Make Your Email Hacker Proof

I turned on 2 factor authentication about 6 months back. I had received 2 alerts upon logging into my Google Apps account that my account had been accessed from a geographically unrelated IP (Texas; I live in Wisconsin). Upon turning on 2 factor auth, no more alerts. Now these alerts may have been caused by one of my mobile devices, but I didn’t want to take the chance.

It’s also a good idea to check your forwarding rules to make sure your account wasn’t breached before these controls were put in place. An attacker could be silently forwarding your messages to another account.
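A way to make that check repeatable, added here and not part of the comment above: parse an exported Gmail filter list and flag every rule that forwards mail, marking the ones that also archive, mark as read or trash the message (the pattern of a forward meant to stay unnoticed). The export format (an Atom feed with `apps:property` name/value pairs) and the property names are assumptions, and the sample feed is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a Gmail "mail filters" export (assumed format).
# The forwarding address is a placeholder, not a real indicator.
SAMPLE_FILTERS_XML = """<?xml version='1.0' encoding='UTF-8'?>
<feed xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
  <entry>
    <title>Mail Filter</title>
    <apps:property name='from' value='newsletter@example.com'/>
    <apps:property name='label' value='Newsletters'/>
  </entry>
  <entry>
    <title>Mail Filter</title>
    <apps:property name='hasTheWord' value='password OR invoice'/>
    <apps:property name='forwardTo' value='ATTACKER-PLACEHOLDER@example.net'/>
    <apps:property name='shouldArchive' value='true'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
  </entry>
</feed>
"""

NS = {
    "atom": "http://www.w3.org/2005/Atom",
    "apps": "http://schemas.google.com/apps/2006",
}
# Actions that keep a forwarded copy out of the owner's sight (assumed property names).
HIDING_ACTIONS = ("shouldArchive", "shouldMarkAsRead", "shouldTrash")
MATCH_KEYS = ("from", "to", "subject", "hasTheWord", "doesNotHaveTheWord")


def suspicious_forwards(xml_text: str, allowed=()):
    """Return one finding per filter that forwards mail to an address not in `allowed`."""
    root = ET.fromstring(xml_text)
    findings = []
    for entry in root.findall("atom:entry", NS):
        props = {p.get("name"): p.get("value") for p in entry.findall("apps:property", NS)}
        target = props.get("forwardTo")
        if not target or target.lower() in {a.lower() for a in allowed}:
            continue
        findings.append({
            "forward_to": target,
            "matches": {k: props[k] for k in MATCH_KEYS if k in props},
            "hidden": any(props.get(a) == "true" for a in HIDING_ACTIONS),
        })
    return findings


if __name__ == "__main__":
    for f in suspicious_forwards(SAMPLE_FILTERS_XML):
        print(("HIDDEN " if f["hidden"] else "") + "forward to", f["forward_to"], f["matches"])
```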

I don’t believe you can do this on a custom domain. At least, I don’t see the 2-step verification option.

@Derek, you need to enable it in your google apps config. If you don’t admin your own google apps you’ll need to talk to whoever does.

It’s really easy, it’s just a checkbox somewhere.

@~ Sure, but gmail to gmail would be [encrypted from gmail user to google] (google does whatever the fuck they want) [encrypted from google to other gmail user]

The “authenticator” app is open source, the code is located here: http://code.google.com/p/google-authenticator/

Also, there’s a great Windows Phone 7.5 implementation here: http://www.windowsphone.com/en-US/apps/82c12390-0176-43de-916e-5613d17f61a0

@SCdF -

<< However, can you explain to me why it’s better than using a strong password? >>

It’s not necessarily better or not better, or more secure or less secure; it’s a different approach. I usually hesitate to compare approaches because like religious arguments no one wins. I use your same approach - long, unique, hopefully impossible-to-break passwords stored in a password manager which in turn is protected by a good password. But the vast majority of users either won’t have the savvy to set this up or more likely don’t even know it’s an option.

<< Where is the danger? >>

The danger is in human behavior. That’s the weak link in all these scenarios.

@Jeremy Young: Correct on several counts, but I’ll point out that sending an email to yourself is never sent anywhere, and never touches the internet. It’s already at its destination when it’s penned. :smiley:

That said, I agree with you. I never write my passwords down or email them to myself. They are long and complex, but they are also memorable, usually nonsense phrases with mixed case and numbers. (my email password is 20 characters right now, and when I change it on my birthday (a habit I’m getting myself into) I’ll probably make it significantly longer.)

@Lucky: If you’re truly paranoid, yes, you should absolutely do this. That’s assuming you can afford an SSL certificate to be able to access your email over https, of course. It also assumes you have the know-how to set all of that up.

For the rest of us? I trust Google with my cell phone number long before I’d trust most other sites. They have some privacy issues with their social site, but they’re not completely mental. For people who don’t know how to set up their own servers and don’t want to hire someone else to do it, I think Jeff’s advice is quite sound.

I do agree on some of your other points, especially about GPS. I turn the GPS on my phone on when I want navigation directions, and promptly turn it off when I’m done. Happily, Android shows me an indicator when the GPS is being accessed, which tells me that Facebook is accessing my location even though I’ve asked it not to. There’s a complete lack of trust there. :smiley: I don’t really have anything to hide, but I still don’t want my physical location in the hands of a potential hacker; that’s extraordinarily dangerous.

I’m shocked by the number of acquaintances that have had their e-mail compromised in the last couple of years. However, none of the victims were computer savvy people.

I think the audience that most needs two-factor authentication is the least likely to use it, and encouraging friends and family to use strong passwords would be a better, and more readily accepted, first step. A little education regarding safe computing would also go further and be less burdensome.

I’ve always wondered how these exploits are happening on such a mass scale. Weak passwords? Brute force attacks? Keystroke logging malware? Phishing? The similarity of the hacks I’ve seen leads me to believe they’re all using the same automated tools to do them. Why isn’t this being covered more by the tech press? Understanding the attack vector would help us better defend against these hijackings.

Thanks for this advice Jeff! I agree that it is very important to lock down a gmail account as much as possible.

Securing your GMail email account from other people, while GMail themselves are scanning our emails and giving Amazon sales leads.

I don’t use my gmail account for anything confidential/secure as it’s not a private facility.

Sadly, what can I do if I simply don’t own a cell phone? I don’t need one in my day-to-day, so it’s an extravagance that I don’t bother with. My land line is much cheaper.

You’re right, of course. Email is the key password, and I tend to change that one on a regular basis and use strong passwords and pass phrases.

Cool. Now we’re getting somewhere instead of having nightmares about passwords.

This is all very well in principle, but are you aware of Gmail’s support for international cellphone networks (hint: it’s abysmal)? It leaves a large populace with no way to use 2 factor authentication, even if they wanted to!

Nice, but a bit basic; as many have pointed out, you actually need to check what can access your Google account, and that’s a LOT of things you didn’t expect…

On top of that, it would be good to recommend a utility that could wipe a phone if you lost it…

Regards,

John Jones
http://www.johnjones.me.uk

@~ - thanks for the clarification of my comment. That’s exactly what I meant @Axlotl – once the email is out in the wild, anyone can get hold of it in an unencrypted format unless you go to lengths to encrypt its contents.

@Nicholas Flynt - Your point is valid about sending emails to yourself :slight_smile:

I like this a lot. I don’t have to bother logging in to GMAIL on another computer (I need the lastpass lookup-sheet to get my gmail password though).
The TXT service to the Netherlands is most of the time OK (within seconds); sometimes it takes time to get the TXT from the UK to the Netherlands. I’ve used the ‘call’ function once when the TXT took more than 10 minutes. Superb solution.

Thanks for the article Jeff. Cool stuff.

On a related note, if you are ever sending anything remotely sensitive through email (to a work colleague, etc), I highly recommend OneTimeSecret.com. It makes it trivially easy to give someone else an expiring link to a password.

Gmail uses STARTTLS where available to deliver email inside SMTP, so even that traffic is encrypted. Certainly Gmail-to-Gmail email is encrypted on the wire.

"The account had seemed sluggish earlier that morning because my wife had tried to use it at just the moment a hacker was taking it over and changing its settings—including the password, so that she couldn’t log in again. "

Sigh… why would an email service slow down because someone was changing the password?

FUD like this is almost as bad as Microsoft.

However, the 2 factor authentication is a GREAT thing to enable. I use it, and while it’s annoying sometimes to have my regular systems sign me out after 30 days, and maybe I don’t have my phone with me at the time (very rare), it does give me a happy, safer feeling :slight_smile:

This is why I host my own email server. And not trusting Google with my private mail is also important.

If a hacker gets access to my gmail, the only thing he’ll see is notifications about Ray William Johnson videos :slight_smile: