send a txt message to your cellphone or a phone call to your landline
How charitable of Google! And in the meantime they get some extra information on you :)
Google will allow users of Gmail and its other free online services to employ a second form of verification when logging in that uses one-time passwords transmitted over mobile or land-line phones. The ability to use two-factor authentication, which will be rolled out over the next few days, is designed to make it considerably …
And how much do you want to bet that something will muck up and the Deaf will have to rely on SMS authentication only.
Not to mention problems with stolen mobile phones, or if you've given your landline number, housemates trying to get into your account knowing they have access to the phone number you've given Google.
"Not to mention problems with stolen mobile phones, or if you've given your landline number, housemates trying to get into your account knowing they have access to the phone number you've given Google."
2-factor means 2 methods of identification - in this case you know the password and have the phone. If you don't know the password, having the phone won't help (but it probably makes it much easier to get it reset - but that's no different from your bank account).
It's wrap your phone in tinfoil and your head in clingfilm.
***Children! This was a joke! Do not really wrap your phone in tinfoil or you'll block the signal!***
(seriously, if you do wrap your head in clingfilm 'cos I told you to then don't come crying to me if you die as a result. Have some common sense...)
Major problem is that this cannot be forced in Google Apps.
Making two factor authentication voluntary in a business environment is next to pointless!
I still really rate Google Apps, we moved our business to it last year from Lotus Notes and I've never had a project so well received.
Hopefully they'll have some sort of app to generate the keys like other 2-factor systems, otherwise the whole thing is useless when I'm abroad with a local SIM..
Abroad is also exactly the place where one is most vulnerable, connecting to dodgy wifis and using spyware-infested PCs.
Replying to myself, there are apps out there already to do this on Android, iOS and Blackberry, so no need to give your phone number to google.
It just gets really complicated because it breaks IMAP, IM, and every client outside the web which then needs special, unique, passwords. Definitely not something to turn on for the parents..
I don't think it will help the seemingly bigger problem of session hijacking and people just forgetting to log out.
They already have most of this infrastructure set up, since if you *have* given Google your phone numbers, then that becomes a preferred method of delivering a password reset.
"The security measure, which goes well beyond what many banks and e-commerce sites offer, was first made available to Google Apps customers in September."
Wait, what? I'm sorry, maybe in your country. Here (Hungary) you actually can't have an online banking service without a mobile phone. Every time you log in or wire money, you get your one-time pad with additional info (target account number, how much you're going to wire).
Oh, wait, I remember reading about UK banks a couple of years back. So they still haven't implemented this security feature? I guess it is easier to say "it is your fault" than actually doing something to prevent it.
Natwest implement a challenge-response handshake whenever a new payee is added to the account, but it's done via a card reader: http://www.natwest.com/personal/online-banking/g1/banking-safely-online/card-reader.ashx I believe Lloyds-TSB make mobile phone calls in the same situation. So, yes, our banks have got their arses.
Now, can I share with you some of my prejudices about Hungarians? :-P
The Co-op Bank also uses a card reader with challenge-response codes every time a new payee is added (or other high-risk request).
Halifax still uses its "wish it was two-factor" by asking you for a regular password, then asking you to provide certain characters from another password. Phtooey!
My bank does this. I have a card reader at home that authenticates against my debit card and gives me a one time code to log in. Also, if I'm trying to send money online I have to use the same device to authenticate the transfer. This is on a business account.
On my personal account if I'm sending money to someone for the first time I get a phone call from the bank asking me to authorise the transfer.
Obviously more can be done, but at least the banks are starting to improve security.
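The Hungarian scheme above (a one-time code delivered together with the payee and amount) and the card-reader or phone-call authorisation of a new payee share one property: the code is tied to a specific transfer, so it is useless for any other one. The following is an added example of that binding, written for this page and not taken from any bank's actual system; the key, the nonce handling, the SMS wording and the account numbers are all constructed, and the `TransactionAuthoriser` class is hypothetical.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed key shared between the bank's authentication server and the SMS
# issuing service (NOT a real key).
DEMO_KEY = b"\x13" * 32
DIGITS = 6
MAX_ATTEMPTS = 3


def canonical(payee_account: str, amount: int, currency: str) -> bytes:
    """Fixed, unambiguous encoding of the transaction details the code is bound to.
    Length-prefixing each field prevents two different transfers from serialising
    to the same bytes (e.g. account '12' + amount '34' vs account '1' + amount '234')."""
    out = b""
    for field in (payee_account.encode(), str(amount).encode(), currency.encode()):
        out += struct.pack(">H", len(field)) + field
    return out


def transaction_code(key: bytes, nonce: bytes, payee_account: str, amount: int, currency: str) -> str:
    """HMAC-SHA256 over nonce || transaction details, reduced to a 6-digit code.
    The nonce makes every code single-use; the details make it single-purpose."""
    mac = hmac.new(key, nonce + canonical(payee_account, amount, currency), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % (10 ** DIGITS)).zfill(DIGITS)


class TransactionAuthoriser:
    """Bank side (hypothetical). Issues a code for a pending transfer and checks it
    against the transfer the bank is actually about to execute."""

    def __init__(self, key: bytes):
        self.key = key
        self.pending = {}  # nonce -> failed attempts so far

    def issue(self, payee_account: str, amount: int, currency: str):
        nonce = secrets.token_bytes(8)
        self.pending[nonce] = 0
        code = transaction_code(self.key, nonce, payee_account, amount, currency)
        # This is the SMS body. The details are printed next to the code so the
        # customer can spot a payee or amount that malware rewrote in the browser.
        sms = f"Transfer {amount} {currency} to {payee_account}. Code: {code}"
        return nonce, code, sms

    def authorise(self, nonce: bytes, code: str, payee_account: str, amount: int, currency: str) -> bool:
        attempts = self.pending.get(nonce)
        if attempts is None:
            return False  # unknown, expired or already consumed
        if attempts >= MAX_ATTEMPTS:
            del self.pending[nonce]  # too many guesses: the nonce dies
            return False
        expected = transaction_code(self.key, nonce, payee_account, amount, currency)
        if hmac.compare_digest(expected, code):  # constant-time comparison
            del self.pending[nonce]  # single use: a captured code cannot be replayed
            return True
        self.pending[nonce] = attempts + 1
        return False


if __name__ == "__main__":
    bank = TransactionAuthoriser(DEMO_KEY)
    nonce, code, sms = bank.issue("DEMO-ACCT-0001", 25000, "HUF")
    print(sms)
    print("amount altered:", bank.authorise(nonce, code, "DEMO-ACCT-0001", 250000, "HUF"))
    print("genuine:", bank.authorise(nonce, code, "DEMO-ACCT-0001", 25000, "HUF"))
    print("replay:", bank.authorise(nonce, code, "DEMO-ACCT-0001", 25000, "HUF"))
```

A login-only OTP, like the one in the Gmail rollout, proves the person has the phone; it says nothing about what the session then does. Binding the code to the payee and amount, and showing those details on a second device, is what turns the phone into a check on the transaction itself rather than on the login.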
I just had to reactivate my Gmail account via SMS after it had been accessed from a Chinese IP range (which seems to be amazingly common - do a Google search). Now, this is the second time this has happened, and both times I was using 12-character randomly-generated passes, so what gives? How are they cracking them? Are they brute-forcing the passes (seems unlikely) or is the suggestion that's floating around that there's some fundamental security flaw in Google's authentication system true??
Android based Google Authenticator please.
None of this waiting for SMS and voice call rubbish. Let's face it, a landline isn't tenable... what's the point of web-based email that can only be used from home, and SMS can have very long latency between send and receive, which most don't realise!
I use this to see if anything new has popped (geddit?) into my gmail account, but with this additional step I would need to be answering my phone every ten minutes.
It's a good idea - but I suspect that I and many others would prefer convenience over security, which is wrong I guess, but hey, I'm only human.
ttfn
FWIW, my password is complex & unique to my Google account and having to wait for a one time password to login on the only 2 systems I ever use seems quite pointless.
Better to enable it only if it's not one of your regular machines.
And I can't see anyone who needs to use it (because they have a weak password) actually enabling it.
If you lost your mobile you would need a method of getting in and changing your settings. This method needs to NOT use your lost mobile (so security questions are the norm). Therefore knowing/guessing security answers is still a method of gaining access to somebody's account - regardless of mobile SMS passwords. The weakest link is normally the 'reset if....' or 'I've forgotten my password...' or in this case 'I've lost my mobile...' scenario.
A good idea though (not that I would trust Google with that information).
Is it really doing this EVERY time I log into Gmail? I've given Google my mobile # for recovery purposes already, so I don't care.
But, if every time I log in I need to wait for an SMS (my operator has a "relaxed" attitude towards timeliness of sms transmissions) then that's no good.
On the other hand, I would love something that does use 2-factor SMS, in the context of an unusual event that would trigger that extra security layer. Maybe logging in from a never-before-used machine (new IP address/no Gmail cookies yet, that kinda thing). Of course, that might be difficult in practice when using my cell phone, which will be hopping from wifi to wifi.