Google Adds Two-Factor Authentication To Gmail
Trailrunner7 writes "Google has introduced a new two-step authentication feature for Gmail users that it says will significantly increase the security of the free mail service. The system enables users to set up a method for obtaining a secret code that will be required, along with a password, to access a Gmail account. The new two-factor authentication system is a voluntary program right now, although it could become mandatory at some point in the future. Gmail, like virtually all other webmail services, has been a frequent target of attacks, both sophisticated and mundane, aimed at hijacking users' accounts. The most famous of these was an attack that was part of the Aurora operation against Google and others, part of which targeted the Gmail accounts of Chinese dissidents."
why no one time pad with index lookup (Score:4, Interesting)
Why no one time pad with index lookup?
Re: (Score:2)
I think you misunderstand. First: It's optional. You have to specifically decide to use it. Second: You will not need to remember anything. It is generated by your phone each time you need it. Third: If you decide to use it, but don't want to use it every time, you can have it set to be required every X number of days.
Re:why no one time pad with index lookup (Score:4, Insightful)
2-Factor.
Now they can be SURE it's YOU that they are tracking.
The flaw in GOOG and Yahoo and Hotmail? Social networking "features". They get the email address of every contact you have, and spam them from your address in spoofed headers. All without a login credential.
Re: (Score:3)
Yeah. Pull the other one. It's got bells on it.
You are Google's product and inventory - not their customer. You don't slip off the shelf so easily.
Authenticator (Score:4, Insightful)
What I really don't get is how my WoW account is more secure than my bank account.
http://images.dailytech.com/nimage/8561_product.jpg [dailytech.com]
Re: (Score:3)
Because your bank is crap.
I have one of these: Barclays PINsentry Card Reader [barclays.co.uk]
One more reason to use Google Apps (Score:2)
Re: (Score:2)
The whole two-factor via SMS thing always seemed bad to me. I don't have free messaging, and don't usually carry a cell phone, so it would be worse than useless, but more importantly, does anyone really think the SMS system is all that secure?
I guess this does help defend against simple brute-force password guessing, but a modern keylogger or similar trojan defeats it easily. I carry an RSA keyfob for my bank, but I still wouldn't log in from a computer I didn't trust.
As long as there's a non-SMS option
Re: (Score:2)
There is, apparently (on another site I read) you can even have it call your land line and speak out the code. You can also have it remember that system for 30 days, so you're not doing this every time you log in, but about once a month.
I'm not sure if this is something I'd switch to but... it's a good option I think.
Great...what if you're without your phone? (Score:4, Insightful)
If this becomes mandatory... then if you have the situation listed above and are at a friend's house or library you can't check your email?
Re: (Score:3)
... the code changes every time you log in. Memorizing it will do you no good. That is, in fact, the point. To compromise the second factor, you need to have the phone.
Re: (Score:2)
Why would you not have your cellular phone with you?
Most phones can be charged via USB, how often in your life are you at a location with a computer (to check said email), but not within reach of a USB port?
Re: (Score:2)
Why would you not have your cellular phone with you?
Most phones can be charged via USB, how often in your life are you at a location with a computer (to check said email), but not within reach of a USB port?
Because I forgot it on the nightstand, or on my desk. I frequently work from home so I don't have it on my person at all times. When I leave for a meeting or to grab lunch I sometimes forget to put it in my pocket.
Re: (Score:2)
I don't think they are too worried about the segment of their userbase that refuses to carry a cell phone but wants to check their email from random restaurants.
Re:Great...what if you're without your phone? (Score:4, Informative)
They offer a smart phone app for several platforms that doesn't require Internet access. Just like an RSA keyfob doesn't require Internet access.
Re:Great...what if you're without your phone? (Score:4, Insightful)
Why would you not have your cellular phone with you?
Because I do not OWN a cell phone. They're a huge fucking ripoff and until they get to the point where it's a reasonable price with vendors that aren't asshole oligopolies I will not get one.
Re: (Score:2)
Are you even remotely serious?
I just looked up a plan, and they start at $50 a month for 100 minutes and 500MB of data plus the monthly connection fees, stealing from you fees (they call these "9-1-1 fees"), etc.
How is that not an abject ripoff?
Re: (Score:3)
1) Get a Virgin Mobile MiFi from Walmart. Buy 1GB for $20 top-up cards (only available at Walmart).
THEN
2a) Buy new or used iOS smartphone off of contract capable of running Talkatone app, which provides VoIP via GMail which has free US phone calls.
3a) Install Talkatone app.
4) Done.
===
2b) Buy any Android or iOS smartphone off of contract capable of later versions of Skype which allow cellular VoIP.
3b) Install Skype with Pay as you Go option.
4) Done.
Re: (Score:3)
It also has a frickin torch built in
I sincerely hope you were speaking British there.
Re:Great...what if you're without your phone? (Score:4)
Because I used my cell phone very little and don't use it for stuff like signing onto gmail?
Not all of us are tethered to a cell phone 24/7, nor do we want to be.
Re:Great...what if you're without your phone? (Score:5, Insightful)
Or, you know, I don't carry it -- which is what I do now.
Why is it so hard to understand that many of us simply do not carry our cell phones all of the time, nor do we want to? Are you guys so obsessed with your phone you never put it down and walk away and can't fathom that other people don't?
I sure as hell don't want a cell-phone to be an integral part of logging into my webmail.
Re: (Score:3)
Those pesky keys you carry around to get into your house and car are so annoying too! In order to ease your burden, you should consider just leaving your house and car unlocked. It'll be easier on your mind that way.
Re: (Score:3)
My wife often complains that I don't carry my phone with me all the time or that I have it with me in my car but it's turned off. Sometimes I don't want to be bothered by a phone call - I just want some uninterrupted time to myself. Her response? "What if there's an emergency?" My response: "Call 911, not me".
Yes, we've played that out many many times now.
What surprises me is that there's someone who is surprised that a person may actually not have a phone with them. Why
Re: (Score:2)
except if your connection is 'micro' usb. Many people I know have a metric shitload of mini usb cables but micro usb, not so. Maybe in a couple of years when this newish connection reaches saturation.
Re: (Score:2)
This. Also third party cables do not seem to work as reliably as third party mini usb cables, so whether or not you'll actually be able to charge/power the phone with it on the computer you plug it into is a crapshoot.
Re: (Score:2)
You're assuming everyone has a cell phone?
For instance, my Mom didn't have a cell phone for years, and only recently got one a month or two ago for carrying for emergencies only. But I do pay for her a computer and connection at her home. So, before this... she'd not be able to log on (if mandatory 2-phase) before she got her phone.
And, even now... it is ONLY for emergencies while out driving... so, no txt plan.
Not everyone has and uses a cell phone...and t
Re: (Score:3)
There are some hardware options, such as yubikey. Another alternative if you don't mind the extra weight is to find a used android phone -- since the app doesn't require a sim, you only need wifi to get it set up (actually if you wanted to you could use USB and install it directly).
Also, check around to see if there's a Symbian app that implements HOTP (RFC 4226), since that's what Google uses. I imagine that if there isn't one yet, there will be one if this becomes popular.
Good luck, and no you can't hav
Re: (Score:2)
Also, I am not sure if this is completely new. I noticed when I was signing people in Google back in August that google was asking for a phone number, and people were getting texts and calls. I suppo
Re: (Score:2)
Really? I've never seen this on Paypal.
Just a simple username and password to get in is all I've ever seen or used.
Re: (Score:2)
If you want 2-factor Paypal checkout http://paypal.com/securitykey [paypal.com]
Re: (Score:2)
I've been using Paypal's security token (an OEM-ed VASCO device), and added the SMS feature as well.
Two factor authentication is a must these days, although it would be nice if people could standardize on a ZTIC-like appliance that plugged in a USB port and asked the critical questions through its interface.
Re: (Score:2)
Mod parent -1 Get Off My Lawn.
Seriously.
What happens if your phone is out of power? The same thing that happens if your laptop battery is out of power.
Or lost? The same thing that happens if your laptop is lost.
Or you just plain don't carry the damned thing everywhere? Honestly, where don't you carry it? I certainly carry my phone a lot more places than I carry my laptop.
And why on earth would this ever be mandatory?
Really, your post has the tone of "OMG how dare they add a feature I don't like!"
Re: (Score:2)
I think you mean "OMG how dare they add an optional feature I don't like!"
Re: (Score:3)
If you don't trust the app, inspect the source here and compile it yourself:
http://code.google.com/p/google-authenticator/ [google.com]
If you don't trust the compiler, get a yubikey which implements the same standard.
If you don't trust a 3rd party vendor, implement something for RFC-4226 yourself:
http://tools.ietf.org/html/rfc4226 [ietf.org]
If you still don't trust that, I suggest you get a different email provider :)
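The counter-based HOTP algorithm that RFC 4226 specifies (the one two comments above name as what Google's app uses), as an added example that is not code from this thread or from Google's project: the generator a phone would run, plus the server-side verifier with the look-ahead window and replay rejection the RFC describes. The secret is the RFC's own Appendix D test-vector key, not a real account seed; the function and class names are mine.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamic-truncate HMAC-SHA1(secret, counter) to `digits` decimal digits."""
    counter_bytes = struct.pack(">Q", counter)  # 8-byte big-endian moving factor (RFC 4226 s5.1)
    mac = hmac.new(secret, counter_bytes, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects a 4-byte window
    binary = (
        (mac[offset] & 0x7F) << 24  # clear the top bit so the result is a positive 31-bit int
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(binary % (10 ** digits)).zfill(digits)


class HotpVerifier:
    """Server side of the exchange: shared secret, next expected counter, look-ahead window.

    The phone increments its own counter every time it generates a code; codes the user
    generated but never submitted leave the two counters out of step, which the look-ahead
    window (RFC 4226 s7.4) tolerates up to `window` steps.
    """

    def __init__(self, secret: bytes, window: int = 10) -> None:
        self.secret = secret
        self.counter = 0  # next counter value the server will accept
        self.window = window

    def verify(self, candidate: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            # constant-time compare so a mismatch does not leak which digit was wrong
            if hmac.compare_digest(hotp(self.secret, c), candidate):
                self.counter = c + 1  # resync: this counter and all earlier ones are now dead
                return True
        return False


# Constructed demo secret: the RFC 4226 Appendix D test-vector key ("12345678901234567890").
TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    phone = [hotp(TEST_SECRET, c) for c in range(4)]  # what the app would show for counters 0..3
    server = HotpVerifier(TEST_SECRET)
    print(phone[0], server.verify(phone[0]))  # first code: accepted
    print(phone[0], server.verify(phone[0]))  # same code replayed: rejected
    print(phone[2], server.verify(phone[2]))  # user skipped code 1: accepted via look-ahead
    print(phone[1], server.verify(phone[1]))  # code 1 now sits behind the counter: rejected
```

The time-based variant (TOTP, RFC 6238) keeps exactly this truncation and substitutes the current 30-second time step for the counter.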
Re: (Score:2)
The article mentioned it was optional, but mentioned a possibility that it might become mandatory.
And no... not everyone carries a cell phone with them 24/7, and even those that do may not pay the extra $$ it costs for SMS text messaging service to be added onto their plan.
Reaching a bit aren't you? (Score:2)
If you are that compulsive about checking your email, you have your phone with you. And your phone will already be checking your email for you.
Re: (Score:2)
So... what happens if your phone is out of power, or lost, or you just plain don't carry the damned thing EVERYWHERE you go?
Most of the large handful of people this will affect will consider finding a way to improve their cell phone availability because it means they can't get phone calls either. One or two peeps will genuinely be bitten by it and find themselves unable to get their email for a bit. A sizable group of people who haven't been affected by it and likely won't be will go on Slashdot and bleat on about it like it's some big crushing, yet invisible, problem.
Re:Great...what if you're without your phone? (Score:5, Informative)
Do you have access to a landline? Because you can set the account settings to call you via a backup number and have the code read out to you. Or you can print out some backup codes and keep them in your wallet if you choose to do so. Not only that, you have the option to not have to enter a new verification code for 30 days, just your password, so if you brought your laptop along with you, you could have enabled the 30-day grace period. Then, when you go someplace and realize that you do in fact get reception, turn the 30-day off. You can even generate a ton of one-time codes for use on public computers! And once you generate the code and copy it down somewhere, you can hide it - and the code can't be retrieved from your account again! And you can revoke them at any time! And if this isn't enough choice for you - you can simply not opt-in. That's right, this is entirely opt-in.
Re: (Score:2)
Wish-It-Was Two-Factor (Score:3)
Isn't this technically "Wish-It-Was Two-Factor"
Reminds me of this:
http://thedailywtf.com/Articles/WishItWas-TwoFactor-.aspx [thedailywtf.com]
Re: (Score:2)
RTFA. I know, the summary makes it look that way, but it actually relies on either sending you a text message with a one-time code, or having you generate it yourself on a portable device. So it's something you know (password) + something you have (your phone, or the data for the app on your phone.)
Re: (Score:2)
Yeah, I know. If you choose answers which are actually secure, then you're screwed if you forget them. But if you can remember them then usually the information can be looked up or is known by friends or family. Why we let banks decide what regulations they're going to have is beyond me.
Oh, yeah, half the country is more than happy to go along with it if they're told they won't have a job if they don't.
Direct link to Google's announcement (bypass blog) (Score:4, Informative)
http://googleblog.blogspot.com/2011/02/advanced-sign-in-security-for-your.html [blogspot.com]
I was excited (Score:2)
I was excited till I realized it was just going to be another app for your phone. Call me when I can get an actual hardware token.
Re: (Score:2)
Not all of us need or want a smart phone, and not all of us work in places with great reception.
Re: (Score:2)
If you don't like it, you still have the right not to use it.
Re: (Score:2)
Because when someone steals your phone, they now have the password (in the keychain) and the token.
Re: (Score:2)
Which is fine if you don't access email on your phone. If you've got a smart phone and are using email on it, then you're basically where you were previously, with poor security. Sure it's not worse than what you have now, but it's hardly as much of a step forward as it could be.
IMAP? (Score:2)
I'm not sure how this will work for those of us using 3rd party mail clients and IMAP or POP3.
Re:IMAP? (Score:5, Informative)
Read the article. There is a randomly-generated application-specific 16-digit password that is used for things like IMAP and POP3. If someone gets access to that (unlikely, since you would never need to write it down, and Google encrypts IMAP and POP3), they can only access that specific service, and it's not going to be the same password you use anywhere else.
Re: (Score:2)
I was thinking the same, I use thunderbird.
Good idea, bad implementation (Score:4, Insightful)
While I have to applaud Google for trying to keep their users' accounts safe, I have to say that this idea is really untenable. Not everyone has a cellphone, not everyone with a phone carries it all of the time, and you might not always have reception. Just this last summer, I had a month-long internship in Nebraska. The town I stayed at had zero reception on Sprint's network and the nearest cell tower was over an hour away. So, for the entire month, I was without a phone. And last February, I was in Switzerland, where again, I had no cell service.
Furthermore, if my bank can authenticate me without requiring an SMS, then certainly my email provider can do the same.
Re:Good idea, bad implementation (Score:5, Insightful)
While I have to applaud Google for trying to keep their users' accounts safe, I have to say that this idea is really untenable. Not everyone has a cellphone, not everyone with a phone carries it all of the time, and you might not always have reception. Just this last summer, I had a month-long internship in Nebraska. The town I stayed at had zero reception on Sprint's network and the nearest cell tower was over an hour away. So, for the entire month, I was without a phone. And last February, I was in Switzerland, where again, I had no cell service.
Furthermore, if my bank can authenticate me without requiring an SMS, then certainly my email provider can do the same.
This isn't meant for the average Joe. It's meant for people with sensitive e-mails. If you think a totalitarian government might be going after you because you're part of a human rights organization, then signing up for two-factor authentication is for you. If your e-mail is basically your friends sending you stupid chain e-mails, then it's not. After all, I do have my cell phone with me all the time, and I don't ever want the inconvenience of two-factor authentication precisely because I carry my cell phone with me all the time: I never go to the gmail web page, I use IMAP and check my mail with my phone's client (or rather, my phone's client tells me when I have mail).
Re: (Score:2)
Then, if you don't want an SMS, you install the application on your phone which requires zero access to the 'net.
Re: (Score:2)
Clearly
Re: (Score:2)
I see myself creating a secure email that uses two factor, and a non secure one without it. And I will store more sensitive data/email on the secure account. BTW android phones are attache
Re: (Score:2)
Yes, but I think the better question is: "Why does my bank not take security seriously?" I think that's really the question. I think it's rather fantastic that people haven't come to the conclusion that banks really and truly don't care about security, or at least that's the conclusion I've come to given the embarrassing measures they put into place for "security." They add inconvenience but little if anything in terms of security.
So how will this impact IMAP access? (Score:2)
I access my gmail account via IMAP. I didn't see anything in that article about whether this impacts IMAP/POP or not. It's probably just for web logins, but then again you know what they say about assuming something...
Re: (Score:2)
You can also set up one-time application-specific passwords to sign in to your account from non-browser based applications that are designed to only ask for a password, and cannot prompt for the code.
(from actual google post http://googleblog.blogspot.com/2011/02/advanced-sign-in-security-for-your.html [blogspot.com])
This might be what you are looking for.
Re: (Score:2)
For each 3rd-party application accessing your Google account, you set up a separate single-use password (single-use here means one application, not one login attempt). Presumably these single-use passwords offer limited access to your account, in particular any security settings.
Aikon- (but this time, I am logged in)
What apps? (Score:2)
FTA: "Google will call you with the code, send you an SMS message or give you the choice to generate the code for yourself using a mobile application on your Android, BlackBerry or iPhone device"
So what apps? Are they going to roll out their own updated Google App or are they going to support existing apps like those from RSA SecurID or Verisign VIP Access?
Re:What apps? (Score:5, Informative)
There is a "Google Authenticator" application that you install on your phone. It has been out for several months. It requires no cell reception.
Re: (Score:2)
Well, you can always choose to not do it. You get increased convenience that way, with the expected tradeoff...
Re: (Score:2)
At least they're all apps, and you don't have to carry around three or four actual dongles.
Love this part ... (Score:2)
I love seeing stuff like this:
So, if I don't use SMS, and if I refuse to give a phone number to Google ... this is basically useless to me.
I sure as fsck hope to hell that I'm not eventually told I have to use an authentication method I refuse to use -- why does everybody assume I'm willing to give them my mobile number for such things?
Re: (Score:2)
What, on my non-smart phone which doesn't have apps?
Just because you want to have one, doesn't mean that I do.
If this comes down to SMS, a phone call, or an app ... none of these are viable options for a large number of people.
Does seem to make sense... (Score:2)
It's always seemed strange to me that, between my personal e-mail, my online banking, and my level 85 priest, only one has dual-factor auth. Guess which one? Adding e-mail to this makes a whole lot of sense as, with access to my e-mail, you could probably convince Blizzard and possibly convince my bank to reset my authentication details.
Now, it would be nice if they were to make this as full-featured as Blizzard's (they have a key fob, a mobile phone app, and also pretty cool, a feature where if you conne
Interesting idea, bad application (Score:2)
Re: (Score:2)
So you have to have a smart phone though.
Android phones already have support (Score:5, Insightful)
Install "Google Authenticator" to allow for two-factor authentication with your Android device.
Re: (Score:3, Informative)
Easily pwned (Score:2)
Re: (Score:2)
Both Android phones and iPhones have two sections of storage: one "internal" and one "external". The internal storage is not available as a USB mass storage device, only the external.
I don't know the details of the iPhone's system. On Android, nearly all applications and their data are stored on the internal storage that is not available over USB. You need to have a rooted phone in order to access data owned by applications on your phone. (The exceptions are apps that have been "installed to SD card", which
Call me crazy (Score:2)
Call me crazy, but do I really want Google knowing my phone number? It seems like nobody is even thinking of this one. What happens when they make this mandatory?
What if you have more than one Gmail account? Frankly, I use some Gmail features to stay hidden (I was going to say anonymous but now that word means kid porn and DoS).
Re: (Score:2)
Call me crazy, but do I really want Google knowing my phone number? It seems like nobody is even thinking of this one. What happens when they make this mandatory?
I would probably worry about that when the time comes. All of the griping about this is really quite irritating. There is zero indication that this will ever be mandatory.
Re: (Score:2)
Why does every site need its own auth app? (Score:2)
My physical key ring is already loaded with authentication tokens made of brass and metal. I've already got one authenticator app on my phone for World of Warcraft: why do I need a new one for every online entity I do business with? Can't we standardize on one?
(Yes, having just one authenticator app means Google can do a man-in-the-middle attack and steal all my WoW gold, but somehow that's not a big concern for me.)
Re: (Score:2)
Hint: because compromising that single key would compromise every lock you own instead of just a single lock.
Re: (Score:3)
No, it's really two factor: something you know (password) + something you have (cell phone or landline).
Re: (Score:2)
Well receiving an SMS on your phone is somewhat like "what you have" since you need your phone to get the text. And if Google supports tokens like RSA SecurID and Verisign VIP Access fobs (or apps on smartphones) then you would be able to get more realistic two factor authentication.
Re: (Score:2)
People really need to RTFA before they make bold claims like this.
It's not "what-you-know" twice. It's what you know (password) and what you have -- either your phone (for it to send a text to) or the data on your phone.
Or, if we take the "data on the phone" to be "something you know", why wouldn't we conclude the same thing about those little RSA devices?
Granted, the what-you-have is somewhat weak in this case, but it's still a significant improvement over "twice what-you-know", which is what banks tend to
Re: (Score:2)
In that case you install the application on your phone instead. The app requires no net access at all-- it just generates a code.