Make Your Email Hacker Proof

Good to know this thing exists, but there is absolutely no way I would ever use this. I will keep relying on strong passwords. God forbid the day comes that, to use basic services on the internet, strong passwords aren’t enough and we have to start using ever more complex methods to safeguard our privacy or property. It will just mean the whole internet has failed.

Now, for those who don’t use strong passwords this may be useful. But if that’s the case, this just seems to be an upside-down solution, where the least knowledgeable have to jump through the biggest hoops to secure their email account. That’s no way to provide a security service. It’s begging not to be used.

The only people I see having a real interest in this feature are those for whom gmail is a mission-critical service through which they pass on sensitive information. But then one must question the wisdom of using gmail for mission-critical sensitive data. And on top of that having to disclose to the service company a phone number.

Technically I think this is an interesting concept. Something an academic might smile at. It’s however practically useless.

@Ed Falk: Did you miss the section “what if I lose my cell phone?”

@JoynerCN: I was wondering the same thing. If we use application-specific passwords, doesn’t this effectively revert back to single-factor authentication with a strong password? Sure, we’re still using two-factor at most places, but there is still a way to get in with a single password. The system is only as good as its weakest link, right?

…and you made me activate two-factor authentication.
Thanks :slight_smile:

@Neil Neyman: The point is that you can control the access rights for every single device. So if your cell phone gets stolen, you can revoke its access rights.

“But the thief can use and access my Gmail on the phone right away!” That’s why you’ve set a code for unlocking your phone. You have done so, haven’t you? :slight_smile: An access code might not stop an expert hacker, but it will deter them long enough for you to buy time to revoke your phone’s access rights before they can get around to wreaking havoc with your Google account.

Wow, the USA cell phone market must suck majorly.

I’m on $15 (Australian dollars) per month plan, which includes more than enough “credit” for me (not a 1:1 relationship to “minutes” due to flagfalls, off-peak, SMS, etc; all incoming calls and SMS are free) and even includes 1GB of mobile data. My landline costs me $22/month and has higher call rates than my mobile and no included credit: I really only have it for DSL. These days landlines can receive SMS messages anyway, via a special phone or text-to-speech.

My wife is on a pre-paid plan and barely uses the minimum $10 every three months. So we have two mobiles for less than the landline base cost! With calls mobiles are at least an order of magnitude better value, for us at least.

Thanks for a great post! Finally got around to activating 2-step verification.

interesting typo you made there: “expert-sex-change” :wink:

Thanks for the push, I needed that…I’ve just activated two factor authentication :slight_smile:

I’m not a security expert, but I doubt this adds that much security.
Correct me if I’m mistaken:
I think most attacks occur due to vulnerabilities that allow hackers to hijack an open session on some site, and it does not require the hacker to guess/discover the password.
If the hacker hijacks the account, then he can change the phone number and password or go back to 1-step authentication (login and password only) and access all the information he wants.

This 2-step authentication may be giving a false sense of security.

I just wanted to say: having the iOS app and backup codes in my wallet has pretty much eliminated all the “pain” that this scheme causes.

I did need a new set of backup codes though, and your post reminded me to generate some.

Thanks for the great post Jeff!

Thank you for posting this. I’ve meant to turn on the Two-step verification process at Google but procrastinated doing that for a long time. Your article (plus some free time at hand) finally pushed me to do it. So thank you!

How does this work if you use an email client to pull your emails? #Fail.

What a dreadfully long post to advertise an unnecessary feature from Google!

I enabled it. Then about a minute later I disabled it. There are dozens of individual “applications”, and each of them would require a different application specific password, and I have dozens of devices. If there was ONE application (non?) specific password, I could deal with it, eventually getting everything in sync over a few days or maybe even longer as I used the apps on the different devices. Instead I have to go into each of maybe 20 apps on each of 6 or more devices. I would like to do something else this weekend besides generating and entering mind-numbing random strings (they don’t even show it as a QR code - otherwise I could just point my device).

Google even has an authenticator app but apparently it cannot generate application specific passwords. I don’t think there is any easy way to do this from my tablet or something else, I would have to be at the desktop and request one for each. I can’t even batch them and print out or save the list (which I would burn afterward).

This is the equivalent of having a global reset, so I would now require a different password for every application on every device.

They need to have an easier way to sync all the applications. Maybe a secure one-time password to a master authenticator so all apps on my tablet would be authenticated.

2-step verification is a pain in the butt and unusable for one simple reason.

When your Android loses its 3G/4G connection it asks you to reauthenticate. Why, for Christ’s sake?! Obviously you have to re-generate a temporary password, which you can’t do unless you’re near your computer. Stupid.

I have Android 4.0.4 and the problem still exists.

“our [email] correspondence would certainly have included every number or code that was important to us – credit card numbers, bank-account information, medical info, and any other sensitive data you can imagine.”

Oh, boy. Would “certainly have included”? Why? I have been using email for 15 years and have never emailed, nor received via email, any credit card number, bank details or sensitive data of any kind. Why would you even send these via email? More specifically, why would anyone send them to you via email? Or maybe that’s how banks roll in the US, which would be pretty insane, to be honest.

And as Jose pointed out above, the most likely scenario is not that the hacker was able to guess or brute-force the password, but that they managed a session hijack. Circumstantial evidence: the user’s experience with Gmail was sluggish, so maybe a [badly written] injected script-kiddy exploit. No authentication system will save you then, because the phone call is coming from inside the house, dun dun DUN!!!

I get that it will stop some hackers. But not as many as you might think. The cynic in me says that this is just another way for Google to get people’s mobile numbers.

@Jose Coimbra: Session hijacking would only provide access to the inbox, since switching between 2-factor and 1-factor auth requires input of the account password.

Also, the comment above mine is obviously spam!