
Google has introduced a new two-step authentication feature for Gmail users that it says will significantly increase the security of the free mail service. The system enables users to set up a method for obtaining a secret code that will be required, along with a password, to access a Gmail account.

The new two-factor authentication system is a voluntary program right now, although it could become mandatory at some point in the future. Gmail, like virtually all other webmail services, has been a frequent target of attacks, both sophisticated and mundane, aimed at hijacking users’ accounts. The most famous of these was the Aurora operation against Google and other companies, part of which targeted the Gmail accounts of Chinese dissidents.

Under the new authentication system for Gmail, which the company announced today, users can enable a setting on their Account Settings page that requires them to enter a code in addition to their password. Google will deliver that code to the user by SMS or by a phone call. Users also have the option of installing an app on their mobile device that generates the code locally.

“Once you enable 2-step verification, you’ll see an extra page that prompts you for a code when you sign in to your account. After entering your password, Google will call you with the code, send you an SMS message or give you the choice to generate the code for yourself using a mobile application on your Android, BlackBerry or iPhone device. The choice is up to you. When you enter this code after correctly submitting your password we’ll have a pretty good idea that the person signing in is actually you,” the company said.

“It’s an extra step, but it’s one that significantly improves the security of your Google Account because it requires the powerful combination of both something you know—your username and password—and something that only you should have—your phone. A hacker would need access to both of these factors to gain access to your account.”

The system is similar in intent to ones used by some banks to offer an extra measure of security for online banking. Some banks allow users to select a picture that they then must identify during the login process, along with entering a username and password, while others allow users to set up an SMS verification system like the Gmail method. The Gmail system follows on the heels of a similar one that Google introduced for Google Apps recently.

Categories: Cryptography, Vulnerabilities, Web Security

Comments (67)

  1. Anonymous
    2

    I don’t have a smart phone and texts cost me money. So if they make people use it, it will cost me to check my email. I don’t like the sound of that.

  2. Anonymous
    3

    If my bank can verify me without SMS, why can’t google?  This is a bad idea :(  I don’t own a cell phone and do not want one.

  3. Anonymous
    4

    This is not a bad idea, it is clearly stated as being optional via an account setting you change.

    I have used two factor authentication before and it is a very simple and fast. This is a wonderful method of providing added security to those who want it.

  4. Anonymous
    5

    This is just plain wrong:

    The system is similar to ones used by some banks to offer an extra measure of security for online banking. Some banks allow users to select a picture that they then must identify during the login process, along with entering a username and password.

    The picture thing that some banks use is not two factor authentication. It’s no better than a longer password. What Google is doing makes it far more difficult for an attacker because they have to somehow both steal your password and your physical phone or find a way to intercept an SMS.

  5. Anonymous
    6

    This system is for people who do have some sort of local device that can be used as an authenticator and want additional security for themselves. This is a common system used in enterprise software and in video games to ensure account security when sensitive or valuable data is at stake.

    Systems that implement two-factor authentication also generally sell USB dongles or cheap portable devices (in the neighborhood of $20 or so) that generate the second auth factor for people who want the additional security. But doing it through your mobile phone would almost certainly be cheaper for the vast, vast, vast majority of users.

    The anonymous commentor above me shouldn’t be wondering why Google is in favour of two-factor authentication, they should be wondering why their bank doesn’t take data security seriously enough to offer a two-factor system.

  6. Anonymous
    7

    It’s good to hear that Google is taking security seriously.

    What is sad though is that there are already some negative comments on this… They’re just trying to make you more secure. Moreover it’s optional and they’re providing several options if you want to opt in, so get over it.

  7. Anonymous
    8

    Look, not everybody is buying android phones, how else is Google going to track your location for its latitude service if you don’t give them access to your phone?

    Everybody knows total invasion of privacy is required to display an ad.

  8. Anonymous
    10

    This is already in use in many games, it’s a great system, it is not forced on anyone, but is a way to allow those who want extra security to have it.

  9. Anonymous
    12

    Egad, the ignorance is mind bending. This is a good thing. If you want to make your email available to anyone who knows your kid’s name then that should be a setting you have to do deliberately. The default should be 2 factor authentication. If they can make a dongle or something available for those who don’t have a cell, or can’t be bothered with the other options, so much the better but the default should be the best security available.

