Google Security Technology

Google Apps Gets Two-Factor Security (118 comments)

judgecorp writes "Passwords alone are not enough to secure access. Many organisations require two-factor authentication with a token. Google just added free two-factor verification to Google Apps, sending a one-off token to the user's mobile phone. It's good to have this for free, and it backs up Google's assertion that cloud apps are more secure — but it doesn't answer how it helps if an intruder is getting into Apps through a lost or stolen phone."

  • by Anonymous Coward on Monday September 20, 2010 @09:01AM (#33634624)

    Or you know, a Google (or any other cloud service) employee [slashdot.org] accesses all your data because they own it then... No, cloud services are not more secure. Especially free ones whose business model is to make money off your private information.

  • There's a price. (Score:5, Insightful)

    by Anonymous Coward on Monday September 20, 2010 @09:02AM (#33634626)

    For the low low price of your mobile phone number we will give you some extra security!

  • by Anonymous Coward on Monday September 20, 2010 @09:04AM (#33634632)

    I'm not sure that necessarily makes your data less secure. An administrator always has access to your data, whether that admin works for your company or another company doesn't necessarily change the likelihood that the admin will abuse their power.

  • by Pojut ( 1027544 ) on Monday September 20, 2010 @09:06AM (#33634656) Homepage

    Agreed. I fail to see how sensitive information being sent over the Internet could be more secure than keeping sensitive information stored on a computer that doesn't even have a network card installed.

  • by chill ( 34294 ) on Monday September 20, 2010 @09:09AM (#33634686) Journal

    Allow me to introduce you to Google's "I lost my password, send me a code to my mobile phone to reset it" feature...

  • by NYMeatball ( 1635689 ) on Monday September 20, 2010 @09:10AM (#33634690)

    It sort of compromises everything - but that doesn't mean it's a bad form of authentication, does it?

    Once your machine, token, credentials, anything have been physically compromised, it's generally accepted that you're hosed (at least for that one factor).

    Seems like a step in the right direction.

  • by MBGMorden ( 803437 ) on Monday September 20, 2010 @09:13AM (#33634714)

    I believe that's via email, which can be tied to your phone, but not necessarily.

    The reality though is that the only completely secure system is one that NO ONE can access. If you want it to be useful, the system HAS to have some way to unlock itself. Saying that a person can access the system if they have all of your credentials isn't really a flaw - it's the way the system has to work.

    Put bluntly, there has to be SOME point when the user steps up and starts becoming responsible for keeping track of their credentials.

  • by ibsteve2u ( 1184603 ) on Monday September 20, 2010 @09:13AM (#33634718)

    The most interesting inference to me is that some third-party vendor who is serving up cloud apps has employees who are inherently more trustworthy than the ones you handpicked are.

  • Silly nerds... (Score:4, Insightful)

    by Darkness404 ( 1287218 ) on Monday September 20, 2010 @09:13AM (#33634720)

    but it doesn't answer how it helps if an intruder is getting into Apps through a lost or stolen phone

    When you lose your phone, the vast, vast, vast, vast majority of the time they just want to wipe your iPhone and sell it to the local pawn shop. They don't care about your data, your songs, your apps, etc. they simply see that shiny, new hardware = money. Same thing with laptops, they don't care about the data on it, they want to wipe "that funny looking OS" off of it and put a pirated copy of XP on there and sell it on eBay.

    The idea that stolen gadgets are going to be used for something beyond simple hardware really overestimates either your value of data or the intelligence of thieves.

  • Re:It's Obvious (Score:3, Insightful)

    by eldavojohn ( 898314 ) * <`eldavojohn' `at' `gmail.com'> on Monday September 20, 2010 @09:17AM (#33634740) Journal

    Learn to keep track of your damn phone...

    And what do I do when I don't have phone service?

    I recently went on vacation to Grand Cayman and didn't have any phone service. What happens then? I had to correctly identify friends from random Facebook pictures in order to log into Facebook the first time (at which point the place I was staying was apparently white listed for me to log into for the rest of the trip).

    Sure, it's probably a small annoyance to pay for better security unless you travel often or have really randomly spotty cell phone service. A trip out to my parents' farm would probably be more than an annoyance as I await the text msg okaying me to log into GMail through my parents' 56k modem. I guess everything comes with a price but I'd probably just turn this off and leave it off instead of regretting it on vacation if I forget to disable it before traveling.

