Google Apps Gets Two-Factor Security 118
judgecorp writes "Passwords alone are not enough to secure access. Many organisations require two-factor authentication with a token. Google just added free two-factor verification to Google Apps, sending a one-off token to the user's mobile phone. It's good to have this for free, and it backs up Google's assertion that cloud apps are more secure — but it doesn't answer how it helps if an intruder is getting into Apps through a lost or stolen phone."
Cloud apps more secure? (Score:1, Insightful)
Or you know, a Google (or any other cloud service) employee [slashdot.org] access all your data because they own it then... No, cloud services are not more secure. Especially free ones who's business model is to make money off your private information.
Re: (Score:2, Insightful)
I'm not sure that necessarily makes your data less secure. An administrator always has access to your data, whether that admin works for your company or another company doesn't necessarily change the likelihood that the admin will abuse their power.
Re: (Score:1)
Not really. In the case of Google Apps, the problem of admin abuse becomes Google's. Google, in turn, has a vested interest in ensuring that their paying customers' data stays private. And if you're not one of Google's paying customers, well, I suppose you get what you pay for, eh?
Re: (Score:3, Insightful)
Google, in turn, has a vested interest in ensuring that their paying customers' data stays private.
Google has a vested interest in ensuring that their paying customers' data breaches stay private. That's number one. If they can't ensure number one, then your statement takes priority.
The issue with Google's model is that you rely on Google's policy/process and you cannot directly negotiate/control that. (Not saying that their policy/process isn't acceptable for some people, but that you don't get to dire
Re: (Score:1)
You could say the exact same thing for a sysadmin that you pay yourself, however, which was the whole point of the parent of the post I replied to.
Re: (Score:3)
You could say the exact same thing for a sysadmin that you pay yourself, however, which was the whole point of the parent of the post I replied to.
Which is why I continued my comment beyond that point and discussed direct and indirect control.
The sysadmin reports to me. Part of my job is making sure he is doing the job I'm paying him to do. Keeping the comparison simple, if I'm the company president, my level of control over behavior is 100% You can only say the sysadmin has the same interest if I fail t
Re: (Score:3, Interesting)
If you look at a cloud provider like Google, there are two paying customers: Enterprises and businesses, and advertisers. So, on one hand, the cloud provider needs to protect data for people paying for their apps. On the other hand, they need to cough up data so the advertisers keep paying.
This bifurcation is why I prefer using E-mail providers whose sole revenue stream is customers. This way, advertisers have no vested interested in what data sits on the servers. Hosted Exchange providers come to mind
Re: (Score:2)
Blergh, pardon the grammar goofs. What I intended to state is that it is hard for a company to serve two different types of interests without letting one win out. Does a cloud provider prefer privacy of paid E-mail customers over ad data handed to advertisers?
Perhaps the best of both worlds would be dividing the two interests into separate divisions. Paid E-mail goes to one set of servers where the sole focus is the customer. "Free" [1] E-mail goes to another set where advertisers can get their statisti
Re: (Score:2, Insightful)
The only kind of "private" e-mail that exists is the kind that you encrypt. Once a plaintext e-mail leaves your client, there is no guarantee that some third party won't read it.
Security through obscurity is the same as no security at all.
Re: (Score:2)
This is completely misleading and wrong. The ads system matches content to an ad. At no point is there even a reason for the data to leave Google. If you could sign up for an advertiser account and get data out of Google people would be marching with torches and pitchforks.
There is no conflict between the user serving side and the ads serving side. Especially when you consider that Apps enterprise admins/users can literally turn ads off.
Re: (Score:2)
I didn't state that advertisers had access to E-mail contents, but analytical data relating to E-mail traffic. However, the cloud provider is the place that decides how much or how little anonymizing takes place. For example, does an advertiser get to know that account "X" gets a lot of mail with the "buying a Chevrolet" that are not spam often, or does that person do a lot of dialog about buying Fords?
