Forgot your password?
typodupeerror
Google Security Communications Privacy Wireless Networking

Google Adds Two-Factor Authentication To Gmail 399

Posted by timothy
from the get-to-the-next-phone-booth dept.
Trailrunner7 writes "Google has introduced a new two-step authentication feature for Gmail users that it says will significantly increase the security of the free mail service. The system enables users to set up a method for obtaining a secret code that will be required, along with a password, to access a Gmail account. The new two-factor authentication system is a voluntary program right now, although it could become mandatory at some point in the future. Gmail, like virtually all other webmail services, has been a frequent target of attacks, both sophisticated and mundane, aimed at hijacking users' accounts. The most famous of these was an attack that was part of the Aurora operation against Google and others, part of which targeted the Gmail accounts of Chinese dissidents."
This discussion has been archived. No new comments can be posted.

Google Adds Two-Factor Authentication To Gmail

Comments Filter:
  • by FuckingNickName (1362625) on Thursday February 10, 2011 @05:18PM (#35166726) Journal

    Why no one time pad with index lookup?

  • This has been available as an option on the paid Google Apps for domains for several months now, very very nice (phone app/etc.).
    • by lgw (121541)

      The whole two-factpor via SMS thing always seend bad to me. I don't have free messaging, and don't usually carry a cell phone, so it would be worse than useless, but more importantly, does anyone really think the SMS systems is all that secure?

      I guess this does help defend against simple brute-force password guessing, but a modern keylogger or similar trojan defeats it easily. I carry an RSA keyfob for my bank, but I still wouldn't log in from a computer I didn't trust.

      As long as there's a non-SMS option

      • by Reapman (740286)

        There is, apparently (on another site I read) you can even have it call your land line and speak out the code. You can also have it remember that system for 30 days, so your not doing this everytime you log in, but about once a month.

        I'm not sure if this is something I'd switch to but... it's a good option I think.

  • by cayenne8 (626475) on Thursday February 10, 2011 @05:20PM (#35166760) Homepage Journal
    So..what happens if your phone is out of power, or lost or you just plain don't carry the damned thing EVERYWHERE you go?

    If this becomes mandatory..then if you have the situation listed above and are at a friend's house or library you can't check your email?

    • Just memorize the code and type it in when you log on.
      • If it worked like that, it wouldn't be two-factor anymore (it would just be a system where your password must be entered in two chunks in two separate fields, no more secure than currently).
    • by h4rr4r (612664)

      Why would you not have your cellular phone with you?
      Most phones can be charged via USB, how often in your life are you at a location with a computer(to check said email), but not within reach of a usb port?

      • Why would you not have your cellular phone with you?
        Most phones can be charged via USB, how often in your life are you at a location with a computer(to check said email), but not within reach of a usb port?

        Because I forgot it on the nightstand, or on my desk. I frequently work from home so I don't have it on my person at all times. When I leave for a meeting or to grab lunch I sometimes forget to put it in my pocket.

        • How about, "I seldom carry the damned cell phone because people can FIND ME!" I pay for the phone for MY convenience, not for everyone else's convenience. If the boss wants to be able to find me, he can pay for the cell phone, then I can forget HIS cellphone at the restaurant!!
          • by maxume (22995)

            I don't think they are too worried about the segment of their userbase that refuses to carry a cell phone but wants to check their email from random restaurants.

          • by chinakow (83588)
            What are you four? Learn to read the caller ID or here's a thought, don't answer your phone when you don't want to talk. I take youth comment back, old people are the same way, they think just because a phone rings in earshot it must be answered. Anyway, keep your hair on grandpa, and learn how to silence a phone when you don't want to be bothered.
            • by bloosh (649755)
              Or better yet, get a Google Voice account and number, tell everyone that you have a new number and use GV's call routing system to control how people contact you.
      • by thatskinnyguy (1129515) on Thursday February 10, 2011 @05:43PM (#35167184)
        Because some of us travel to countries/continents where cell service is either at a premium or non-existent but internet service is available by satellite. Try getting a signal in the middle of a jungle in Central America. No. I can't hear you now.
      • by Beardo the Bearded (321478) on Thursday February 10, 2011 @05:45PM (#35167232)

        Why would you not have your cellular phone with you?