  10. Anonymous
    13

    My bank has a password and a security question. The security question is chosen at random at each attempt to log in. The question is chosen from a list that I helped create (first pet’s name, Mom’s maiden name, high school mascot, model of first car, name of best friend, favorite musical artist, etc.). This may not be quite as effective as call-backs, but it seems pretty good.

    The big problem with either of these solutions is they are incompatible with traditional mail solutions. A lot of people use mail clients like Apple Mail, Outlook, or Thunderbird to access their gmail and, while I use FireFox, I depend on WebMail Notifier to monitor all of my new mail for multiple accounts on multiple servers.

  11. Anonymous
    14

    Google has realized it does not yet have your phone number and figures this is a good way to get it ;-)

    By the way, this only works with the web apps, right? If you use an actual email client (via IMAP or POP) there is no way to do that.

  12. Anony Mouse
    15

    After having my gmail account hijacked last year, I’m all for having it secure. I’ve chosen to secure all of my accounts by using a password generating program, and saving all of the passwords in an encrypted file. The random passwords are such as ‘EXM4Gm09gBm6QqSCkSPk’ which isn’t likely to be guessed by anyone. The unfortunate thing is that you have to cut and paste from the program to use it because you’re not likely to remember each password. I just don’t want to ever go through the hassle that I did.

  13. onosendai58
    16

    As a long-time user of Google, i.e., gmail and Youtube, I know far too well what “It’s optional now” means. It will be mandatory in a year or less. I use a regular cell phone for my home phone, no texting, nada. I don’t want Google to have access to my number, plain and simple. When it becomes mandatory, and it will, I’ll be switching to one of the many others available. Btw, I already use Chromium instead of Google Chrome because Chrome tracks your usage, and has anyone forgotten the GoogleEarth streetmapping debacle? No thanks.

  14. Anonymous
    17

    To those of you complaining about not owning a cell phone, I question your comprehension skills. Do you not have any phone whatsoever? Because they will also use a phone call, which does not require SMS or a cell phone. Yes, it will restrict your Gmail access to whatever abode has that phone and means security at that one location is limited, but it’s still two factor authentication.

    It’s optional to begin with.

    And if you’re really concerned about your privacy, don’t forget you have options: http://goo.gl/Q9xmO

  19. Anonymous
    22

    So, every time a login attempt to your gmail account is made you get a phone call or SMS?  Nobody at google has noticed the huge flaw in this approach?

  20. Anonymous
    23

    So, what about those who access their Google account at a public library or even at a FedEx Kinkos?  They may be using one of those “pay as you go” phones that hit you with a $3 charge each day you actually receive or make a call.  There are ways to do this without requiring it to cost extra to check your email.  

    Although, Google really wants your phone number and other information.  That way they can mix that data with your email contents and browsing history and sell really customized ads and charge a bunch of money for them.  Evil?  No, just supercapitalist!  You are all just sources of cash for the rich to pillage from.

  21. Anonymous
    24

    I think I would prefer a USB dongle like Yubikey, or an external app to generate the 2nd input, rather than using a TXT SMS.

  22. Anonymous
    25

    “Real” two-factor authentication requires a hard or soft token.

    This is two-step authentication, and uses methods that will result in users frequently being locked out of their systems.  Not to mention methods that lead to the secret code being fairly easily intercepted giving users a false sense of security.  Bad enough for the banks to mis-label the auth schemes they are using as two-factor, but the experts at google should know better.

    Hey google, how about starting a “Real” globally centralized two-factor hard token based authentication that users can point other company authentication to?  Now THAT would be a real solution.

  23. Anonymous
    26

    So I will need to either pay for a text or pay for a phone call to check my e-mail. No thanks. I’ll go elsewhere.

  24. Anonymous
    27

    Chase has a form of two factor authentication.  The first time you ever log in from an untrusted location you can either call in or have a code texted to you to enter.   It then authenticates that machine for the immediate future.

  25. Adam C
    28

    I do not own a phone or have regular access to one. (I live in rural Alaska and communicate via Ham radio and radio-internet links) so I hope this remains optional.

  26. Anonymous
    29

    It’s optional people.  It’s an opt-in service for extra security.

    Chill. 

    The author makes huge assumptions in saying it may soon be mandatory.  Not true.

  27. Anonymous
    30

    PayPal has been offering a 2-factor authentication fob or SMS option for their customers for years … they are far more progressive than most banks in that they understand their trust relationship with their customers. Google is just taking notice.