In any case, if advertisers are paying the bills as opposed to the end user, E-mail account holders are
Re: (Score:3, Insightful)
Agreed. I fail to see how sensitive information being sent over the Internet could be more secure than keeping sensitive information stored on a computer that doesn't even have a network card installed.
Re:Cloud apps more secure? (Score:4, Insightful)
Re: (Score:3, Interesting)
I know where the employees who work for me live. I know what car they drive. I know where they like to go to lunch. I have their social security number and a copy of their driver's license.
I also know a guy named Tony. Tony likes to break things. And ever since some pencil-neck computer nerd posted pictures of Tony's girlfriend on-line, Tony really likes to break computer nerds.
With Google, these things are much less transparent.
Re: (Score:2)
With Google, these things are much less transparent.
Oh...so you don't think the results harvested from "Google would like to know your location." are going into a massive database linking every IP address - and, by extension, IPs in the same subnet - to a physical location?
I.e., Google's "Tony" knows where you work AND live...and he's got your data.
Re: (Score:2, Insightful)
It appears Google's argument is "it's safer/easier/cheaper to use Google Docs than emailing your file as an attachment, or letting employees put it on laptops and USB keys which they then loose."
If you have information which can only be transmitted between a computer monitor and the user's eyeballs, I don't think Google has any thing to peddle to your corporation, unless they start selling Faraday Cages to guard against Van Eck phreaking.
Re:Cloud apps more secure? (Score:4, Insightful)
Agreed. I fail to see how sensitive information being sent over the Internet could be more secure than keeping sensitive information stored on a computer that doesn't even have a network card installed.
Security and Availability go hand in hand. Security isn't just, NO ONE EVER GETS TO LOOK AT MY DATA. Security is also making sure that your data remains undamaged (integrity) and available to the people that you want to see it.
Re: (Score:1)
Agreed. I fail to see how sensitive information being sent over the Internet could be more secure than keeping sensitive information stored on a computer that doesn't even have a network card installed.
Security and Availability go hand in hand. Security isn't just, NO ONE EVER GETS TO LOOK AT MY DATA. Security is also making sure that your data remains undamaged (integrity) and available to the people that you want to see it.
Uhhh, me thinks you are confusing privacy with security.
Data privacy is the one about
NO ONE EVER GETS TO LOOK AT MY DATA.
While data security is about
making sure that your data remains undamaged (integrity) and available to the people that you want to see it
Re: (Score:2)
Uhhh, me thinks you are confusing privacy with security.
Data privacy is the one about
While data security is about
For reference: http://en.wikipedia.org/wiki/Information_security [wikipedia.org]
Integrity
Availability
Confidentiality
It isn't that they are all one and the same and in equal measure, it is that they all are aspects of designing a secure system. For a given system, confidentiality (a more comprehensive term than privacy) is an aspect that you evaluate and your requirements are derived from your need.
Privacy, as
Re: (Score:2)
I fail to see how sensitive information being sent over the Internet could be more secure than keeping sensitive information stored on a computer that doesn't even have a network card installed.
While I acknowledge your penchant for information security, I fail to see how information on a non-networked computer is useful. If we're tearing out our network cards in 2010 (note that the very notion of non-embedded networking hardware is rather old-hat), let's just go back to poking at clay tablets with sticks! All this new-fangled technology is for the birds, right?
TFA is about ensuring that computer security improves to meet new challenges. That is both harder and more noble than throwing the baby out
Re: (Score:2)
There are times when having something non-networked is useful. Offline key signing for example where one takes a USB flash drive full of items to be signed to an offline HSM in a physically secure location where only a few people have access to it.
What I see that might happen as a compromise between completely air-gapping versus complete connectivity are private backbones. Think NIPRNet, except for businesses. I can see banks coming out with a backbone, "BIPRnet" which connects businesses either on their
Re: (Score:2)
Re: (Score:2)
Inside jobs, carelessness, apathy, weak passwords etc account for most of the data loss. Packet snooping on https connections is not the main source of security breaches.
