back to article Google brings 2-factor authentication to Gmail

Google will allow users of Gmail and its other free online services to employ a second form of verification when logging in that uses one-time passwords transmitted over mobile or land-line phones. The ability to use two-factor authentication, which will be rolled out over the next few days, is designed to make it considerably …

COMMENTS

This topic is closed for new posts.
  1. Prodigal Rebel

    send a txt message to your cellphone or a phonecall to your landline

    How charitable from Google! And int he meantime they get some extra information on you :)

    1. Anonymous Coward
      Anonymous Coward

      RE: send a txt message to your cellphone or a phonecall to your landline

      And how much do you want to bet that something will muck up and the Deaf will have to rely on SMS authentication only.

      Not to mention problems with mobile stolen phones, or if you've given your landline number, house mates trying to get into your account knowing they have access to the phone number you've given google

      1. dave 46

        notice the "2-factor" part of the headline?

        "Not to mention problems with mobile stolen phones, or if you've given your landline number, house mates trying to get into your account knowing they have access to the phone number you've given google"

        2-factor means 2 methods of identification - in this case you know the password and have the phone. If you don't know know the password having the phone won't help (but probably make is much easier to get it reset - but that's no different to your bank account).

    2. Intractable Potsherd

      "they get some extra information on you"

      With Google's datamining, if you've ever put your phone number in an e-mail, they've got it already!

    3. Tom Maddox Silver badge
      Joke

      Good point!

      However, I hear that you can prevent Google from getting that information if you just wrap your phone in tin foil. Or maybe it's your head. I can never remember, so I guess you better do both!

      1. BorkedAgain
        Joke

        No.

        It's wrap your phone in tinfoil and your head in clingfilm.

        ***Children! This was a joke! Do not really wrap your phone in tinfoil or you'll block the signal!***

        (seriously, if you do wrap your head in clingfilm 'cos I told you to then don't come crying to me if you die as a result. Have some common sense...)

  2. Anonymous Coward
    Black Helicopters

    another excuse...

    for Google to have your phone number

  3. Anonymous Coward
    Big Brother

    The idea is fine

    Except that there's enough info Google already have about me, without also knowing my mobile number. They asked me for it once for something else, I refused. And will do so again.

    1. Anonymous Coward
      Anonymous Coward

      Weird ...

      The idea is fine .... except it isn't. Make your mind up.

  4. Jay Clericus
    Go

    Great move :)

    Had the notification for mobile number as have several gmail accounts, mostly for in game use, so when someone asks character 1 for their email address, I already have an email address set up without having to give them this one :)

  5. NoneSuch Silver badge
    Unhappy

    Darling...!

    ...can you get off the phone with your mother? I need to send an email...

  6. gurrman
    Alert

    Not enforceable!!

    Major problem is that this can not be forced in google apps.

    Making two factor authentication voluntary in a business environment is next to pointless!

    I still really rate Google Apps, we moved our business to it last year from Lotus Notes and I've never had a project so well received.

    1. Hayden Clark Silver badge
      Happy

      Post-Its and messenger-boys

      .. are preferable to Lotus Notes :-)

    2. Anonymous Coward
      Anonymous Coward

      No wonder

      Lotus Notes is a catastrophe. Even a web based application like google apps feels more interactive. It's like going from blind to seeing.

      1. John H Woods Silver badge

        yes ...

        ... in fact, Lotus Notes has a web-interface that - even though it's not that good - beats the Notes (fat) Client into a cocked hat.

  7. Richard Rae

    @not enforceable

    Yes it is, I've done it have a look in that thing called settings.

    Now, need to find a way to explain how to do this to my old folks....

    1. gurrman
      Alert

      @Richard Rae

      Maybe I wasn't clear before, this is NOT ENFORCEABLE by an administrator in a google apps for business environment.

      Sure as an end user you can switch it on in 'settings'. But as an admin you can't enforce this across your company which is really strange.

  8. Anonymous Coward
    Anonymous Coward

    App please

    Hopefully they'll have some sort of app to generate the keys like other 2-factor systems, otherwise the whole thing is useless when I'm abroad with a local SIM..

    Abroad being also exactly the place where one is most vulnerable, connecting to dodgy wifis and using spyware infested PCs.

    1. Anonymous Coward
      Anonymous Coward

      There's apps already

      Replying to myself, there are apps out there already to do this on Android, iOS and Blackberry, so no need to give your phone number to google.

      It just gets really complicated because it breaks IMAP, IM, and every client outside the web which then needs special, unique, passwords. Definitely not something to turn on for the parents..

  9. Peter H. Coffin

    I doubt...

    I don't think it will help the seemingly bigger problem of session hijacking and people just forgetting to log out.

    They already have most of this infrastructure already set up since if you *have* given Google your phone numbers, then that becomes a preferred method of delivering a password reset.

    1. Anonymous Coward
      Anonymous Coward

      Turn on SSL

      Turn on SSL and the seemingly bigger problem of session hijacking goes away. People forgetting to log out .... that's not a technology problem.

      1. Cliff

        GMail SSL

        GMail is all SSL the whole time :-)

        1. madferret
          Thumb Down

          ah, but...

          Only if you want it to be - the option is off by default

  10. Nagy, Balázs András

    What country?

    "The security measure, which goes well beyond what many banks and e-commerce sites offer, was first made available to Google Apps customers in September."

    Wait, what? I'm sorry, maybe in your country. Here (Hungary) you actually can't have az online bank service without a mobile phone. Every time you log in or wire money, you get your one-time pad with additional infos (target account number, how much you're going to wire).

    Oh, wait, I remember reading about UK banks a couple years back. So they still haven't implemented this security feature? I guess it is easier to say "it is your fault" then actually doing something to prevent it.

    1. peter 5 Silver badge
      Grenade

      UK banks

      Natwest implement a challenge-response handshake whenever a new payee is added to the account, but it's done via a card reader: http://www.natwest.com/personal/online-banking/g1/banking-safely-online/card-reader.ashx I believe Lloyds-TSB make mobile phone calls in the same situation. So, yes, our banks have got their arses.

      Now, can I share with you some of my prejudices about Hungarians? :-P

      1. Joe 3
        Alert

        Co-operative Bank too

        The Co-op Bank also uses a card reader with challenge-response codes every time a new payee is added (or other high-risk request).

        Halifax still uses it's "wish it was two-factor" by asking you for a regular password, then asking you to provide certain characters from another password. Phtooey!

    2. Anonymous Coward
      Thumb Down

      At about 4 times more expensive

      the mobile phone plan here in Canada than in Eastern Europe, I wouldn't like a bank to force me to own a mobile phone just to send me that info. When I told my brother who lives there how much I pay each month for a basic service he almost choked laughing.

  11. Anonymous Coward
    Anonymous Coward

    The title is required, and must contain letters and/or digits.

    My bank does this. I have a card reader at home that authenticates against my debit card and gives me a one time code to log in. Also, if I'm trying to send money online I have to use the same device to authenticate the transfer. This is on a business account.

    On my personal account if I'm sending money to someone for the first time I get a phone call from the bank asking me to authorise the transfer.

    Obviously more can be done, but at least the banks are starting to improve security.

  12. ffoulkes
    WTF?

    SMS authentication

    I just had to reactivate my Gmail account via SMS after it had been accessed from a Chinese IP range (which seems to be amazingly common - do a Google search). Now, this is the second time this has happened, and both times I was using 12-character randomly-generated passes, so what gives? How are they cracking them? Are they brute-forcing the passes (seems unlikely) or is the suggestion that's floating around that there's some fundamental security flaw in Google's authentication system true??

    1. This post has been deleted by its author

    2. Anonymous Coward
      Anonymous Coward

      Or...

      Maybe you have a keylogging virus on your machine. Occam's razor.

      1. ffoulkes

        Keylogging?

        If a keylogger had been in operation I'm sure whoever-it-is would have picked a juicier plum than a Gmail account!

        Do a quick Google search - this illegal-access-from-Chinese-IPs thang seems amazingly widespread.