  28. Owen
    31

    I’d use this if it only required the SMS code when you attempted to log in from an unknown IP address, otherwise having to have your phone handy and enter an extra code every time you want to open your email sounds a right pain in the ***.

  29. LT
    32

    Two factor should also work with Yubico’s Yubikey, for all Google users not just corporate users.

  30. Anonymous
    33

    Got no cell phone. Don’t want to buy one, certainly not for this. There are cheap little devices that can generate a changing code, Google should consider using these for users without cell phones, although I dread to think what happens when the battery dies or it breaks.

    Perhaps they should consider doing this only for e-mail access originating from outside your “home” domain. Currently Google exercises no different security if you log into your account from the same ISP that you did yesterday or if it is accessed from Nigeria (I know this because I have a friend whose Google account was pwned from Nigeria).

  31. Anonymous
    36

    Sorry, my response above was intended to be a reply to an earlier comment stating that pictures were not true 2-factor authentication (true), and that they only served as a longer password (false). The new true 2-factor authentication is a good idea, but there are certainly some logistical issues if they ever have any intent of making it a requirement (which I highly doubt will happen).

  32. Google Talk User
    37

    BIG PROBLEM.

    If my phone number is hosted with Google Talk, and I use my Google Account to get into Google Talk, how can I log into Google Talk to get the SMS message Google sends me so that I can log into my Google Account?

  33. Anonymous
    38

    Oh, my! It’s CHANGE. Evil Google is changing MY e-mail (which I pay nothing to use, use for free, and costs me nothing).

    How dare they change what they own (the servers, storage, maintenance)?!

    Get over yourselves. Y’all probably haven’t been this upset since they made password requirements longer than four letters.

  34. Richard
    39

    Sounds great to me. Now I wish the banks would do it. I’d hoped for some device that generated the key after you inserted your bank card – something that could be standardised so no matter how many banks you bank with you have only one. It looks like the mobile phone is becoming this item.

  35. nods
    41

    just another way for google to associate your phone# with their digital identity of you in their marketing system.

    remember it’s not paranoia if “they” really are tracking you. and “they” are.

  36. Anonymous
    42

    If they work it so the “From number” on the SMS or phone call contains the generated access code, then anyone using a pay-as-go phone would be able to get the code without having to read the actual message or answer the call.

  37. Anonymous
    43

    I don’t have a cell phone. Why am I discriminated against? I guess they feel people without cell phones are not marketable and don’t matter. So I don’t get a Gmail account. So I don’t use Google apps. So I don’t use Google as my start page anymore. I’m just one person, they could care less about. So I won’t care about them either.

  38. Anonymous
    44

    “Google will call you with the code, send you an SMS message or give you the choice to generate the code for yourself using a mobile application on your Android, BlackBerry or iPhone device.”

    Not having a cell phone does not mean you can’t use it. You can still have them call you (ie, it would work with a land line). If you don’t have either, okay, you have a problem. You also would not be able to read your e-mail when you are not home.

    All of that is easily solved by the fact that this is OPT-IN, not OPT-OUT. You CHOOSE to use 2 factor, it is not forced upon you. Logistically, they really have no good way to mandate it, unless they are going to give away the fobs to generate the code…which would be prohibitively expensive.

  39. Holly
    46

    To the comments concerned about the use of cell phones, not having one, etc., the truth is that two-factor authentication is needed. Whether it’s done by cell phone or some other measure, criminals are out there with the simple goal of stealing your personal and/or work related information and most people are currently making it very easy for them to do this. Thinking that the “username and password” system provides enough protection is like thinking that a screen door on a submarine will keep the water out. Neither of the two is very safe or secure. I work for Symantec and we’re glad to see strong authentication moving through the web.

  40. naymone
    47

    I don’t have a phone to get SMS from Google, because I use it from Burma. So give me an alternative way to verify my account.
    Thanks.

  41. Anonymous
    48

    Wow I am stupefied by the large number of dimwits out there that somehow think two factor authentication is a bad thing…

    I know that it is great and I use it on gmail and where ever else it is available.

    The code is generated by an app running on your Android, iOS or Blackberry smart phone, it does not need SMS or a phone call.  When you first sign up for this Google generates a small number of single use codes that you can (print off) and save just in case you lose your phone.  These one time codes allow you to recover your gmail account if your phone is lost or left somewhere.

    If you are one of the paranoid ones who have commented then good luck with the rest of your life and do not use any sort of e-mail or browsing because THEY are watching YOU.