Re: (Score:2)
Or you know, a Google (or any other cloud service) employee access all your data because they own it then... No, cloud services are not more secure. Especially free ones who's business model is to make money off your private information.
Oh shush. Google fans value freedom.
Re: (Score:2)
Two people can keep a secret . . . If one of them is dead.
Yeah, until the ME finally pries the truth from him. :P
There's a price. (Score:5, Insightful)
For the low low price of your mobile phone number we will give you some extra security!
Re: (Score:2)
In fact I wouldn't be surprised if they promised not to use your phone number for anything else... Google does appear to be quite serious about cloud based apps...
...because it's 2 factor... (Score:3, Informative)
Re:...because it's 2 factor... (Score:5, Insightful)
Allow me to introduce you to Google's "I lost my password, send me a code to my mobile phone to reset it" feature...
Re: (Score:3, Insightful)
I believe that's via email, which can be tied to your phone, but not necessarily.
The reality though is that the only completely secure system is one that NO ONE can access. If you want it to be useful, the system HAS to have some way to unlock itself. Saying that a person can access the system if they have all of your credentials isn't really a flaw - it's the way the system has to work.
Put bluntly, there has to be SOME point when the user steps up and starts becoming responsible for keeping track of thei
Re: (Score:2)
Saying that a person can access the system if they have all of your credentials isn't really a flaw - it's the way the system has to work.
Not "has to work" at all. Not even remotely. First example off the top of my head in the first few seconds:
Some other gmail user whom you have sent email in the past (lets say, one year) has to log into gmail and acknowledge that yes indeed you are requesting a new password for yourself. That second factor would have to be via a voice telephone call or in person request or whatever.
In that two (or more) factor authentication, an attacker would not only have to take over all of your credentials, but also
Re: (Score:2)
Unless you're seriously suggesting that they randomly contact somebody that you may or may not know for approval. Which is far, far more likely to end up in shenanigans than just trusting Google.
Re: (Score:1)
Allow me to introduce you to Google's "I lost my password and my mobile, just log me in anyway" feature...
Re: (Score:2)
As opposed to the "some of the Google engineers have already read your mail. There isn't anything you need to see right now, anyway." Service? :-)
Re: (Score:2)
Re: (Score:2)
Then put a pin or password on your phone and/or install an application that allows you to perform a remote wipe if you lose it.
Fuck Everything, We're Doing 3 Factor (Score:1, Funny)
Would someone tell me how this happened? We were the fucking vanguard of security in this country. The password needing numbers was the password to own. Then the other guy came out with a need for numbers. Were we scared? Hell, no. Because we hit back with a little thing called the case sensitive and symbols. That's needing to remember your capitals and lowercases. For complexity. But you know what happened next? Shut up, I'm telling you what happened—the bastards went to 2 factor. Now we're standing
Re: (Score:2)
Unless you have your phone store your password, but who's users would be stupid enough to do that? As you say, though, even in that worst case scenario they've reduced the problem down to attackers who have both the phone and the password. I fail to see any way that increasing security is a bad thing, even if there's still a hole (there's always a hole).
Re: (Score:2)
Indeed making it no more or less secure than other two-factor systems that require some USB token or so.
As a matter of fact today when I came back from lunch I found such a USB token, in this case to access an e-banking web site. Someone from the neighbouring office dropped it while opening their gate or so, it was in the middle of the corridor. Not smart. I just rang their door bell and returned it to them.
I happen to know which bank it belongs to (I have a similar token), it wouldn't have given me acces
It's Obvious (Score:3, Funny)
Learn to keep track of your damn phone...
Re: (Score:3, Insightful)
Learn to keep track of your damn phone...
And what do I do when I don't have phone service?
I recently went on vacation to Grand Cayman and didn't have any phone service. What happens then? I had to correctly identify friends from random Facebook pictures in order to log into Facebook the first time (at which point the place I was staying was apparently white listed for me to log into for the rest of the trip).