        Because I do not OWN a cell phone. They're a huge fucking ripoff and until they get to the point where it's a reasonable price with vendors that aren't asshole oligopolies I will not get one.

      • by gstoddart (321705) on Thursday February 10, 2011 @05:47PM (#35167256) Homepage

        Why would you not have your cellular phone with you?

        Because I used my cell phone very little and don't use it for stuff like signing onto gmail?

        Not all of us are tethered to a cell phone 24/7, nor do we want to be.

        • Re: (Score:3, Insightful)

          by seifried (12921)
          You know just because you carry a cell phone doesn't mean you have to answer it (or even leave it on). You can also send the call to voice mail, or if you don't have voice mail just ignore it/mute it.
          • by gstoddart (321705) on Thursday February 10, 2011 @06:11PM (#35167612) Homepage

            Or, you know, I don't carry it -- which is what I do now.

            Why is it so hard to understand that many of us simply do not carry our cell phones all of the time, nor do we want to? Are you guys so obsessed with your phone you never put it down and walk away and can't fathom that other people don't?

            I sure as hell don't want a cell-phone to be an integral part of logging into my webmail.

            • by ftobin (48814) *

              Why is it so hard to understand that many of us simply do not carry our cell phones all of the time, nor do we want to? Are you guys so obsessed with your phone you never put it down and walk away and can't fathom that other people don't?

              Those pesky keys you carry around to get into your house and car are so annoying too! In order to ease your burden, you should consider just leaving your house and care unlocked. It'll be easier on your mind that way.

              I sure as hell don't want a cell-phone to be an integra

        • Shoot, you stole my answer.

          My wife often complains that I don't carry my phone with me all the time or that I have it with me in my car but it's turned off. Sometimes I don't want to be bothered by a phone call - I just want some uninterrupted time to myself. Her response? "What if there's an emergency?" My response: "Call 911, not me".

          Yes, we've played that out many many times now.

          What surprises me is that there's someone who is surprised that a person may actually not have a phone with them. Why
      • except if your connection is 'micro' usb. Many people I know have a metric shitload of mini usb cables but micro usb, not so. Maybe in a couple of years when this newish connection reaches saturation.

        • This. Also third party cables do not seem to work as reliably as third party mini usb cables, so whether or not you'll actually be able to charge/power the phone with it on the computer you plug it into is a crapshoot.

      • Because I don't need a reason not to have my phone with me.
      • by cayenne8 (626475)

        "Why would you not have your cellular phone with you?"

        You're assuming everyone has a cell phone?

        For instance, my Mom didn't have a cell phone for year, and only recently got one a month or two ago for carrying for emergencies only. But I do pay for her a computer and connection at her home. So, before this..she'd not be able to log on (if mandatory 2-phase) before she got her phone.

        And, even now..it is ONLY for emergencies while out driving..so, no txt plan.

        Not everyone has and uses a cell phone...and t

    • by fermion (181285)
      Paypal has this system and I really like it. At first they had a one time pad which they sold for a few dollars. Then they went a system in which they texted a number from a one time pad. For people without phones with them at all time, I suppose this would be an option, i.e. google selling a one time pad.

      Also, I am not sure if this is completely new. I notices when i was signing people in Google back in August that google was asking for a phone number, and people were getting texts and calls. I suppo

      • by cayenne8 (626475)

        "Paypal has this system and I really like it. "

        Really? I've never seen this on Paypal.

        Just a simple username and password to get in is all I've ever seen or used.

        • by tagno25 (1518033)

          If you want 2-factor Paypal checkout http://paypal.com/securitykey [paypal.com]

        • by mlts (1038732) *

          I've been using Paypal's security token (an OEM-ed VASCO device), and added the SMS feature as well.

          Two factor authentication is a must these days, although it would be nice if people could standardize on a ZTIC-like appliance that plugged in a USB port and asked the critical questions through its interface.

    • Mod parent -1 Get Off My Lawn.

      Seriously.

      What happens if your phone is out of power? The same thing that happens if your laptop battery is out of power.

      Or lost? The same thing that happens if your laptop is lost.

      Or you just plain don't carry the damned thing everywhere? Honestly, where don't you carry it? I certainly carry my phone a lot more places than I carry my laptop.

      And why on earth would this ever be mandatory?

      Really, your post has the tone of "OMG how dare they add a feature I don't like!"

      • by AndrewNeo (979708)

        I think you mean "OMG how dare they add an optional feature I don't like!"

      • by wjousts (1529427)
        Believe it or not, but some people don't have cell phones.
      • by cayenne8 (626475)

        "And why on earth would this ever be mandatory?"

        The article mentioned it was optional, but mentioned a possibility that it might become mandatory.

        And no..not everyone carries a cell phone with them 24/7,.and even those that do, may not pay the extra $$ is costs for SMS text messaging service to be added onto their plan.

    • If you are that compulsive about checking your email, you have your phone with you. And your phone will already be checking your email for you.

    • So..what happens if your phone is out of power, or lost or you just plain don't carry the damned thing EVERYWHERE you go?

      Most of the large handful of people this will affect will consider finding a way to improve their cell phone availability because it means they can't get phone calls either. One or two peeps will genuinely be bitten by it and find themselves unable to get their email for a bit. A sizable group of people who haven't been affected by it and likely won't be will go on Slashdot and bleat on about it like it like it's some big crushing, yet invisible, problem.

    • by bluemonq (812827) on Thursday February 10, 2011 @08:08PM (#35168924)

      Do you have access to a landline? Because you can set the account settings to call you via a backup number and have the code read out to you. Or you can print out some backup codes and keep them in your wallet if you choose to do so. Not only that, you have to option to not have to enter a new verification code for 30 days, just your password, so if you brought your laptop along with you, you could have enabled the 30 day grace period. Then, when you go someplace and realize that you do in fact get reception, turn the 30day off. You can even generate a ton of one-time codes for use on public computers! And once you generate the code and copy it down somewhere, you can hide it - and the code can't be retrieved from your account again! And you can revoke them at any time! And if this isn't enough choice for you - you can simply not opt-in. That's right, this is entirely opt-in.

  • by Some guy named Chris (9720) on Thursday February 10, 2011 @05:20PM (#35166768) Journal

    Isn't this technically "Wish-It-Was Two-Factor"

    Reminds me of this:
    http://thedailywtf.com/Articles/WishItWas-TwoFactor-.aspx [thedailywtf.com]

    • RTFA. I know, the summary makes it look that way, but it actually relies on either sending you a text message with a one-time code, or having you generate it yourself on a portable device. So it's something you know (password) + something you have (your phone, or the data for the app on your phone.)

    • by hedwards (940851)

      Yeah, I know. If you choose answers which are actually secure, then you're screwed if you forget them. But if you can remember them then usually the information can be looked up or is known by friends or family. Why we let banks decide what regulations they're going to have is beyond me.

      Oh, yeah, half the country is more than happy to go along with it if they're told they won't have a job if they don't.

  • I was excited till I realized it was just going to be another app for your phone. Call me when I can get an actual hardware token.

  • by Y-Crate (540566)

    I'm not sure how this will work for those of us using 3rd party mail clients and IMAP or POP3.

    • Re:IMAP? (Score:5, Informative)

      by ahecht (567934) on Thursday February 10, 2011 @05:34PM (#35167020) Homepage

      Read the article. There is a randomly-generated application-specific 16 digit password that is used for things like IMAP and POP3. If someone gets access to that (unlikely, since you would never need to write it down, and Google encrypts IMAP and POP3), they can only access that specific service, and its not going to be the same password you use anywhere else.

    • I was thinking the same, I use thunderbird.

  • by Lord Byron II (671689) on Thursday February 10, 2011 @05:29PM (#35166918)

    While I have to applaud Google for trying to keep their users' accounts safe, I have to say that this idea is really untenable. Not everyone has a cellphone, not everyone with a phone carries it all of the time, and you might not always have reception. Just this last summer, I had a month-long internship in Nebraska. The town I stayed at had zero reception on Sprint's network and the nearest cell tower was over an hour away. So, for the entire month, I was without a phone. And last February, I was in Switzerland, where again, I had no cell service.

    Furthermore, if my bank can authenticate me without requiring an SMS, then certainly my email provider can do the same.

    • Again, cell reception not required for smartphone app to work.
    • by LateArthurDent (1403947) on Thursday February 10, 2011 @05:41PM (#35167160)

      While I have to applaud Google for trying to keep their users' accounts safe, I have to say that this idea is really untenable. Not everyone has a cellphone, not everyone with a phone carries it all of the time, and you might not always have reception. Just this last summer, I had a month-long internship in Nebraska. The town I stayed at had zero reception on Sprint's network and the nearest cell tower was over an hour away. So, for the entire month, I was without a phone. And last February, I was in Switzerland, where again, I had no cell service.

      Furthermore, if my bank can authenticate me without requiring an SMS, then certainly my email provider can do the same.

      This isn't meant for the average joe. It's meant for people with sensitive e-mails. If you think a totalitarian government might be going after you because you're part of a human rights organization, then signing up for two-factor authentication is for you. If your e-mail is basically your friends sending you stupid chain e-mails, then it's not. After all, I do have my cell phone with me all the time, and I don't ever want the inconvenience of two-factor authentication precisely because I carry my cell phone with me all the time: I never go to the gmail web page, I use imap and check my mail with my phone's client (or rather, my phone's client tells me when I have mail).

    • by MattskEE (925706)

      While I have to applaud Google for trying to keep their users' accounts safe, I have to say that this idea is really untenable. Not everyone has a cellphone, not everyone with a phone carries it all of the time, and you might not always have reception. Just this last summer, I had a month-long internship in Nebraska. The town I stayed at had zero reception on Sprint's network and the nearest cell tower was over an hour away. And last February, I was in Switzerland, where again, I had no cell service.

      Clearly

    • What part of "optional" you don't get? If it is not going work for you, don't use it. As time goes by Google and others will develop other means of delivering the second authentication token. If convenience is more important to you than security by all means use a less secure but more convenient authentication procedure.

      I see myself creating a secure email that uses two factor, and a non secure one without it. And I will store more sensitive data/email on the secure account. BTW android phones are attache

    • by hedwards (940851)

      Yes, but I think the better question is: "Why does my bank not take security seriously?" I think that's really the question. I think it's rather fantastic that people haven't come to the conclusion that banks really and truly don't care about security, or at least that's the conclusion I've come to given the embarrassing measures they put into place for "security." They add inconvenience but little if anything in terms of security.

  • I access my gmail account via IMAP. I didn't see anything in that article about whether this impacts IMAP/POP or not. It's probably just for web logins, but then again you know what they say about assuming something...

    • by gQuigs (913879)

      You can also set up one-time application-specific passwords to sign in to your account from non-browser based applications that are designed to only ask for a password, and cannot prompt for the code.
      (from actual google post http://googleblog.blogspot.com/2011/02/advanced-sign-in-security-for-your.html [blogspot.com])

      This might be what you are looking for.

    • by AikonMGB (1013995)

      For each 3rd-party application accessing your Google account, you set up a separate single-use password for (single-use here means one application, not one login attempt). Presumably these single-use passwords offer limited access to your account, in particular any security settings.

