Google brings 2-factor authentication to Gmail

Google will allow users of Gmail and its other free online services to employ a second form of verification when logging in that uses one-time passwords transmitted over mobile or land-line phones. The ability to use two-factor authentication, which will be rolled out over the next few days, is designed to make it considerably …

COMMENTS

This topic is closed for new posts.

send a txt message to your cellphone or a phonecall to your landline

How charitable from Google! And in the meantime they get some extra information on you :)

7
8
Anonymous Coward

RE: send a txt message to your cellphone or a phonecall to your landline

And how much do you want to bet that something will muck up and the Deaf will have to rely on SMS authentication only.

Not to mention problems with mobile stolen phones, or if you've given your landline number, house mates trying to get into your account knowing they have access to the phone number you've given google

3
3

notice the "2-factor" part of the headline?

"Not to mention problems with mobile stolen phones, or if you've given your landline number, house mates trying to get into your account knowing they have access to the phone number you've given google"

2-factor means 2 methods of identification - in this case you know the password and have the phone. If you don't know the password having the phone won't help (but probably make it much easier to get it reset - but that's no different to your bank account).

3
0
Silver badge

"they get some extra information on you"

With Google's datamining, if you've ever put your phone number in an e-mail, they've got it already!

1
1
Joke

Good point!

However, I hear that you can prevent Google from getting that information if you just wrap your phone in tin foil. Or maybe it's your head. I can never remember, so I guess you better do both!

1
0
Joke

No.

It's wrap your phone in tinfoil and your head in clingfilm.

***Children! This was a joke! Do not really wrap your phone in tinfoil or you'll block the signal!***

(seriously, if you do wrap your head in clingfilm 'cos I told you to then don't come crying to me if you die as a result. Have some common sense...)

0
0
Black Helicopters

another excuse...

for Google to have your phone number

5
5
Big Brother

The idea is fine

Except that there's enough info Google already have about me, without also knowing my mobile number. They asked me for it once for something else, I refused. And will do so again.

5
3
Anonymous Coward

Weird ...

The idea is fine .... except it isn't. Make your mind up.

3
1
Go

Great move :)

Had the notification for mobile number as have several gmail accounts, mostly for in game use, so when someone asks character 1 for their email address, I already have an email address set up without having to give them this one :)

0
1
Silver badge
Unhappy

Darling...!

...can you get off the phone with your mother? I need to send an email...

12
0
Alert

Not enforceable!!

Major problem is that this can not be forced in google apps.

Making two factor authentication voluntary in a business environment is next to pointless!

I still really rate Google Apps, we moved our business to it last year from Lotus Notes and I've never had a project so well received.

1
2
Happy

Post-Its and messenger-boys

.. are preferable to Lotus Notes :-)

4
1
Anonymous Coward

No wonder

Lotus Notes is a catastrophe. Even a web based application like google apps feels more interactive. It's like going from blind to seeing.

1
0
Silver badge

yes ...

... in fact, Lotus Notes has a web-interface that - even though it's not that good - beats the Notes (fat) Client into a cocked hat.

0
0

@not enforceable

Yes it is, I've done it; have a look in that thing called settings.

Now, need to find a way to explain how to do this to my old folks....

1
1
Alert

@Richard Rae

Maybe I wasn't clear before, this is NOT ENFORCEABLE by an administrator in a google apps for business environment.

Sure as an end user you can switch it on in 'settings'. But as an admin you can't enforce this across your company which is really strange.

0
0
Anonymous Coward

App please

Hopefully they'll have some sort of app to generate the keys like other 2-factor systems, otherwise the whole thing is useless when I'm abroad with a local SIM..

Abroad being also exactly the place where one is most vulnerable, connecting to dodgy wifis and using spyware infested PCs.

3
0
Anonymous Coward

There's apps already

Replying to myself, there are apps out there already to do this on Android, iOS and Blackberry, so no need to give your phone number to google.

It just gets really complicated because it breaks IMAP, IM, and every client outside the web which then needs special, unique, passwords. Definitely not something to turn on for the parents..

0
0

I doubt...

I don't think it will help the seemingly bigger problem of session hijacking and people just forgetting to log out.

They already have most of this infrastructure already set up since if you *have* given Google your phone numbers, then that becomes a preferred method of delivering a password reset.

0
0
Anonymous Coward

Turn on SSL

Turn on SSL and the seemingly bigger problem of session hijacking goes away. People forgetting to log out .... that's not a technology problem.

2
0
Silver badge

GMail SSL

GMail is all SSL the whole time :-)

0
1
Thumb Down

ah, but...

Only if you want it to be - the option is off by default

1
0

What country?

"The security measure, which goes well beyond what many banks and e-commerce sites offer, was first made available to Google Apps customers in September."

Wait, what? I'm sorry, maybe in your country. Here (Hungary) you actually can't have an online bank service without a mobile phone. Every time you log in or wire money, you get your one-time pad with additional infos (target account number, how much you're going to wire).

Oh, wait, I remember reading about UK banks a couple years back. So they still haven't implemented this security feature? I guess it is easier to say "it is your fault" than actually doing something to prevent it.

3
0
Bronze badge
Grenade

UK banks

Natwest implement a challenge-response handshake whenever a new payee is added to the account, but it's done via a card reader: http://www.natwest.com/personal/online-banking/g1/banking-safely-online/card-reader.ashx I believe Lloyds-TSB make mobile phone calls in the same situation. So, yes, our banks have got their arses.

