Google brings 2-factor authentication to Gmail
Google will allow users of Gmail and its other free online services to employ a second form of verification when logging in that uses one-time passwords transmitted over mobile or land-line phones. The ability to use two-factor authentication, which will be rolled out over the next few days, is designed to make it considerably …
send a txt message to your cellphone or a phonecall to your landline
How charitable from Google! And in the meantime they get some extra information on you :)
RE: send a txt message to your cellphone or a phonecall to your landline
And how much do you want to bet that something will muck up and the Deaf will have to rely on SMS authentication only.
Not to mention problems with stolen mobile phones, or if you've given your landline number, house mates trying to get into your account knowing they have access to the phone number you've given Google
notice the "2-factor" part of the headline?
"Not to mention problems with mobile stolen phones, or if you've given your landline number, house mates trying to get into your account knowing they have access to the phone number you've given google"
2-factor means 2 methods of identification - in this case you know the password and have the phone. If you don't know the password, having the phone won't help (but it probably makes it much easier to get it reset - but that's no different from your bank account).
"they get some extra information on you"
With Google's datamining, if you've ever put your phone number in an e-mail, they've got it already!
Good point!
However, I hear that you can prevent Google from getting that information if you just wrap your phone in tin foil. Or maybe it's your head. I can never remember, so I guess you better do both!
No.
It's wrap your phone in tinfoil and your head in clingfilm.
***Children! This was a joke! Do not really wrap your phone in tinfoil or you'll block the signal!***
(seriously, if you do wrap your head in clingfilm 'cos I told you to then don't come crying to me if you die as a result. Have some common sense...)
The idea is fine
Except that there's enough info Google already have about me, without also knowing my mobile number. They asked me for it once for something else, I refused. And will do so again.
Weird ...
The idea is fine .... except it isn't. Make your mind up.
Great move :)
Had the notification for mobile number as have several gmail accounts, mostly for in game use, so when someone asks character 1 for their email address, I already have an email address set up without having to give them this one :)
Darling...!
...can you get off the phone with your mother? I need to send an email...
Not enforceable!!
Major problem is that this cannot be forced in Google Apps.
Making two factor authentication voluntary in a business environment is next to pointless!
I still really rate Google Apps, we moved our business to it last year from Lotus Notes and I've never had a project so well received.
Post-Its and messenger-boys
.. are preferable to Lotus Notes :-)
No wonder
Lotus Notes is a catastrophe. Even a web based application like google apps feels more interactive. It's like going from blind to seeing.
yes ...
... in fact, Lotus Notes has a web-interface that - even though it's not that good - beats the Notes (fat) Client into a cocked hat.
@not enforceable
Yes it is, I've done it; have a look in that thing called settings.
Now, need to find a way to explain how to do this to my old folks....
@Richard Rae
Maybe I wasn't clear before, this is NOT ENFORCEABLE by an administrator in a google apps for business environment.
Sure as an end user you can switch it on in 'settings'. But as an admin you can't enforce this across your company which is really strange.
App please
Hopefully they'll have some sort of app to generate the keys like other 2-factor systems, otherwise the whole thing is useless when I'm abroad with a local SIM..
Abroad being also exactly the place where one is most vulnerable, connecting to dodgy wifis and using spyware infested PCs.
There's apps already
Replying to myself, there are apps out there already to do this on Android, iOS and Blackberry, so no need to give your phone number to Google.
It just gets really complicated because it breaks IMAP, IM, and every client outside the web which then needs special, unique, passwords. Definitely not something to turn on for the parents..
I doubt...
I don't think it will help the seemingly bigger problem of session hijacking and people just forgetting to log out.
They already have most of this infrastructure set up, since if you *have* given Google your phone numbers, then that becomes a preferred method of delivering a password reset.
Turn on SSL
Turn on SSL and the seemingly bigger problem of session hijacking goes away. People forgetting to log out .... that's not a technology problem.
ah, but...
Only if you want it to be - the option is off by default
What country?
"The security measure, which goes well beyond what many banks and e-commerce sites offer, was first made available to Google Apps customers in September."
Wait, what? I'm sorry, maybe in your country. Here (Hungary) you actually can't have an online bank service without a mobile phone. Every time you log in or wire money, you get your one-time pad with additional info (target account number, how much you're going to wire).
Oh, wait, I remember reading about UK banks a couple of years back. So they still haven't implemented this security feature? I guess it is easier to say "it is your fault" than actually doing something to prevent it.
UK banks
Natwest implement a challenge-response handshake whenever a new payee is added to the account, but it's done via a card reader: http://www.natwest.com/personal/online-banking/g1/banking-safely-online/card-reader.ashx I believe Lloyds-TSB make mobile phone calls in the same situation. So, yes, our banks have got their arses.
Now, can I share with you some of my prejudices about Hungarians? :-P
Co-operative Bank too
The Co-op Bank also uses a card reader with challenge-response codes every time a new payee is added (or other high-risk request).
