit password that is used for things like IMAP and POP3. If someone gets access to that (unlikely, since you would never need to write it down, and Google encrypts IMAP and POP3), they can only access that specific service, and its not going to be the same password you use anywhere else.

Re:What apps?

[bradgoodman]

The section you quoted is just to set it up, I believe.

There is a "Google Authenticator" application that you install on your phone. It has been out for several months. It requires no cell reception.

Android phones already have support

[GooberToo]

Install, "Google Authenticator" to allow for two-factor authentication with your Android device.

Authenticator

[toastar]

Yeah,

What i really don't get is how my Wow account is more secure then my back account.
http://images.dailytech.com/nimage/8561_product.jpg