Google Adds Two-Factor Authentication To Gmail

timothy posted more than 3 years ago | from the get-to-the-next-phone-booth dept.

Trailrunner7 writes "Google has introduced a new two-step authentication feature for Gmail users that it says will significantly increase the security of the free mail service. The system enables users to set up a method for obtaining a secret code that will be required, along with a password, to access a Gmail account. The new two-factor authentication system is a voluntary program right now, although it could become mandatory at some point in the future. Gmail, like virtually all other webmail services, has been a frequent target of attacks, both sophisticated and mundane, aimed at hijacking users' accounts. The most famous of these was an attack that was part of the Aurora operation against Google and others, part of which targeted the Gmail accounts of Chinese dissidents."

399 comments

why no one time pad with index lookup (3, Interesting)

FuckingNickName (1362625) | more than 3 years ago | (#35166726)

Why no one time pad with index lookup?

Re:why no one time pad with index lookup (0)

C_amiga_fan (1960858) | more than 3 years ago | (#35167040)

A what?

I think Google's idea sucks. I have a hard enough time remembering my passwords across ~100 different sites. Now I have to remember random number codes too? C'mon!

Re:why no one time pad with index lookup (0)

Anonymous Coward | more than 3 years ago | (#35167116)

Maybe if you only created 1 account per site you would have an easier time with that.

Re:why no one time pad with index lookup (3, Insightful)

Jeremiah Cornelius (137) | more than 3 years ago | (#35167544)

2-Factor.

Now they can be SURE it's YOU, that they are tracking.

The flaw in GOOG and Yahoo and Hotmail? Social networking "features". They get the email address of every contact you have, and spam them from your address in spoofed headers. All without a login credential.

Re:why no one time pad with index lookup (1)

Runaway1956 (1322357) | more than 3 years ago | (#35167484)

Look, buddy. A nice randomly generated password is good. Why not just reuse the damned thing? If it was random once, it's gonna be just as random 150 times, right? Hell, try mine. 123abc456def No one has cracked it yet!!! There's no point in overworking the Gods of Random Numbers, is there?

Re:why no one time pad with index lookup (1)

Alexandra Erenhart (880036) | more than 3 years ago | (#35167516)

Keepass

One more reason to use Google Apps (1)

seifried (12921) | more than 3 years ago | (#35166748)

This has been available as an option on the paid Google Apps for domains for several months now, very very nice (phone app/etc.).

Re:One more reason to use Google Apps (1)

lgw (121541) | more than 3 years ago | (#35167470)

The whole two-factor via SMS thing always seemed bad to me. I don't have free messaging, and don't usually carry a cell phone, so it would be worse than useless, but more importantly, does anyone really think the SMS system is all that secure?

I guess this does help defend against simple brute-force password guessing, but a modern keylogger or similar trojan defeats it easily. I carry an RSA keyfob for my bank, but I still wouldn't log in from a computer I didn't trust.

As long as there's a non-SMS option I guess it's better than nothing.

Great...what if you're without your phone? (3, Insightful)

cayenne8 (626475) | more than 3 years ago | (#35166760)

So..what happens if your phone is out of power, or lost or you just plain don't carry the damned thing EVERYWHERE you go?

If this becomes mandatory..then if you have the situation listed above and are at a friend's house or library you can't check your email?

Re:Great...what if you're without your phone? (2)

Script Cat (832717) | more than 3 years ago | (#35166868)

Just memorize the code and type it in when you log on.

Re:Great...what if you're without your phone? (0)

Anonymous Coward | more than 3 years ago | (#35167294)

*woosh*...

Re:Great...what if you're without your phone? (1)

Runaway1956 (1322357) | more than 3 years ago | (#35167510)

Why "woosh"? I mean, I want to check my mail this evening, but I forgot my phone at work this afternoon. I'll call in tomorrow, and memorize the code, so that I can use it now! Errr, wait - I guess I've gotta finish my time machine first?

Re:Great...what if you're without your phone? (1)

h4rr4r (612664) | more than 3 years ago | (#35166960)

Why would you not have your cellular phone with you?
Most phones can be charged via USB, how often in your life are you at a location with a computer (to check said email), but not within reach of a USB port?