Now, can I share with you some of my prejudices about Hungarians? :-P

0
0
Alert

Co-operative Bank too

The Co-op Bank also uses a card reader with challenge-response codes every time a new payee is added (or other high-risk request).

Halifax still uses its "wish it was two-factor" by asking you for a regular password, then asking you to provide certain characters from another password. Phtooey!

0
0
Thumb Down

At about 4 times more expensive

the mobile phone plan here in Canada than in Eastern Europe, I wouldn't like a bank to force me to own a mobile phone just to send me that info. When I told my brother who lives there how much I pay each month for a basic service he almost choked laughing.

0
0
Anonymous Coward

The title is required, and must contain letters and/or digits.

My bank does this. I have a card reader at home that authenticates against my debit card and gives me a one time code to log in. Also, if I'm trying to send money online I have to use the same device to authenticate the transfer. This is on a business account.

On my personal account if I'm sending money to someone for the first time I get a phone call from the bank asking me to authorise the transfer.

Obviously more can be done, but at least the banks are starting to improve security.

0
0
WTF?

SMS authentication

I just had to reactivate my Gmail account via SMS after it had been accessed from a Chinese IP range (which seems to be amazingly common - do a Google search). Now, this is the second time this has happened, and both times I was using 12-character randomly-generated passes, so what gives? How are they cracking them? Are they brute-forcing the passes (seems unlikely) or is the suggestion that's floating around that there's some fundamental security flaw in Google's authentication system true??

1
0
Bronze badge

Do you have...

...a key logging virus?

1
0
Anonymous Coward

Or...

Maybe you have a keylogging virus on your machine. Occam's razor.

0
0
Happy

Hmm

What's more likely ... Google's Gmail's been hacked, or you've been hacked?

Hmmm....

0
0

Keylogging?

If a keylogger had been in operation I'm sure whoever-it-is would have picked a juicier plum than a Gmail account!

Do a quick Google search - this illegal-access-from-Chinese-IPs thang seems amazingly widespread.

0
0

hmm

Android based Google Authenticator please.

None of this waiting for SMS and Voice Call rubbish. Let's face it, a landline isn't tenable... what's the point of web based email that can only be used from home, and SMS can have very long latency between send and receive, which most don't realise!

1
0

Android authenticator

@corrodedmonkee

The step by step guide for setting it up points you to the app

https://market.android.com/details?id=com.google.android.apps.authenticator

Or search for Google Authenticator on the marketplace.

1
0
Happy

It can have but not often

More often than not my texts are instant, well faster than it takes for me to find a stopwatch.

0
0

So what's going to happen to gmail manager?

I use this to see if anything new has popped (geddit?) into my gmail account, but with this additional step I would need to be answering my phone every ten minutes.

It's a good idea - but I suspect that I and many others would prefer convenience over security, which is wrong I guess, but hey, I'm only human.

ttfn

0
0
Thumb Down

As pointless as a chocolate teapot

FWIW, my password is complex & unique to my Google account and having to wait for a one time password to login on the only 2 systems I ever use seems quite pointless.

Better to enable it only if it's not one of your regular machines.

And I can't see anyone who needs to use it (because they have a weak password) actually enabling it.

0
1
Anonymous Coward

Is it really ALWAYS 2-factor?

If you lost your mobile you would need a method of getting in and changing your settings. This method needs to NOT use your lost mobile (so security questions are the norm). Therefore knowing/guessing security answers is still a method of gaining access to somebody's account - regardless of mobile SMS passwords. The weakest link is normally the 'reset if....' or 'I've forgotten my password...' or in this case 'I've lost my mobile...' scenario.

A good idea though (not that I would trust Google with that information).

0
0
Alert

2nd factor coming later

Attempting to enable this results in a warning sign

<-- and the message

"This is an advanced feature. 2-step verification for this account will be available soon."

0
0
Welcome

Compliance

It's a pretty useful option to have IMO, and not desperately painful to implement.

Just wondering what service google have in the pipeline that requires mandatory 2-factor auth?

1
0

I'm not giving Google my details....

.... they cry.

Umm... maybe you don't give them your details, but, do you honestly think that not one of the people, who have your phone number stored in their mobiles, doesn't sync their contacts into Google's servers?

3
0
Anonymous Coward

it's easy

do what I do with my bank (yes in the UK) that uses SMS for 'authentication' just get a really cheap pay as you go phone, sim and give them that number. That way it's not a number you use for anything else and know if you get a call on it who gave the number out, simples

0
0
Bronze badge
Alert

Hmmm, would like some clarification

Is it really doing this EVERY time I log into Gmail? I've given Google my mobile # for recovery purposes already, so I don't care.

But, if every time I log in I need to wait for an SMS (my operator has a "relaxed" attitude towards timeliness of sms transmissions) then that's no good.

On the other hand, I would love something that does use 2-factor SMS, in the context of an unusual event that would trigger that extra security layer. Maybe logging in from a never-before-used machine (new IP address/no gmail cookies yet, that kinda thing). Of course, that might be difficult in practice when using my cell phone which will be hopping from wifi to wifi.

1
0
FAIL

I wonder

How many people will have their gmail password saved on the phone that receives the sms?

0
0

Title

Me, but of course I also have it on my iPad & multiple desktops synced via Drop Box & 1Password.

0
0

Spam

I help run a high-traffic Yahoo! group and regularly get Spam e-mails from members' Yahoo!, Hotmail or AOL accounts but never from Gmail accounts. Either Gmail is much more secure or Gmailers have better passwords or there are far less of them, or...?

0
0