Sure, it's probably a small annoyance to pay for better security unless you travel often or have really randomly spotty cell phon
Re: (Score:2)
Schneier and Target (Score:2)
That's a great example of why some argue that the "secret questions" approach to "enhanced security" is actually less secure than just a password.
Bruce Schneier has written about this [schneier.com], twice [schneier.com]. Yet Target.com insists on having credit card holders set five (!) secret questions.
Re: (Score:2)
Re: (Score:2)
Apparently that is a very secure way to validate the user. The face recognition part, not necessarily the Facebook part.
Re: (Score:2)
Apparently that is a very secure way to validate the user. The face recognition part, not necessarily the Facebook part.
Unless you are friends / schoolmates / coworkers with people in show business.
Re: (Score:2)
You'd have to go for a walk to get your authentication code.
Only to get timed out by the time you return of course.
Inconvenience (Score:2)
Does this mean that a misplaced phone will present a serious impediment to being able to access your work on Google Apps?
Re: (Score:2)
Yes, exactly. Same as misplacing a SecurID token (or anything similar) locks you out of using whatever service the token is tied to. The horror.
If *anything* gets stolen... (Score:4, Insightful)
It sort of compromises everything - but that doesn't mean it's a bad form of authentication, does it?
Once your machine, token, credentials, anything have been physically compromised, it's generally accepted that you're hosed (at least for that one factor).
Seems like a step in the right direction.
Re: (Score:3, Insightful)
Agreed. While it's by no means perfect, it is more secure.
Most accounts today are not compromised because the attackers specifically target the victim, but because they had the weakest password.
Also, the act of stealing a physical device makes it a far greater risk and hassle for the attackers.
Re: (Score:2)
With 2 factor authentication that is only true if you've got both authentication mechanisms saved on the device.
This is why, with 2 factor authentication you need to have the password and token separate (of course people tend to put the laptop and token into the same bag all the time but I digress, that's a physical security problem). With my bank (I think this is the same for all Australian banks now) when I transfer money to an account that isn't mine via internet ban
Whoa... REAL Two-Factor Security on the Web?! (Score:1, Informative)
You mean it's not just Wish-it-was-Two-Factor [thedailywtf.com]? Google never ceases to amaze me. Now, how long must we wait before online banks finally get their security model right?
Re: (Score:2)
Here in Portugal my bank already send an SMS with a verification code for any operation over X euros, being X configurable.
Mobile security (Score:5, Interesting)
I'm worried because in all the years I've had a Google mail account I haven't had any issues, yet a month after getting an Android 2.1 phone, despite being really careful about only installing high rated applications with tens of thousands of users and mostly keeping an eye on what they're allowed to access, my gmail account was hacked and used to send out a spam email via a mobile device in canada.
I've never had an email account hacked before, so I'm pretty convinced that some phone app has leaked my account details (as it's the gmail account tethered to my phone).
Admittedly Google immediately suspended my account due to suspicious activity (access from Mobile Canada (71.17.214.49), I live in the UK), and a token to my mobile phone was how I unlocked it and changed my password, but I'm still rather wary now despite how much I love my Galaxy S mobile.
I have bought apps I don't want to lose wiping the phone, and I have no real way to tell what it may have been that leaked my data.
I have droidsecurity antivirus installed now, but wish google could offer some stronger post-install controls on what an app's allowed to do.
Re: (Score:3, Interesting)
About the only thing is, that might piss off a few developers because ad-blocking becomes rather easy, but I'm sure they will find a way to have it use the internet in a non-annoying way...
Re: (Score:1, Informative)
It does this...you see what privileges it has when you install an app.
Re: (Score:2)
Yes, but you can't pick and choose what privileges you want to give it, can you?
The problem with the pick and choose model it's the pain it must to program the app filled with conditionals, or make it work at all.