Re:Great...what if you're without your phone? (2)

BradleyUffner (103496) | more than 3 years ago | (#35167022)

Why would you not have your cellular phone with you?
Most phones can be charged via USB, how often in your life are you at a location with a computer (to check said email), but not within reach of a USB port?

Because I forgot it on the nightstand, or on my desk. I frequently work from home so I don't have it on my person at all times. When I leave for a meeting or to grab lunch I sometimes forget to put it in my pocket.

Re:Great...what if you're without your phone? (1)

Runaway1956 (1322357) | more than 3 years ago | (#35167540)

How about, "I seldom carry the damned cell phone because people can FIND ME!" I pay for the phone for MY convenience, not for everyone else's convenience. If the boss wants to be able to find me, he can pay for the cell phone, then I can forget HIS cellphone at the restaurant!!

Re:Great...what if you're without your phone? (4, Informative)

thatskinnyguy (1129515) | more than 3 years ago | (#35167184)

Because some of us travel to countries/continents where cell service is either at a premium or non-existent but internet service is available by satellite. Try getting a signal in the middle of a jungle in Central America. No. I can't hear you now.

Re:Great...what if you're without your phone? (3, Informative)

zn0k (1082797) | more than 3 years ago | (#35167354)

They offer a smart phone app for several platforms that doesn't require Internet access. Just like an RSA keyfob doesn't require Internet access.

Re:Great...what if you're without your phone? (3, Insightful)

Beardo the Bearded (321478) | more than 3 years ago | (#35167232)

Why would you not have your cellular phone with you?

Because I do not OWN a cell phone. They're a huge fucking ripoff and until they get to the point where it's a reasonable price with vendors that aren't asshole oligopolies I will not get one.

Re:Great...what if you're without your phone? (1)

4phun (822581) | more than 3 years ago | (#35167506)

Why would you not have your cellular phone with you?

Because I do not OWN a cell phone. They're a huge fucking ripoff and until they get to the point where it's a reasonable price with vendors that aren't asshole oligopolies I will not get one.

Google has an Android for you.

Get with their program.

Re:Great...what if you're without your phone? (3)

gstoddart (321705) | more than 3 years ago | (#35167256)

Why would you not have your cellular phone with you?

Because I used my cell phone very little and don't use it for stuff like signing onto gmail?

Not all of us are tethered to a cell phone 24/7, nor do we want to be.

Re:Great...what if you're without your phone? (2, Insightful)

seifried (12921) | more than 3 years ago | (#35167486)

You know just because you carry a cell phone doesn't mean you have to answer it (or even leave it on). You can also send the call to voice mail, or if you don't have voice mail just ignore it/mute it.

Re:Great...what if you're without your phone? (1)

ChunderDownunder (709234) | more than 3 years ago | (#35167284)

except if your connection is 'micro' usb. Many people I know have a metric shitload of mini usb cables but micro usb, not so. Maybe in a couple of years when this newish connection reaches saturation.

Re:Great...what if you're without your phone? (1)

PrimaryConsult (1546585) | more than 3 years ago | (#35167496)

This. Also third party cables do not seem to work as reliably as third party mini usb cables, so whether or not you'll actually be able to charge/power the phone with it on the computer you plug it into is a crapshoot.

Re:Great...what if you're without your phone? (1)

C_amiga_fan (1960858) | more than 3 years ago | (#35167324)

>>>Why would you not have your cellular phone with you?

Often (like in the office).

And even if I carried it with me, it does not accept text messages (unless I pay for them - which I do not). Of course my Chase card gets around this by sending the passcode to my email address.

>>>Most phones can be charged via USB

Since when? Every phone I've ever seen needed a special power adapter.

Re:Great...what if you're without your phone? (1)

rcuhljr (1132713) | more than 3 years ago | (#35167524)

My droid charges via USB. I use Blizzard's authenticator application for my WoW account for over a year now and haven't had any issues with it. This may not be for everyone, but I can't think of a time I've ever wanted to check my email that I haven't had access to my phone.

Re:Great...what if you're without your phone? (2)

wHartHog(69) (256066) | more than 3 years ago | (#35167370)

Because I don't need a reason not to have my phone with me.

