Slashdot Mirror


Google Adds Two-Factor Authentication To Gmail

Trailrunner7 writes "Google has introduced a new two-step authentication feature for Gmail users that it says will significantly increase the security of the free mail service. The system enables users to set up a method for obtaining a secret code that will be required, along with a password, to access a Gmail account. The new two-factor authentication system is a voluntary program right now, although it could become mandatory at some point in the future. Gmail, like virtually all other webmail services, has been a frequent target of attacks, both sophisticated and mundane, aimed at hijacking users' accounts. The most famous of these was an attack that was part of the Aurora operation against Google and others, part of which targeted the Gmail accounts of Chinese dissidents."

8 of 399 comments

  1. Direct link to Google's announcement (bypass blog) by Anonymous Coward · · Score: 4, Informative
  2. Re:IMAP? by ahecht · · Score: 4, Informative

    Read the article. There is a randomly-generated application-specific 16-digit password that is used for things like IMAP and POP3. If someone gets access to that (unlikely, since you would never need to write it down, and Google encrypts IMAP and POP3), they can only access that specific service, and it's not going to be the same password you use anywhere else.

  3. Re:What apps? by bradgoodman · · Score: 4, Informative
    The section you quoted is just to set it up, I believe.

    There is a "Google Authenticator" application that you install on your phone. It has been out for several months. It requires no cell reception.

  4. Re:Good idea, bad implementation by LateArthurDent · · Score: 4, Insightful

    While I have to applaud Google for trying to keep their users' accounts safe, I have to say that this idea is really untenable. Not everyone has a cellphone, not everyone with a phone carries it all of the time, and you might not always have reception. Just this last summer, I had a month-long internship in Nebraska. The town I stayed at had zero reception on Sprint's network and the nearest cell tower was over an hour away. So, for the entire month, I was without a phone. And last February, I was in Switzerland, where again, I had no cell service.

    Furthermore, if my bank can authenticate me without requiring an SMS, then certainly my email provider can do the same.

    This isn't meant for the average Joe. It's meant for people with sensitive e-mails. If you think a totalitarian government might be going after you because you're part of a human rights organization, then signing up for two-factor authentication is for you. If your e-mail is basically your friends sending you stupid chain e-mails, then it's not. After all, I do have my cell phone with me all the time, and I don't ever want the inconvenience of two-factor authentication precisely because I carry my cell phone with me all the time: I never go to the Gmail web page, I use IMAP and check my mail with my phone's client (or rather, my phone's client tells me when I have mail).

  5. Re:Great...what if you're without your phone? by thatskinnyguy · · Score: 4, Informative

    Because some of us travel to countries/continents where cell service is either at a premium or non-existent but internet service is available by satellite. Try getting a signal in the middle of a jungle in Central America. No. I can't hear you now.

    --
    The game.
  6. Android phones already have support by GooberToo · · Score: 5, Insightful

    Install "Google Authenticator" to allow for two-factor authentication with your Android device.

  7. Re:Great...what if you're without your phone? by gstoddart · · Score: 4, Insightful

    Or, you know, I don't carry it -- which is what I do now.

    Why is it so hard to understand that many of us simply do not carry our cell phones all of the time, nor do we want to? Are you guys so obsessed with your phone you never put it down and walk away and can't fathom that other people don't?

    I sure as hell don't want a cell-phone to be an integral part of logging into my webmail.

    --
    Lost at C:>. Found at C.
  8. Re:Great...what if you're without your phone? by bluemonq · · Score: 4, Informative

    Do you have access to a landline? Because you can set the account settings to call you via a backup number and have the code read out to you. Or you can print out some backup codes and keep them in your wallet if you choose to do so. Not only that, you have the option to not have to enter a new verification code for 30 days, just your password, so if you brought your laptop along with you, you could have enabled the 30-day grace period. Then, when you go someplace and realize that you do in fact get reception, turn the 30-day off. You can even generate a ton of one-time codes for use on public computers! And once you generate the code and copy it down somewhere, you can hide it - and the code can't be retrieved from your account again! And you can revoke them at any time! And if this isn't enough choice for you - you can simply not opt-in. That's right, this is entirely opt-in.