Re: (Score:3, Insightful)
Google won't, and shouldn't, add that. Google doesn't know what an application needs to function, a lot of users will block internet/phone etc access and break the application. Google and the app developer will then get bombarded by complaints and help requests. Android will need to match or beat iOS in user friendliness, options that offer nothing to most users and cause negative user experiences aren't going to help do that.
I would like
Re: (Score:2)
Plus, it would allow people without unlimited data plans to use an Android phone without wondering what
Re: (Score:2)
Google won't, and shouldn't, add that. Google doesn't know what an application needs to function, (..)
Yes, google does know... more precisely, your android phone knows. Android apps come with a manifest file that specifies which of over 100 different privileges it requires to function (in fact, at usenix security last year, the chief android security guy was saying that the large number of distinct privileges is a usability pitfall that they are working on improving on). As a user, you are presented with a summary of this list and can then decide whether to install the entire application (and grant it all t
Re: (Score:1)
Google has hesitated to do it that way because it is very hard for developers to write their apps like that.
For the most part, the app has a certain set of requirements - that are clearly stated to the user - and without those requirements being satisfied the app can't run. You can't pick and choose which requirements you want to allow.
The most important requirements are access to personal data. If an app that has no business reading your e-mail lists shows this as a requirement then don't install it. Ho
Re: (Score:2, Interesting)
Re: (Score:3, Insightful)
The problem is that when you install an application, Android gives you a big long list of things that the app wants to do. Whilst it sounds like a great idea, it gives no context as to why it needs those features and you only have two choices - accept that the application can do everything or don't install it. It's far too easy to sneak som
Re: (Score:2)
In the future, the OS should prompt the user that an application wants to do something (eg. accessing your address book) at the point it wants to do it and let the use decide whether or not to allow it - with an option to say "Always do this for [blah]" where [blah] could be "accessing contacts".
Is it just me or doesn't that sound an awful lot like Vista? And we know how popular Vista was...
Re: (Score:2)
Yeah, and popular or not, that was one of the things Vista did right. That was an obvious thing people didn't like, so it was ripe for mockery, but at the end of the day Vista sucked because it screwed up a bunch of other, unrelated, things.
Re: (Score:2)
The problem is that when you install an application, Android gives you a big long list of things that the app wants to do.
This is not a problem. This is a good thing. Google should perhaps group some of the more common lists and call them by friendlier names.
I have proposed a similar thing for ubuntu and other linux distros: https://bugs.launchpad.net/ubuntu/+bug/156693 [launchpad.net]
In the future, the OS should prompt the user that an application wants to do something (eg. accessing your address book) at the point it wants to do it
This would be annoying, and normal users are likely to still not make the right decisions.
For people who can't be bothered to read and understand the big long list of things that an app wants to do, what Google or whoever should do is to allow 3rd parties to au
Re: (Score:2)
The problem is the Android core has no way to magically know the context for why the app needs access to specific APIs. "Why would this barcode app need access to my contact?" For one you can include contact information in a barcode and it makes it easy to add contacts.
The real problem is that the API access controls are not fine grained enough. The barcode reader app should only have WRITE access to your contacts, not READ.
Users (like me) do NOT want to be continuously prompted for stupid "ARE YOU SURE!
Re:Mobile security (Score:4, Interesting)
I've never had an email account hacked before, so I'm pretty convinced that some phone app has leaked my account details (as it's the gmail account tethered to my phone).
Did you inadvertently reuse your email password somewhere else?
My wife had her GMail account compromised by a Nigerian IP address. I'm pretty sure it's because she used her email address and password to create a userID at a site publishing historical immigration records.
She's not reusing passwords anymore.
Re: (Score:2)
Did you inadvertently reuse your email password somewhere else?
nope. I'm careful to use letters numbers and extra chars too.
Re: (Score:2)
A suggestion for your wife (and just about everyone) - using a single good password salted with the name of the website's initials will help her remember passwords while greatly increasing security.