Re:Great...what if you're without your phone? (1)

Runaway1956 (1322357) | more than 3 years ago | (#35167588)

Best answer yet. You must be working hard to become an old asshole like me, LOL

Re:Great...what if you're without your phone? (1)

cayenne8 (626475) | more than 3 years ago | (#35167570)

"Why would you not have your cellular phone with you?"

You're assuming everyone has a cell phone?

For instance, my Mom didn't have a cell phone for year, and only recently got one a month or two ago for carrying for emergencies only. But I do pay for her a computer and connection at her home. So, before this..she'd not be able to log on (if mandatory 2-phase) before she got her phone.

And, even now..it is ONLY for emergencies while out driving..so, no txt plan.

Not everyone has and uses a cell phone...and there are still a ton of people out there with cell phones that still simply do not want to pay the extra, often high fees for a text plan on their cell phones.

Re:Great...what if you're without your phone? (1)

fermion (181285) | more than 3 years ago | (#35167006)

Paypal has this system and I really like it. At first they had a one time pad which they sold for a few dollars. Then they went to a system in which they texted a number from a one time pad. For people without phones with them at all time, I suppose this would be an option, i.e. Google selling a one time pad.

Also, I am not sure if this is completely new. I noticed when I was signing people in Google back in August that Google was asking for a phone number, and people were getting texts and calls. I suppose this may have only been for registration.

I am not sure if I really want this to be standard. With paypal it is not an issue, as I only log in occasionally. For sites, like my bank, where I am on all the time it would become annoying. Likewise gmail, which is used in various production setting, might become an impediment to productivity. It might drive people to MS solutions, which generally focus a bit more on ease of use at the expense of security.

Re:Great...what if you're without your phone? (0)

Anonymous Coward | more than 3 years ago | (#35167366)

Frankly, the system is retarded. I have a static IP - allow me to set it so I can only login from this IP and alternatively, require me to verify additional secrets (like passphrase 1, 2, 3, 4, 5) if I want to allow additional IPs to login.

IPv6 should fix the issue with lack of static IP.

There is absolutely no need to verify over some cell (mine can't even receive SMS - they are disabled - as this is Canada and I get charged if I allow SMS). Heck, 99% of the time I don't have a cell... If Google requires me to have SMS, well, they lose my account for certain. Even regular phone-back is not very welcome often - it's annoying.

Re:Great...what if you're without your phone? (1)

cayenne8 (626475) | more than 3 years ago | (#35167478)

"Paypal has this system and I really like it. "

Really? I've never seen this on Paypal.

Just a simple username and password to get in is all I've ever seen or used.

Re:Great...what if you're without your phone? (1)

tagno25 (1518033) | more than 3 years ago | (#35167574)

If you want 2-factor Paypal check out http://paypal.com/securitykey [paypal.com]

Re:Great...what if you're without your phone? (0)

Anonymous Coward | more than 3 years ago | (#35167044)

If it is optional, it means that if you anticipate being in that situation, you don't engage in the program.

Re:Great...what if you're without your phone? (1)

SanityInAnarchy (655584) | more than 3 years ago | (#35167246)

Mod parent -1 Get Off My Lawn.

Seriously.

What happens if your phone is out of power? The same thing that happens if your laptop battery is out of power.

Or lost? The same thing that happens if your laptop is lost.

Or you just plain don't carry the damned thing everywhere? Honestly, where don't you carry it? I certainly carry my phone a lot more places than I carry my laptop.

And why on earth would this ever be mandatory?

Really, your post has the tone of "OMG how dare they add a feature I don't like!"

Re:Great...what if you're without your phone? (1)

AndrewNeo (979708) | more than 3 years ago | (#35167400)

I think you mean "OMG how dare they add an optional feature I don't like!"

Re:Great...what if you're without your phone? (1)

wjousts (1529427) | more than 3 years ago | (#35167440)

Believe it or not, but some people don't have cell phones.

Re:Great...what if you're without your phone? (1)

cayenne8 (626475) | more than 3 years ago | (#35167508)

"And why on earth would this ever be mandatory?"

The article mentioned it was optional, but mentioned a possibility that it might become mandatory.

