Make Your Email Hacker Proof

Isn’t this pretty useless as you can use IMAP/SMTP to receive and send messages in GMail (at least when I enable it, and I do)?

@SCdF

In terms of insecurity, I think the weakest link is that my email is permanently connected on my phone, so if I lost my phone and someone bypassed my PIN they could access all of my email. And 2 factor authentication does nothing to solve that.

2 factor authentication does solve that. In order for your phone to access gmail, you create an application-specific password in your Google account. And you can then revoke access for that application with one click (which you could not do without the 2 factor setup).

Keep in mind that application-specific passwords are not really specific to that single application, and if an attacker gains access to one of them they will be able to access your email with it (for example via an IMAP client).

@Yaakov Ellis: “In order for your phone to access gmail, you create an application-specific password in your Google account.”

Which solves a part of the problem: the attacker won’t see any new e-mails. However, most mail clients will keep a local cache of the e-mails, so your e-mail history is compromised one way or another.

Firstly, to SCdF. The two factor auth sorts out keyloggers or insecure wire transfers. Both are way more common than you’d believe. I’ve seen compromised accounts with passwords so complex that this is the only way they could have been hit.
As others have pointed out, the best thing about this is that it is simple. You can explain this sort of two factor auth to your grandmother, same reason the banks use it. It’s even quicker with the app and means it is actually OK to log in to your account on an untrusted PC these days. Just remember to terminate all the logins, not just log out when finishing.

As for Gmail blocking accounts, they do indeed shut down access for failed attempts. Even if you connect too many times using the “correct” password, it will get blocked. The blocks appear to be time-limited and IP based, so I’m not sure how that works for something like Tor, but I’m guessing they have a system to protect against those attacks.

FYI, I use google apps for domains and I do not have this option in my account settings.

You don’t need two-factor authentication if your password is (1) unique to the site, (2) stored nowhere, and (3) strongish.

Really it’s not that complicated. Use a secret hash to convert site names into non-dictionary passwords, and don’t write anything down anywhere. Problem solved.
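The scheme the commenter above sketches, written out as an added example (not the commenter’s code): a per-site password is derived from one memorised secret and the site name with HMAC-SHA256, so nothing is stored and the derived strings are not dictionary words. The secret string in the example is a constructed placeholder; the length limits and the site-name normalisation are assumptions of this example, not part of the comment.

```python
import base64
import hashlib
import hmac

# Added example of a deterministic per-site password scheme.
# The secret is a constructed placeholder, not a real credential.
EXAMPLE_SECRET = "correct horse battery staple"


def site_password(secret: str, site: str, length: int = 20) -> str:
    """Derive a site-specific password from a memorised secret.

    The site name is normalised (lowercased, surrounding whitespace removed)
    so "GitHub.com" and " github.com " agree. HMAC keyed with the user's
    secret means the output cannot be reversed or forged without it.
    """
    # 32-byte digest -> 43 URL-safe base64 characters without padding.
    if length < 12 or length > 43:
        raise ValueError("length must be between 12 and 43 characters")
    key = secret.encode("utf-8")
    msg = site.strip().lower().encode("utf-8")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    # URL-safe base64 uses letters, digits, '-' and '_', which most
    # sites accept; drop the '=' padding.
    encoded = base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")
    return encoded[:length]


def passwords_for(secret: str, sites) -> dict:
    """Convenience helper: derive passwords for several sites at once."""
    return {site: site_password(secret, site) for site in sites}


if __name__ == "__main__":
    for site, pw in passwords_for(EXAMPLE_SECRET, ["bank.example", "mail.example"]).items():
        print(f"{site}: {pw}")
```

Two consequences of this design that the comment does not mention: every derived password changes if the master secret changes, so a single site’s breach cannot be rotated without either changing the secret everywhere or adding a per-site counter to the message; and a site that caps password length or forbids `-`/`_` needs its own rule, which is exactly the kind of state the scheme tries to avoid keeping.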

@Marc Reside: are there still countries where land lines are cheaper than mobile?!

In Norway the cheapest land lines cost about 35 USD per month (and that’s just for the privilege of having a telephone, not including actually calling anyone), while several mobile plans have no base cost and some have free use for 17 USD.

Almost nobody below the age of 40 has a land line here, since it’s ridiculously expensive…

Great article (as all your articles about e-mail tend to be). Backup verification codes are the bit I needed to enable two-way verification.

(Now, I wish Gmail worried about e-mail itself as much as they care about security.)

If you want to be ‘hacker-proof’ you’ve left out a vital step.

Disable IMAP and POP, as Google have not stopped these from acting as a gateway for brute force attacks. (They are ‘rate-limited’, but given enough Gmail accounts and enough IP addresses, this is not a deterrent.)

I don’t know if two factor auth closes that gap. Better to be safe.

Background reading:

http://seclists.org/fulldisclosure/2009/Jul/254
http://edwincastillo.com/archives/111
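The weakness the comment above points at is that a per-IP rate limit is blind to guesses for one account spread across many addresses. As an added example (not the commenter’s code and not Google’s), the detection below runs over constructed IMAP authentication log lines in an assumed `timestamp imap auth-failed|auth-ok user=… ip=…` format and shows both views: the per-IP counter that never fires, and the per-account count of distinct source addresses that does.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample IMAP authentication log (not real data, assumed format).
# "alice" is being guessed from four addresses, each staying under a per-IP
# limit of three failures; "carol" is hit from a single address and would be
# caught by the per-IP limit; "bob" mistyped once and then logged in.
SAMPLE_LOG = """\
2011-04-21T10:00:01Z imap auth-failed user=alice ip=198.51.100.7
2011-04-21T10:00:05Z imap auth-failed user=bob ip=192.0.2.44
2011-04-21T10:00:09Z imap auth-ok user=bob ip=192.0.2.44
2011-04-21T10:00:31Z imap auth-failed user=alice ip=203.0.113.5
2011-04-21T10:01:02Z imap auth-failed user=alice ip=198.51.100.7
2011-04-21T10:01:40Z imap auth-failed user=carol ip=203.0.113.77
2011-04-21T10:01:45Z imap auth-failed user=carol ip=203.0.113.77
2011-04-21T10:01:50Z imap auth-failed user=carol ip=203.0.113.77
2011-04-21T10:01:55Z imap auth-failed user=carol ip=203.0.113.77
2011-04-21T10:02:10Z imap auth-failed user=alice ip=192.0.2.9
2011-04-21T10:02:55Z imap auth-failed user=alice ip=203.0.113.5
2011-04-21T10:03:20Z imap auth-failed user=alice ip=198.51.100.20
2011-04-21T10:04:00Z imap auth-failed user=alice ip=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) imap (?P<result>auth-failed|auth-ok) "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def parse_events(text):
    """Parse log lines into (timestamp, result, user, ip) tuples sorted by
    time, skipping lines that do not match the assumed format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return sorted(events)


def per_ip_offenders(events, limit=3):
    """Addresses with more than `limit` failures: what a per-IP limiter sees."""
    failures = defaultdict(int)
    for _, result, _, ip in events:
        if result == "auth-failed":
            failures[ip] += 1
    return {ip for ip, n in failures.items() if n > limit}


def distributed_offenders(events, window=timedelta(minutes=10), min_ips=3):
    """Accounts whose failed logins come from at least `min_ips` distinct
    addresses inside some `window`: the pattern a per-IP limiter misses.
    Returns {user: max_distinct_ips_in_any_window} for flagged accounts."""
    by_user = defaultdict(list)
    for ts, result, user, ip in events:
        if result == "auth-failed":
            by_user[user].append((ts, ip))
    flagged = {}
    for user, fails in by_user.items():
        best = 0
        # fails is already time-ordered; slide a window from each failure.
        for i, (start, _) in enumerate(fails):
            ips = {ip for ts, ip in fails[i:] if ts - start <= window}
            best = max(best, len(ips))
        if best >= min_ips:
            flagged[user] = best
    return flagged


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("per-IP limiter would block:", per_ip_offenders(evs))
    print("accounts under distributed guessing:", distributed_offenders(evs))
```

On the sample, the per-IP view only catches `carol`’s single noisy source, while the per-account view flags `alice` with four distinct addresses in under five minutes. The per-account signal is also the one to act on with a lock or step-up challenge on the account rather than on the address, since the attacker controls the addresses.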

@Hayden Muhl (or anyone else who thinks you get a text every time you check your email) : You only have to do the text message once every 30 days per computer you access it from. So if you visit the library daily to check your email, then yes, you do need to get a text every time, but if you use your personal computer it’s only once every 30 days.

I’ve used this setup for a year now and you couldn’t pay me to go back.

It may not be as secure, but it is much easier to implement. Here is my system:

An email for spam and sign-ups for sites that still require it and that also block mailinator. I never check this email unless I need a verification code or something to sign up.

An email for high security accounts, like banks and social networking. It is password protected with an extremely complex password, and I never share that email with any apps or outside vendors for auto-connect.

Last is my personal email that I use for communication. This is the one that I share with apps for my smartphone. I never store any potentially devastating information on this email, so if it was compromised, they wouldn’t gain any sensitive data.

Unfortunately, 2-step verification is not available for free Google Apps accounts.

Diego Mijelshon - yes it is. I use 2 step verification on my free Google Apps account that I use for my domain (which I primarily just use for personal email).

I’ve had 2 step verification turned on for a good 6 months now, and it has never really been a huge pain at all. But I forgot to print out my backup codes when I first did it, so thank you for reminding me to do so.

This is essentially using your smartphone as a SecurID dongle, right? That seems well accepted as good security, so it’s surprising so many people are down on it when Google gets involved. (Or not really surprising at all.)

Damn, I hoped this post was about making email spammer-proof…
Again, a boring 2-step verification article.

One thing I’m always curious about with this: if security is so important, why do many web sites (even banking web sites) only let you use short passwords? I know a bank which only lets you type 8 characters, and tells you not to include a certain set of characters.
Isn’t this an awful fail in security? Why do they do that, then?

Jeff - would you mind changing the title to Make Your Gmail Hacker Proof? It’s not really relevant to other email providers.

Thanks for the notification and explanation. Now using 2-step verification.

FWIW - merely adding two-factor is not a panacea.

Recently a good friend of mine had his account snagged even with the two-factor option enabled: the attacker had set his email as the backup/recovery address, and therefore was able to bypass the authentication field (by doing a reset).

Timing on that attack was carefully coordinated, but it’s still a cautionary concern.