For example, if my core secure password was '^hU@8c#}]2', my password for this site would be '/^hU@8c#}]2.' while my password for Bank of America would be 'B^hU@8c#}]2oA'. This is enough to keep simple password theft from a website with weak security leading to widespread compromise without having to memorize do
Re: (Score:1)
Re: (Score:2)
I was sure that there would be no repurchasing necessary, it's just a hassle to make a list of what to get again, and the time it takes to reinstall them all. Especially frustrating when having no idea which app was the culprit.
It's not like you can install one app then sit around and wait a few months to see if anything untoward happens before installing the next one to test.
Re: (Score:2)
Your phone is too smart to be secure. Buy a $10 Alcatel.
That would require an Android pod touch (Score:2)
Your phone is too smart to be secure. Buy a $10 Alcatel.
If I buy a dumb phone, then on what device will I run apps? Google hasn't officially opened the Market to Android devices other than phones.
Re: (Score:3, Informative)
Hey,
I work on the Gmail team. What happened to you is not related to your use or purchase of an Android phone. In fact, the spammer that logged in to your account wasn't using a mobile phone at all. The reason the session shows up as from a mobile device in your recent activity console is that some popular spammer tools identify themselves to our servers as a mobile phone so that it is allowed to use the mobile HTML UI - presumably as it's easier for them to reverse engineer. But it's actually just a progra
Re: (Score:2)
I'm well aware that correlation != causation, but...
I use win7 systems with UAC on full, firefox with noscript and adblock, and Microsoft Security Essentials. I install only software I require from trusted sources, tracking it back to the source page.
I keep a general eye on Task Scheduler, and on currently running things with Sysinternals Process Explorer, and AutoRuns to make sure I'm not running anything I don't wish to.
If I really want to check out something new and unproven it goes in a VM and gets scan
Re: (Score:2)
Correlation != Causation.
The only way for an app to get your gmail credentials out of your phone directly is if it asked for your gmail password.
Silly nerds... (Score:4, Insightful)
but it doesn't answer how it helps if an intruder is getting into Apps through a lost or stolen phone
When you lose your phone, the vast, vast, vast, vast majority of the time they just want to wipe your iPhone and sell it to the local pawn shop. They don't care about your data, your songs, your apps, etc. they simply see that shiny, new hardware = money. Same thing with laptops, they don't care about the data on it, they want to wipe "that funny looking OS" off of it and put a pirated copy of XP on there and sell it on eBay.
The idea that stolen gadgets are going to be used for something beyond simple hardware really overestimates either your value of data or the intelligence of thieves.
Re: (Score:3, Interesting)
Re: (Score:2)
Google is late to that party: Blackberry and iPhone had full Exchange support before Android.
Anyway, Exchange allows admins to do a remote wipe, does it not?
Re: (Score:2)
The entire theory of "the cloud" is that you surrender the manipulation - and often the storage - of your data and in turn rely upon trust and trust alone to guarantee the security of your data. The reality of the usefulness of "trust" as
Are you suggesting (Score:1)
Re: (Score:2)
Yeah, if you are a celebrity, people are going to look through your cell phone. But I'm not a celebrity, I don't think you are and neither is most of
Re: (Score:2)
How did my phone magically become an iPhone?
Re: (Score:2)
A wizard did it. You dare underestimate the power of Jobs?
Re: (Score:1)
Nope...
When you lose your phone (nowadays), the vast majority of thieves want to look at your pictures and videos to see if you have some interesting (aka pr0n) stuff there.
Some people are so stupid as to even use the phone (some of them actually buy a new chip!).
Believe me, I know the nature of these kind of thieves. During my high school I was friend with some of them.
Re: (Score:2)
Because no thief would check your email or look for credit card details. OK, the moron that knocked over your house whilst you were at the pub wouldn't, he'd just sell it to a pawnbroker (or put it in the free classifieds) but pawnbroker is generally smart enough to check for any obvious money making data. If you've left your CC details anywhe
How many factors are secure? (Score:5, Insightful)
but it doesn't answer how it helps if ...
Judgecorp should wait until after second coffee to post.