And no..not everyone carries a cell phone with them 24/7, and even those that do, may not pay the extra $$ it costs for SMS text messaging service to be added onto their plan.

Re:Great...what if you're without your phone? (1)

sanchom (1681398) | more than 3 years ago | (#35167258)

It's not mandatory.

Re:Great...what if you're without your phone? (1)

wjousts (1529427) | more than 3 years ago | (#35167420)

Yet

Re:Great...what if you're without your phone? (0)

DerekLyons (302214) | more than 3 years ago | (#35167446)

Yeah, the system only works 99.99% of the time for 99.99% of the users - so it must be useless.

Reaching a bit aren't you? (1)

SmallFurryCreature (593017) | more than 3 years ago | (#35167454)

If you are that compulsive about checking your email, you have your phone with you. And your phone will already be checking your email for you.

Re:Great...what if you're without your phone? (0)

Anonymous Coward | more than 3 years ago | (#35167514)

While setting this up you get a generated list of one-time backup codes. Just put them in your Dropbox or print them out and put that hard-copy in your wallet.

Re:Friends (1)

ben_kelley (234423) | more than 3 years ago | (#35167546)

You have friends? Who let you use their computer????

Wish-It-Was Two-Factor (2)

Some guy named Chris (9720) | more than 3 years ago | (#35166768)

Isn't this technically "Wish-It-Was Two-Factor"

Reminds me of this:
http://thedailywtf.com/Articles/WishItWas-TwoFactor-.aspx [thedailywtf.com]

Re:Wish-It-Was Two-Factor (1)

Anonymous Coward | more than 3 years ago | (#35166952)

No, it's two factor: something you know (password) + something you have (cell phone or landline)

Re:Wish-It-Was Two-Factor (1)

SanityInAnarchy (655584) | more than 3 years ago | (#35167270)

RTFA. I know, the summary makes it look that way, but it actually relies on either sending you a text message with a one-time code, or having you generate it yourself on a portable device. So it's something you know (password) + something you have (your phone, or the data for the app on your phone.)

I was excited (1)

OverlordQ (264228) | more than 3 years ago | (#35166802)

I was excited till I realized it was just going to be another app for your phone. Call me when I can get an actual hardware token.

Re:I was excited (0)

Anonymous Coward | more than 3 years ago | (#35166906)

Yeah, that's just what we need: Yet another token.

Re:I was excited (1)

olsmeister (1488789) | more than 3 years ago | (#35166946)

Why would you prefer an additional piece of hardware to carry around? Consider your phone your token.

Re:I was excited (1)

OverlordQ (264228) | more than 3 years ago | (#35166968)

Not all of us need or want a smart phone, and not all of us work in places with great reception.

Re:I was excited (1)

bradgoodman (964302) | more than 3 years ago | (#35167018)

You don't need phone reception for the two-factor app to work, just like a hardware token. Paypal implements something like this too now, as they also allow SMS messages as an alternative.

If you don't like it, you still have the right not to use it.

Re:I was excited (1)

dgatwood (11270) | more than 3 years ago | (#35167456)

Why would you prefer an additional piece of hardware to carry around? Consider your phone your token.

Because when someone steals your phone, they now have the password (in the keychain) and the token.

Re:I was excited (1)

ard (115977) | more than 3 years ago | (#35167010)

You can use YubiKey as hardware token.

http://vimeo.com/4163662 [vimeo.com]

IMAP? (1)

Y-Crate (540566) | more than 3 years ago | (#35166850)

I'm not sure how this will work for those of us using 3rd party mail clients and IMAP or POP3.

Re:IMAP? (4, Informative)

ahecht (567934) | more than 3 years ago | (#35167020)

Read the article. There is a randomly-generated application-specific 16 digit password that is used for things like IMAP and POP3. If someone gets access to that (unlikely, since you would never need to write it down, and Google encrypts IMAP and POP3), they can only access that specific service, and it's not going to be the same password you use anywhere else.

Re:IMAP? (1)

Dayofswords (1548243) | more than 3 years ago | (#35167038)

I was thinking the same, I use thunderbird.