    Also, a few of my company's clients have server rooms in the depths of basements with little to no cell phone reception. Would hate to work there if you try to log into GMail and get asked for this. You'd have to go for a walk to get your authentication code.

  • by thethibs ( 882667 ) on Monday September 20, 2010 @09:17AM (#33634742) Homepage

    but it doesn't answer how it helps if ...

    Judgecorp should wait until after second coffee to post.

    What happens when an attacker has both factors in a two-factor situation is that security is breached. The same applies for any number of factors.

    The objective is to improve security, nothing can guarantee it. No "answer" is needed.

    (.....)

  • by Anonymous Coward on Monday September 20, 2010 @09:17AM (#33634744)

    It appears Google's argument is "it's safer/easier/cheaper to use Google Docs than emailing your file as an attachment, or letting employees put it on laptops and USB keys which they then lose."

    If you have information which can only be transmitted between a computer monitor and the user's eyeballs, I don't think Google has anything to peddle to your corporation, unless they start selling Faraday Cages to guard against Van Eck phreaking.

  • Re:Mobile security (Score:3, Insightful)

    by Mr_Silver ( 213637 ) on Monday September 20, 2010 @09:27AM (#33634868)

    I've never had an email account hacked before, so I'm pretty convinced that some phone app has leaked my account details (as it's the gmail account tethered to my phone).

    The problem is that when you install an application, Android gives you a big long list of things that the app wants to do. Whilst it sounds like a great idea, it gives no context as to why it needs those features and you only have two choices - accept that the application can do everything or don't install it. It's far too easy to sneak something into that list without people realising.

    In the future, the OS should prompt the user that an application wants to do something (e.g. accessing your address book) at the point it wants to do it and let the user decide whether or not to allow it - with an option to say "Always do this for [blah]" where [blah] could be "accessing contacts". It has the nice side effect of forcing application developers to design a UI which tells customers what they are trying to do so that they don't hit the "Deny" button as soon as the alert appears.

    That way, people can run applications, test them and even use them without having to subject all their data to the mercy of the developers.

  • by Jurily ( 900488 ) <(jurily) (at) (gmail.com)> on Monday September 20, 2010 @09:31AM (#33634908)

    Agreed. While it's by no means perfect, it is more secure.

    Most accounts today are not compromised because the attackers specifically target the victim, but because they had the weakest password.

    Also, the act of stealing a physical device makes it a far greater risk and hassle for the attackers.

  • by IndustrialComplex ( 975015 ) on Monday September 20, 2010 @09:55AM (#33635086)

    Agreed. I fail to see how sensitive information being sent over the Internet could be more secure than keeping sensitive information stored on a computer that doesn't even have a network card installed.

    Security and Availability go hand in hand. Security isn't just, NO ONE EVER GETS TO LOOK AT MY DATA. Security is also making sure that your data remains undamaged (integrity) and available to the people that you want to see it.

  • by IndustrialComplex ( 975015 ) on Monday September 20, 2010 @09:58AM (#33635108)

    Google, in turn, has a vested interest in ensuring that their paying customers' data stays private.

    Google has a vested interest in ensuring that their paying customers' data breaches stay private. That's number one. If they can't ensure number one, then your statement takes priority.

    The issue with Google's model is that you rely on Google's policy/process and you cannot directly negotiate/control that. (Not saying that their policy/process isn't acceptable for some people, but that you don't get to directly influence it)

  • Re:Mobile security (Score:3, Insightful)

    by N1AK ( 864906 ) on Monday September 20, 2010 @10:04AM (#33635152) Homepage

    I agree, really, Google should let -us- decide what an app can do.

    Google won't, and shouldn't, add that. Google doesn't know what an application needs to function, a lot of users will block internet/phone etc access and break the application. Google and the app developer will then get bombarded by complaints and help requests. Android will need to match or beat iOS in user friendliness, options that offer nothing to most users and cause negative user experiences aren't going to help do that.

    I would like this functionality, even though I would rarely use it. I just don't think it would benefit Android in general.

  • by morgan_greywolf ( 835522 ) on Monday September 20, 2010 @11:34AM (#33636564) Homepage Journal

    The only kind of "private" e-mail that exists is the kind that you encrypt. Once a plaintext e-mail leaves your client, there is no guarantee that some third party won't read it.

    Security through obscurity is the same as no security at all.