What happens when an attacker has both factors in a two-factor situation is that security is breached. The same applies for any number of factors.
The objective is to improve security, nothing can guarantee it. No "answer" is needed.
(.....)
Re: (Score:2)
What happens when an attacker has both factors in a two-factor situation is that security is breached. The same applies for any number of factors.
The objective is to improve security, nothing can guarantee it. No "answer" is needed.
(.....)
Most (grown) people are unfamiliar with passwords and all its implications. They re use passwords, they never change their passwords and they make us extremely simple passwords. But most people are aware of the value of the cell phone and they will notice it if they lose it. So to that extent it will help. Of course the validation code from Google should not identify the google account in the text message. Else, anyone who finds your lost cell phone could potentially hijack your account.
Re: (Score:2)
Go for 3 factor?
-Something you know. (password)
-Something you have (phone)
-Something you are (voice print)
and make them more secure:
-Password contain 20 chars
-A one time pad that generates new password every 10 minutes.
-Retinal laser scan combined with fingerprint scan.
By the way, loosing you phone does not loose your account, you will need to loose the password or some other secret as well. And even then you will have to need to trust the maintainers of the server.
Re: (Score:1)
By the way, loosing you phone does not loose your account, you will need to loose the password or some other secret as well. And even then you will have to need to trust the maintainers of the server.
There's a joke about setting your phone free, liberating your account and relaxing your password around there.
Other than that I like your idea of your 3 factor password, but ONLY if it could be used to login in to ALL internet services.
Actually that is something achievable with open source. If setup a "trusted server" server to which you can connect (using your 3 factor) and then that server automatically logs in/redirects you to all the services you use. That might be doable using VNC or the like... I only
Re: (Score:2)
What happens when an attacker has both factors in a two-factor situation is that security is breached.
Fuck everything, we're going to 5 factor security.
Good Idea (Score:1)
Two factor authentication is the way to go. Sending a code to your phone is a great idea as cell phones / smart phones are very much a commonplace item in a user's inventory. Relying upon passwords alone is incredibly risky and should be augmented by a second form. This comes generally down to a physical special-use hardware token or we can use or better yet, use a cell phone and send the code to it instead. I know that this feature is available to World of Warcraft users (via the iPod / iPhone apps) and ma
Re: (Score:2)
It's only a problem for Apple employees (Score:2)
...and they don't use Google apps, right?
For the rest of us, though... (Score:2)
it doesn't answer how it helps if an intruder is getting into Apps through a lost or stolen phone.
Nor does it handle lost luggage, traffic jams, or slow-pouring ketchup. Yes, we all bow to your cleverness at identifying situations that it doesn't address, but in the 99.9999% of other situations, it's a nice bonus.
Nor does it help... (Score:2)
but it doesn't answer how it helps if an intruder is getting into Apps through a lost or stolen phone.
Nor does it help if your employees are disclosing your secrets at gunpoint while simultaneously receiving the oral attentions of Halle Berry.
But what it does do is what it says on the tin: prevents people getting in to your apps by guessing a user's password is "swordfish" (or "joshua" or "kronos" or "peekaboo" or the cat's birthday) or otherwise fishing or sniffing it.
1 + 1 = ? (Score:2)
I don't think judgecorp can count. The idea of the 2 step authentication is that there are two steps. This means that just having your password is not enough. It also means that just having your mobile phone is not enough either.
This means that if somebody steals your phone, they still can't get in as they don't have your password.
Phillip.
*two*-factor (Score:2)
but it doesn't answer how it helps if an intruder is getting into Apps through a lost or stolen phone
That would be what the first factor is for. Unless you also store your passwords on your phone in which case you've just intentionally reduced yourself back to one-factor security and well.. don't do that.
Two-factor security isn't 100% perfect. Its always possible for someone who knows your password to also steal your phone. But the chance is significantly reduced compared to the individual chances of your phone being stolen or your password being keylogged/otherwise compromised. Three-factor security w