Google's security people aren't thinking straight. They believe there is state sponsored hacking and they then recommend their silly phone pin nonsense ("two factor authentication")? Did they think that the phone channel was secure? They don't believe someone could watch them send the PIN over a text message? If they really cared about security they'd ween people off of passwords and only use computer generated RSA/DSA keys. I believe that browsers already allow client certificates for setting up https connections. Using computer generated and invoked keys would solve the phishing and guessing attacks. The keys would have a high enough search space that guessing would be impossible. The connections would be authenticated in a way that wouldn't expose the private key itself, so phishing wouldn't work. 1) the google server key would be checked in a secure crypto manner and a MITM attack wouldn't be possible. 2) the user's key would be checked in they standard public key crypto manner also, which wouldn't expose the private key in the process of authentication. Crap, I know practically nothing about crypto and can punch holes in Googles stuff. They don't think the equivalent of some evil country's NSA could do much better?ï

I think the text message is not supposed to be 100% secure, but another obstacle to put in the way of attackers. It's an 80% solution.

That should be a sign right there that they've likely thought this through more than you have. What makes you think the entirety of their security policy is accurately conveyed in TFA?

PINs through texts are not bulletproof, but they do add security. So do the other methods Google offers, like locally-generated tokens. Certificates are hardly bulletproof either, as Microsoft recently found out. And most methods will fail if you've got a state-sponsored infection like Flame on your system...

Which email client has encryption installed out of the box? How "widely available" is it if I have to go download a plugin, then find out how to generate keys, then somehow get my public key to all of the people that I want to communicate with? None of this process being standardized or documented in one place.

Google's security people aren't thinking straight. They believe there is state sponsored hacking and they then recommend their silly phone pin nonsense ("two factor authentication")? Did they think that the phone channel was secure? They don't believe someone could watch them send the PIN over a text message? If they really cared about security they'd ween people off of passwords and only use computer generated RSA/DSA keys.

Username and password with the authentication code is more secure than without it, though using the SMS or voice-channel option (which isn't the preferred two-factor mechanism) is a greater risk against an attacker with your password than the preferred two-factor method (which uses an app which generates computer-generated keys instead of sending them two you over a telecommunication network.)

Using computer generated and invoked keys would solve the phishing and guessing attacks.

It would be a single-factor authentication method subject to compromise of the device with the key-generating software. In practice, it would be less secure than using Google's existing two-factor authentication system using the preferred (mobile app) mechanism, which involves both device generating a limited-time authentication code and a regular password, so that compromise of either the password or the device doesn't compromise the account.

Obsession with "the NSA" aside, if a US law enforcement entity with a warrant makes a request to a US corporation, that US corporation complies. Because we're, you know, actually a nation of laws.

The CONTENT of the private communications of US Persons are off limits without an individualized warrant from a court of competent jurisdiction. It's our friends across the Pacific that are monitoring the content of communications, including of their own citizens.

Google isn't doing this with direct knowledge that a particular person is being spied on by their government. They're doing it based on aggregate evidence in nations known to be monitoring certain groups of internet users en masse; i.e., NOT the United States.

Do you think the US government and US corporations should follow the law, or not? If not, what should govern it?

Your opinion?

Communications metadata in various forms has been fair game for decades (i.e., not a "new" or "post-9/11" construct), and has been validated by the US Supreme Court. How do you propose identifying and targeting specific foreign communications — the content of which does not require, and never has required, a warrant — now increasingly traveling on systems and networks within the US, without first having a mechanism to first identify and target those communications?

Try to get out of your bubble where you perceive that the government is out to "get you" and take away your rights, and realize that the US has adversaries — not even of our own creation! — and that most in government and military leadership take their obligations to the law, the Constitution, and the people of the United States seriously.

Obsession with "the NSA" aside, if a US law enforcement entity with a warrant makes a request to a US corporation, that US corporation complies. Because we're, you know, actually a nation of laws.

If a US agency (law enforcement or no) with no warrant makes a request to a US corporation, that US corporation (e.g. AT&T) complies. Because if that corporation (e.g. Qwest) resists, their principals end up on the wrong end of an investigation [washingtonpost.com] of the sort Cardinal Richelieu made famous ("If you give me six lines..."). Because we're not actually a nation of laws.