  42. Anonymous
    49

    Well it’s 2-factor authentication. So if you lose your phone, at least the guy who has it cannot get into your account. After that it’s simply getting a new code sent by SMS.

  43. Anonymous
    50

    Quote: If my bank can verify me without SMS, why can’t google?

    I used to work at a VERY large banking institution. And the answer is that we could not.

    Fraud is rampant, the attacks are sophisticated, and there is no money in defense so long as we don’t end up on the front page.

    We regularly asked management who was making the call that an RSA token was too expensive an option to even offer. You could get one for your WOW account, but not for your bank.

    If you know what your banks security looked like you would cry yourself to sleep.

  44. Anonymous
    51

    Your bank can’t be as certain that it’s you without 2 factor identification as it can with it.  Many banks (including mine) are sufficiently confident with username/password that they don’t require 2 factor authentication.

    I don’t have a cell phone either so I hope Google keeps this optional.  It is however a good thing.

  45. Anonymous
    55

    No, every time you log in on a strange computer you have to get a phone call or SMS.  If you’re on your own computer, then you set it as a trusted machine, and you have to do it once.

  46. Anonymous
    56

    The bank pic isn’t two-factor authentication, but it does have value. It tells you that you have actually reached the bank’s web site (as opposed to someone imitating your bank.)

    In essence, your user ID and Password authenticate you to your bank, and the bank picture authenticates your bank to you.

  47. Anonymous
    57

    And in return for this pillaging you get nothing, except free email, free search, free maps, free office suite etc etc.

    You always have the choice to just not use Google, if you prefer.

  48. Anonymous
    58

    >If my bank can verify me without SMS, why can’t google? This is a bad idea :( I don’t own a cell phone and do not want one.

    Because your bank probably has subpar authentication.

    Think before you post.

    There was a test way back where people were told to log into their BoA account. The people administering the test found that many of the people logging in did not even notice the “security image” was gone making BoA’s security a joke.

  49. Anonymous
    59

    And the secret is… banks can’t verify you.

    Most people use simple passwords (easy to remember), and some even have secondary questions…

    But they’re all susceptible to the same attacks:  as long as it’s something that doesn’t change (username and password), it can be attacked.  Things with limited randomness (pictures of people you know, etc.) are exactly that: limited — it helps, but not by much (especially if you’re famous).

    That’s the point of the two factor login.  You must know something (password), then you must have something.  Even if you were able to intercept one SMS, it’s only valid that one time and is probably just a completely random number.

  50. Anonymous
    60

    It actually isn’t even better than a longer password. Passwords are used to authenticate you to the server (ie, to prove to the server that you are in fact you). The picture is used to authenticate the server to you (ie, to prove to you that you are actually talking to your bank). This is to defend against phishing attacks, since the assumption is that the attacker would not know the correct picture to display back to you when they send you a fake login page.

    This of course is really only a band-aid. It may protect against mass phishing, but it will not protect against a spearphishing attack, since the attacker would likely already know your username. If they know your username, they could just provide that information to the bank’s webserver, and it would respond with the same login page that you would see (and thus with the bank’s “credentials”). This is only slightly offset by the fact that some banks ask a security question first (mother’s maiden name, grandparents’ first names, etc). This mechanism provides no real protection in the spear phishing case, because pretty much all of the security information could be found through open source means, and any successful spearphisher would probably have harvested that information already.

  51. Anonymous
    62

    If you’re talking about using the ATM, your bank already uses multi-factor authentication…  Something you have (card) and something you know (PIN).  What do you want, Google to send you a card that you can use each time you log in?  That would cost too much, also not every computer will have a card reader…

    The way you talk to your bank on the phone is by giving a boat load of personal information each time you log in…

    That’s the problem with security, it’s inconvenient :-)

  52. Anonymous
    64

    Right.  It’s only a “dumb idea” until your own account gets hacked.  Then you’ll be wishing you hadn’t been so negative about a company taking steps to make YOUR information more secure.  I applaud Google for taking this step – and for making it optional so that those of us who care can be more secure, and those who don’t will be the easier targets the hackers go after!

  53. Anonymous
    65

    try lastpass, it is free and it can not only remember and fill the password, but also generate a random password like the one you just mentioned.

  54. asmiller-ke6seh
    67

    Google can call your HOUSE phone with the code. If you don’t have a cell phone OR a house phone, why are you on the Internet?

Comments are closed.