Re:IMAP? (0)

Anonymous Coward | more than 3 years ago | (#35167088)

For each 3rd-party application accessing your Google account, you set up a separate single-use password for (single-use here means one application, not one login attempt). Presumably these single-use passwords offer limited access to your account, in particular any security settings.

Aikon-

They should send the codes via USPS (-1)

Anonymous Coward | more than 3 years ago | (#35166876)

Will really slow down the spammers.

And make people really think and be more precise when they send emails. Just like the good old days.

Two factor? Not quite (0)

Anonymous Coward | more than 3 years ago | (#35166900)

People need to figure out what words mean before they use them. This is not really two factor. It is a single factor (what-you-know) used twice. If you really want to be two-factor, then, as OverlordQ mentioned, it needs to be hardware so we really have a what-you-have factor. I'm not saying I really need it to have true two-factor. I'm just saying use the right words.

Re:Two factor? Not quite (2)

ahecht (567934) | more than 3 years ago | (#35167060)

No, it's really two factor: something you know (password) + something you have (cell phone or landline).

Re:Two factor? Not quite (1)

Iphtashu Fitz (263795) | more than 3 years ago | (#35167204)

Well receiving an SMS on your phone is somewhat like "what you have" since you need your phone to get the text. And if Google supports tokens like RSA SecurID and Verisign VIP Access fobs (or apps on smartphones) then you would be able to get more realistic two factor authentication.

Re:Two factor? Not quite (1)

SanityInAnarchy (655584) | more than 3 years ago | (#35167308)

People really need to RTFA before they make bold claims like this.

It's not "what-you-know" twice. It's what you know (password) and what you have -- either your phone (for it to send a text to) or the data on your phone.

Or, if we take the "data on the phone" to be "something you know", why wouldn't we conclude the same thing about those little RSA devices?

Granted, the what-you-have is somewhat weak in this case, but it's still a significant improvement over "twice what-you-know", which is what banks tend to use -- where they ask for a password, and then they ask for one of your "security questions".

security vs annoyance (0)

Anonymous Coward | more than 3 years ago | (#35166902)

All banking systems I know of which use single use codes depend on the users not to require the codes too often.
One bank issues pre-generated personal code sheets, 50 codes per sheet, which are mailed to the users. They authorise payments or setting changes (though you can certify a secure transfer target). I can't see how it would be feasible to use something like that for each email I send (hundreds a day).
Another bank uses tokens, which generate codes in sync with something serverside... Again, using that to log-in to the banking system is a pain, even if I do it once a week or so. I log-in to gmail 10-20 times a day...
Secure is good, annoying is bad. I suppose special authorisation should be demanded only when login conditions are unusual, eg from an unknown location. I wonder if it'd prevent me logging from Japan, where I had no phone access...

Re:security vs annoyance (1)

bradgoodman (964302) | more than 3 years ago | (#35167064)

Phone reception is not required for the soft-token app (Google Authenticator) to work on your smartphone

just for browser? (1)

bikefridaywalter (1032312) | more than 3 years ago | (#35166910)

i've only ever had a problem with my account getting compromised via the browser. it seems that this system is really only set up for browser access. however, isn't it equally important to secure imap/pop3?

Good idea, bad implementation (3, Insightful)

Lord Byron II (671689) | more than 3 years ago | (#35166918)

While I have to applaud Google for trying to keep their users' accounts safe, I have to say that this idea is really untenable. Not everyone has a cellphone, not everyone with a phone carries it all of the time, and you might not always have reception. Just this last summer, I had a month-long internship in Nebraska. The town I stayed at had zero reception on Sprint's network and the nearest cell tower was over an hour away. So, for the entire month, I was without a phone. And last February, I was in Switzerland, where again, I had no cell service.

Furthermore, if my bank can authenticate me without requiring an SMS, then certainly my email provider can do the same.

Re:Good idea, bad implementation (1)

bradgoodman (964302) | more than 3 years ago | (#35167090)

Again, cell reception not required for smartphone app to work.