    3. Anonymous Coward
      Happy

      Hmm

      What's more likely ... Google's Gmail's been hacked, or you've been hacked?

      Hmmm....

  13. corrodedmonkee

    hmm

    Android based Google Authenticator please.

    None of this waiting for SMS and Voice Call rubbish. Lets face it, a landline isn't tenable... what's the point of web based email that can only be used from home, and SMS can have very long latency between send and receive, which most don't realise!

    1. Random Glitch

      Android authenticator

      @corrodedmonkee

      The step by step guide for setting it up points you to the app

      https://market.android.com/details?id=com.google.android.apps.authenticator

      Or search for Google Authenticator on the marketplace.

    2. Andy Hards
      Happy

      It can have but notoften

      More often than not my texts are instant, well faster than it takes for me to find a stopwatch.

  14. Paul_Murphy

    So what's going to happen to gmail manager?

    I use this to see if anything new has popped (geddit?) into my gmail account, but with this additional step I would need to be answering my phone every ten minutes.

    It's a good idea - but I suspect that I and many others would prefer convenience over security, which is wrong I guess, but hey, I'm only human.

    ttfn

  15. RogerTCB
    Thumb Down

    As pointless as a chocolate teapot

    FWIW, my password is complex & unique to my Google account and having to wait for a one time password to login on the only 2 systems I ever use seems quite pointless.

    Better to enable it only if its not one of your regular machines.

    And I can't see anyone who needs to use it (because they have a weak password) actually enabling it.

  16. Anonymous Coward
    Anonymous Coward

    Is it really ALWAYS 2-factor?

    If you lost you mobile you would need a method of getting in and changing your settings. This method needs to NOT use your lost mobile (so security questions are the norm). Therefore knowing/guessing security answers is still a method of gaining access to somebody's account - regardless of mobile SMS passwords. The weakest link is normally the 'reset if....' or 'i've forgotten my password...' or in this case 'I've lost my mobile...' scenario.

    A good idea though (not that I would trust Google with that information).

  17. Random Glitch
    Alert

    2nd factor coming later

    Attempting to enable this results in a warning sign

    <-- and the message

    "This is an advanced feature. 2-step verification for this account will be available soon."

  18. muttley
    Welcome

    Compliance

    It's a pretty useful option to have IMO, and not desperately painful to implement.

    Just wondering what service google have in the pipeline that requires mandatory 2-factor auth?

  19. thesykes

    I'm not giving Google my details....

    .... they cry.

    Umm... maybe you don't give them your details, but, do you honestly think that not one of the people, who have your phone number stored in their mobiles, doesn't sync their contacts into Google's servers?

  20. Anonymous Coward
    Anonymous Coward

    its easy

    do what I do with my bank (yes in the UK) that uses SMS for 'authenication' just get a really cheap pas as you go phone, sim and give them that number. That way its not a number you use for anything else and know if you get a call on it who gave the number out, simples

  21. Jean-Luc
    Alert

    Hmmm, would like some clarification

    Is it really doing this EVERY time I log into Gmail? I've given Google my mobile # for recovery purposes already, so I don't care.

    But, if every time I log in I need to wait for an SMS (my operator has a "relaxed" attitude towards timeliness of sms transmissions) then that's no good.

    On the other hand, I would love something that does use 2-factor SMS, in the the context of an unusual event that would trigger that extra security layer. Maybe logging in from a never-before-used machine (new IP address/no gmail cookies yet, that kinda thing). Of course, that might be difficult in practice when using my cell phone which will be hopping from wifi to wifi.

  22. edge_e
    FAIL

    I wonder

    How many people will have their gmail password saved on the phone that receives the sms?

    1. Wpgwill

      Title

      Me, but of course I also have it on my iPad & multiple desktops synced via Drop Box & 1Password.

  23. Nick Pettefar

    Spam

    I help run a high-traffic Yahoo! group and regularly get Spam e-mails from members' Yahoo!, Hotmail or AOL accounts but never from Gmail accounts. Either Gmail is much more secure or Gmailers have better passwords or there are far less of them, or...?

This topic is closed for new posts.

Other stories you might like