Halifax still uses its "wish it was two-factor" by asking you for a regular password, then asking you to provide certain characters from another password. Phtooey!
At about 4 times more expensive
the mobile phone plan here in Canada than in Eastern Europe, I wouldn't like a bank to force me to own a mobile phone just to send me that info. When I told my brother who lives there how much I pay each month for a basic service he almost choked laughing.
My bank does this. I have a card reader at home that authenticates against my debit card and gives me a one time code to log in. Also, if I'm trying to send money online I have to use the same device to authenticate the transfer. This is on a business account.
On my personal account if I'm sending money to someone for the first time I get a phone call from the bank asking me to authorise the transfer.
Obviously more can be done, but at least the banks are starting to improve security.
SMS authentication
I just had to reactivate my Gmail account via SMS after it had been accessed from a Chinese IP range (which seems to be amazingly common - do a Google search). Now, this is the second time this has happened, and both times I was using 12-character randomly-generated passes, so what gives? How are they cracking them? Are they brute-forcing the passes (seems unlikely) or is the suggestion that's floating around that there's some fundamental security flaw in Google's authentication system true??
Or...
Maybe you have a keylogging virus on your machine. Occam's razor.
Hmm
What's more likely ... Google's Gmail's been hacked, or you've been hacked?
Hmmm....
Keylogging?
If a keylogger had been in operation I'm sure whoever-it-is would have picked a juicier plum than a Gmail account!
Do a quick Google search - this illegal-access-from-Chinese-IPs thang seems amazingly widespread.
hmm
Android based Google Authenticator please.
None of this waiting for SMS and Voice Call rubbish. Let's face it, a landline isn't tenable... what's the point of web based email that can only be used from home, and SMS can have very long latency between send and receive, which most don't realise!
Android authenticator
@corrodedmonkee
The step by step guide for setting it up points you to the app
https://market.android.com/details?id=com.google.android.apps.authenticator
Or search for Google Authenticator on the marketplace.
It can have, but not often
More often than not my texts are instant, well faster than it takes for me to find a stopwatch.
So what's going to happen to gmail manager?
I use this to see if anything new has popped (geddit?) into my gmail account, but with this additional step I would need to be answering my phone every ten minutes.
It's a good idea - but I suspect that I and many others would prefer convenience over security, which is wrong I guess, but hey, I'm only human.
ttfn
As pointless as a chocolate teapot
FWIW, my password is complex & unique to my Google account and having to wait for a one time password to login on the only 2 systems I ever use seems quite pointless.
Better to enable it only if it's not one of your regular machines.
And I can't see anyone who needs to use it (because they have a weak password) actually enabling it.
Is it really ALWAYS 2-factor?
If you lost your mobile you would need a method of getting in and changing your settings. This method needs to NOT use your lost mobile (so security questions are the norm). Therefore knowing/guessing security answers is still a method of gaining access to somebody's account - regardless of mobile SMS passwords. The weakest link is normally the 'reset if....' or 'I've forgotten my password...' or in this case 'I've lost my mobile...' scenario.
A good idea though (not that I would trust Google with that information).
2nd factor coming later
Attempting to enable this results in a warning sign
<-- and the message
"This is an advanced feature. 2-step verification for this account will be available soon."
Compliance
It's a pretty useful option to have IMO, and not desperately painful to implement.
Just wondering what service Google have in the pipeline that requires mandatory 2-factor auth?
I'm not giving Google my details....
.... they cry.
Umm... maybe you don't give them your details, but, do you honestly think that not one of the people, who have your phone number stored in their mobiles, doesn't sync their contacts into Google's servers?
It's easy
Do what I do with my bank (yes, in the UK) that uses SMS for 'authentication': just get a really cheap pay as you go phone and SIM and give them that number. That way it's not a number you use for anything else, and you know if you get a call on it who gave the number out. Simples.
Hmmm, would like some clarification
Is it really doing this EVERY time I log into Gmail? I've given Google my mobile # for recovery purposes already, so I don't care.
But, if every time I log in I need to wait for an SMS (my operator has a "relaxed" attitude towards timeliness of sms transmissions) then that's no good.
On the other hand, I would love something that does use 2-factor SMS in the context of an unusual event that would trigger that extra security layer. Maybe logging in from a never-before-used machine (new IP address/no gmail cookies yet, that kinda thing). Of course, that might be difficult in practice when using my cell phone which will be hopping from wifi to wifi.
I wonder
How many people will have their gmail password saved on the phone that receives the sms?
Title
Me, but of course I also have it on my iPad & multiple desktops synced via Drop Box & 1Password.
Spam
I help run a high-traffic Yahoo! group and regularly get spam e-mails from members' Yahoo!, Hotmail or AOL accounts but never from Gmail accounts. Either Gmail is much more secure or Gmailers have better passwords or there are far fewer of them, or...?