      Aikon- (but this time, I am logged in)

  • FTA: "Google will call you with the code, send you an SMS message or give you the choice to generate the code for yourself using a mobile application on your Android, BlackBerry or iPhone device"

    So what apps? Are they going to roll out their own updated Google App or are they going to support existing apps like those from RSA SecurID or Verisign VIP Access?

  • I love seeing stuff like this:

    Google will send that code to the user via SMS or a phone call. Users also will have the option of installing an app on the mobile device that can generate the code locally.

    So, if I don't use SMS, and if I refuse to give a phone number to Google ... this is basically useless to me.

    I sure as fsck hope to hell that I'm not eventually told I have to use an authentication method I refuse to use -- why does everybody assume I'm willing to give them my mobile number for such things?

  • It's always seemed strange to me that, between my personal e-mail, my online banking, and my level 85 priest, only one has dual-factor auth. Guess which one? Adding e-mail to this makes a whole lot of sense as, with access to my e-mail, you could probably convince Blizzard and possibly convince my bank to reset my authentication details.

    Now, it would be nice if they were to make this as full-featured as Blizzard's (they have a key fob, a mobile phone app, and also pretty cool, a feature where if you conne

  • This is an interesting idea, but there are far too many flaws with it. First off is the obvious privacy issue, your phone number can easily be used to track you, plus your Gmail account, plus Google's information logging makes this a privacy nightmare. And even if you trust Google, there is still the fact that the government/*AA could get ahold of the data and frame you for crimes you didn't commit based on circumstantial evidence. Secondly is the obvious implementation problems, not everyone has a cell pho
  • by GooberToo (74388) on Thursday February 10, 2011 @05:45PM (#35167230)

    Install, "Google Authenticator" to allow for two-factor authentication with your Android device.

  • Most phones that can run apps can also be connected to a pc via USB, allowing full access to their internal memory as an USB mass storage device. So: 1) pwn PC 2) get password 3) next time the user connects its phone, get the secret data used by the app to generate the code (it must be written on the phone's memory, right?) 4) ??? 5) profit Looks like one-and-a-half factor authentication, at most.
    • by blueg3 (192743)

      Both Android phones and iPhones have two sections of storage: one "internal" and one "external". The internal storage is not available as a USB mass storage device, only the external.

      I don't know the details of the iPhone's system. On Android, nearly all applications and their data are stored on the internal storage that is not available over USB. You need to have a rooted phone in order to access data owned by applications on your phone. (The exceptions are apps that have been "installed to SD card", which

  • Call me crazy, but do I really want Google knowing my phone number? It seems like nobody is even thinking of this one. What happens when they make this mandatory?

    What if you have more than one Gmail account? Frankly, I use some Gmail features to stay hidden (I was going to say anonymous but now that word means kid porn and DoS).

    • by Sancho (17056) *

      Call me crazy, but do I really want Google knowing my phone number? It seems like nobody is even thinking of this one. What happens when they make this mandatory?

      I would probably worry about that when the time comes. All of the griping about this is really quite irritating. There is zero indication that this will ever be mandatory.

    • by Locke2005 (849178)
      I have an Android phone. Google already knows my phone number!
  • My physical key ring is already loaded with authentication tokens made of brass and metal. I've already got one authenticator app on my phone for World of Warcraft: why do I need a new one for every online entity I do business with? Can't we standardize on one?

    (Yes, having just one authenticator app means Google can do a man-in-the-middle attack and steal all my WoW gold, but somehow that's not a big concern for me.)

    • by Locke2005 (849178)
      Why do you need a separate physical authentication token for each physical lock you need to unlock? Why couldn't they all use the same key? Can't we standardize on one?

      Hint: because compromising that single key would compromise every lock you own instead of just a single lock.

"If I do not want others to quote me, I do not speak." -- Phil Wayne

Working...