Re:Good idea, bad implementation (4, Insightful)

LateArthurDent (1403947) | more than 3 years ago | (#35167160)

While I have to applaud Google for trying to keep their users' accounts safe, I have to say that this idea is really untenable. Not everyone has a cellphone, not everyone with a phone carries it all of the time, and you might not always have reception. Just this last summer, I had a month-long internship in Nebraska. The town I stayed at had zero reception on Sprint's network and the nearest cell tower was over an hour away. So, for the entire month, I was without a phone. And last February, I was in Switzerland, where again, I had no cell service.

Furthermore, if my bank can authenticate me without requiring an SMS, then certainly my email provider can do the same.

This isn't meant for the average joe. It's meant for people with sensitive e-mails. If you think a totalitarian government might be going after you because you're part of a human rights organization, then signing up for two-factor authentication is for you. If your e-mail is basically your friends sending you stupid chain e-mails, then it's not. After all, I do have my cell phone with me all the time, and I don't ever want the inconvenience of two-factor authentication precisely because I carry my cell phone with me all the time: I never go to the gmail web page, I use imap and check my mail with my phone's client (or rather, my phone's client tells me when I have mail).

Re:Good idea, bad implementation (1)

WaffleMonster (969671) | more than 3 years ago | (#35167360)

If you think a totalitarian government might be going after you because you're part of a human rights organization, then signing up for two-factor authentication is for you.

An SMS from google is essentially a giant signal beacon announcing your presence and exact location. An extremely unwise course of action if your adversary is a government.

Re:Good idea, bad implementation (1)

grmoc (57943) | more than 3 years ago | (#35167464)

Then, if you don't want an SMS, you install the application on your phone which requires zero access to the 'net.

Re:Good idea, bad implementation (1)

MattskEE (925706) | more than 3 years ago | (#35167310)

While I have to applaud Google for trying to keep their users' accounts safe, I have to say that this idea is really untenable. Not everyone has a cellphone, not everyone with a phone carries it all of the time, and you might not always have reception. Just this last summer, I had a month-long internship in Nebraska. The town I stayed at had zero reception on Sprint's network and the nearest cell tower was over an hour away. And last February, I was in Switzerland, where again, I had no cell service.

Clearly then you are not well-suited to this optional extra feature, or at the very least you should not enable it while travelling abroad or in poorly developed areas. I for one think it's great that I now have the option to make my Gmail account far more secure.

Furthermore, if my bank can authenticate me without requiring an SMS, then certainly my email provider can do the same.

Does your bank even implement two-factor authentication? Mine doesn't. Of course it can easily and securely be done with RSA key fobs, but those are fairly expensive and would require much more effort for Google to implement since they would need to snail mail you the key. It hardly makes sense for a free email account. Otherwise a phone call or text is one of the best ways to cheaply implement two-factor authentication.

Re:Good idea, bad implementation (0)

Anonymous Coward | more than 3 years ago | (#35167352)

Even if they don't have the actual passphrase in their email account, ownership of the email account is often taken as a proxy by various institutions as a proof of identity. Think password reset...

Your email account is the gateway to oh so much more.

Of course, you can always choose not to opt in if you don't want this form of additional security. There is always a convenience/security tradeoff.

Re:Good idea, bad implementation (1)

eLore (79935) | more than 3 years ago | (#35167410)

As an opt-in program, this is actually very, very good. (Note that it's not perfect, but more on that in a bit.) What becomes untenable for some companies is managing hard token distribution for their customers. There are some trade-offs, including reception, battery power, etc. The fact that you went to regions not covered by your current provider and did not purchase even a pre-paid burner phone or something to cover the interim is somewhat irrelevant. Had you really *needed* access to your iWidget, you could have arranged to dial back to traditional authentication or taken the hit and acquired some cell coverage from a different provider.

This is an example of two-factor authentication for end users, and you're going to see (I sincerely hope anyway) more of it in the future. Is it extremely robust two-factor? No, but it *is* two-factor. (Given the assumption that you and only you can receive the SMS, that is... big assumption, watch your step.)

Your bank only authenticates you to the point where 1.) they're willing to pay back any damages they may incur for giving someone access to your bank account or 2.) they're able to convince a judge that they performed with due diligence (You do trust judges to have full knowledge of the rapidly evolving security and technology landscape, right?) and you in fact were responsible for the wire transfer to (sorry, no soup for you). Strictly speaking, they're saying "Eh, good enough. What could possibly go wrong?" You or I as the consumer of gmail services may have a different threshold, depending on what we're sending and receiving via gmail. Note that your email provider giving access to an authorized person will probably not have the same direct, material impact that giving access to your bank accounts may have... That's where enhanced authentication credentials come to play.

Re:Good idea, bad implementation (0)

Anonymous Coward | more than 3 years ago | (#35167468)

So don't enable it...

So how will this impact IMAP access? (1)

Iphtashu Fitz (263795) | more than 3 years ago | (#35166922)

I access my gmail account via IMAP. I didn't see anything in that article about whether this impacts IMAP/POP or not. It's probably just for web logins, but then again you know what they say about assuming something...

Re:So how will this impact IMAP access? (1)

gQuigs (913879) | more than 3 years ago | (#35167098)

You can also set up one-time application-specific passwords to sign in to your account from non-browser based applications that are designed to only ask for a password, and cannot prompt for the code.
(from actual google post http://googleblog.blogspot.com/2011/02/advanced-sign-in-security-for-your.html [blogspot.com] )

This might be what you are looking for.

Re:So how will this impact IMAP access? (1)

AikonMGB (1013995) | more than 3 years ago | (#35167100)

For each 3rd-party application accessing your Google account, you set up a separate single-use password for (single-use here means one application, not one login attempt). Presumably these single-use passwords offer limited access to your account, in particular any security settings.

Aikon- (but this time, I am logged in)

What apps? (1)

Iphtashu Fitz (263795) | more than 3 years ago | (#35166970)

FTA: "Google will call you with the code, send you an SMS message or give you the choice to generate the code for yourself using a mobile application on your Android, BlackBerry or iPhone device"

So what apps? Are they going to roll out their own updated Google App or are they going to support existing apps like those from RSA SecurID or Verisign VIP Access?

Re:What apps? (4, Informative)

bradgoodman (964302) | more than 3 years ago | (#35167114)

The section you quoted is just to set it up, I believe.

There is a "Google Authenticator" application that you install on your phone. It has been out for several months. It requires no cell reception.

Re:What apps? (0)

Anonymous Coward | more than 3 years ago | (#35167314)

Great, so I need the Google app to authenticate against Google services, the RSA SecurID app to authenticate against my company VPN, the Verisign VIP app to authenticate against eBay/Paypal and others, etc. If it keeps going this way it's going to be a HUGE pain in the ass to keep track of what apps I need to authenticate against what services. I'll have an entire page of apps on my iPhone just to authenticate against services....

Re:What apps? (1)

grmoc (57943) | more than 3 years ago | (#35167432)

Well, you can always choose to not do it. You get increased convenience that way, with the expected tradeoff...

Re:What apps? (1)

AndrewNeo (979708) | more than 3 years ago | (#35167466)

At least they're all apps, and you don't have to carry around three or four actual dongles.

What is the point? (1)

WaffleMonster (969671) | more than 3 years ago | (#35167122)

If I required that kind of security where a strong password was not enough for messaging, I would not be using a hosted platform such as Google or SMTP for that matter.

Love this part ... (1)

gstoddart (321705) | more than 3 years ago | (#35167124)

I love seeing stuff like this:

Google will send that code to the user via SMS or a phone call. Users also will have the option of installing an app on the mobile device that can generate the code locally.

So, if I don't use SMS, and if I refuse to give a phone number to Google ... this is basically useless to me.

I sure as fsck hope to hell that I'm not eventually told I have to use an authentication method I refuse to use -- why does everybody assume I'm willing to give them my mobile number for such things?

Re:Love this part ... (0)

Anonymous Coward | more than 3 years ago | (#35167174)

I love seeing stuff like this:

Google will send that code to the user via SMS or a phone call. Users also will have the option of installing an app on the mobile device that can generate the code locally.

So, if I don't use SMS, and if I refuse to give a phone number to Google ... this is basically useless to me.

Or you could, you know, use the app.

Re:Love this part ... (1)

olsmeister (1488789) | more than 3 years ago | (#35167306)

Or maybe they'll come out with a carrier pigeon option, and if you don't have an aviary they also might have smoke signal or semaphore alternatives.

Re:Love this part ... (1)

gstoddart (321705) | more than 3 years ago | (#35167330)

Or you could, you know, use the app.

What, on my non-smart phone which doesn't have apps?

Just because you want to have one, doesn't mean that I do.

If this comes down to SMS, a phone call, or an app ... none of these are viable options for a large number of people.

Re:Love this part ... (0)

Anonymous Coward | more than 3 years ago | (#35167396)

If you don't want to receive by text, just install the app.

Google Voice (1)

radicalpi (1407259) | more than 3 years ago | (#35167132)

So, say that my forwarding phone is dead/not around and I have a Google Voice number set up as my cell phone to text/call. How am I supposed to log in to check my SMS or email so I can get the code so I can log in to check my SMS or email?

Re:Google Voice (1)

grmoc (57943) | more than 3 years ago | (#35167418)

In that case you install the application on your phone instead. The app requires no net access at all-- it just generates a code.

Does seem to make sense... (1)

lazlo (15906) | more than 3 years ago | (#35167198)

It's always seemed strange to me that, between my personal e-mail, my online banking, and my level 85 priest, only one has dual-factor auth. Guess which one? Adding e-mail to this makes a whole lot of sense as, with access to my e-mail, you could probably convince Blizzard and possibly convince my bank to reset my authentication details.

Now, it would be nice if they were to make this as full-featured as Blizzard's (they have a key fob, a mobile phone app, and also pretty cool, a feature where if you connect from a sufficiently unusual IP address, they call your phone to verify you) but it's a step in the right direction.

Of course, I can envision this trend going too far, where I have a huge keychain filled with nothing but DFA tokens for everything... but having the choice of either app or token would be nice.

Interesting idea, bad application (1)

Darkness404 (1287218) | more than 3 years ago | (#35167200)

This is an interesting idea, but there are far too many flaws with it. First off is the obvious privacy issue: your phone number can easily be used to track you, plus your Gmail account, plus Google's information logging makes this a privacy nightmare. And even if you trust Google, there is still the fact that the government/*AA could get ahold of the data and frame you for crimes you didn't commit based on circumstantial evidence. Secondly, there are the obvious implementation problems: not everyone has a cell phone or has service 24/7.

Re:Interesting idea, bad application (2)

bradgoodman (964302) | more than 3 years ago | (#35167346)

Cell service is not required. It's a "soft-token" app - just like an RSA Key-fob token.

Android phones already have support (5, Insightful)

GooberToo (74388) | more than 3 years ago | (#35167230)

Install "Google Authenticator" to allow for two-factor authentication with your Android device.

Re:Android phones already have support (2, Informative)

bradgoodman (964302) | more than 3 years ago | (#35167322)

"Google Authenticator" available (free) for iOS in the AppStore, too.

If it ever will be mandatory, I hope (1)

Blackout for Hungary (1970198) | more than 3 years ago | (#35167382)

code via smoke signals, or postman will be an option too, because
- I don't have a phone, I have naked DSL.
- I don't have a cell phone. There is no cell phone coverage in 10 km radius.

Why bring up Aurora? (0)

Anonymous Coward | more than 3 years ago | (#35167462)

So, the idea to beat the Aurora hack is to make your system rely on the user logging in through a system that a totalitarian regime can easily control or intercept?

If they have your password and control your phone network, then this system is just a nuisance.

Easily pwned (1)

fph il quozientatore (971015) | more than 3 years ago | (#35167494)

Most phones that can run apps can also be connected to a PC via USB, allowing full access to their internal memory as a USB mass storage device. So:
1) pwn PC
2) get password
3) next time the user connects their phone, get the secret data used by the app to generate the code (it must be written on the phone's memory, right?)
4) ???
5) profit
Looks like one-and-a-half factor authentication, at most.

Call me crazy (1)

DNS-and-BIND (461968) | more than 3 years ago | (#35167526)

Call me crazy, but do I really want Google knowing my phone number? It seems like nobody is even thinking of this one. What happens when they make this mandatory?

What if you have more than one Gmail account? Frankly, I use some Gmail features to stay hidden (I was going to say anonymous but now that word means kid porn and DoS).
