[personal profile] jack
One of many potential links: http://www.mattcutts.com/blog/google-two-step-authentication/

Yesterday I turned on google two-factor authentication. (Stop using gmail is still on the TODO list! :))

I'd been leery of fancy new security measures, but recently it reached the tipping point where the risks of turning it on seemed smaller than the risks of putting it off.

In fact, my email and my bank are probably the most vital things, because most online accounts get tied to my primary email. It's a toss-up which is more secure: the bank will probably care more about a breach (if they can't just blame me), but knows a lot less about security and avoiding social engineering than Google does.

I'm not sure how the parts interact, but I think how it works is:

* When you log in via a web browser, you need a password AND a verification code sent to your mobile (or android app).
* The verification code is good for 30 days, during which time you need a password to log in (?), but not another verification code. (Only enable this for computers you use regularly.)
* After that you need to reauthenticate.
* But signing in to a new computer needs a verification code.
* If you lose your mobile, you can still log in to a "trusted" computer within the 30 days and choose a new mobile or turn off two-factor authentication.
* If you lose your mobile AND your computer (or if you want to check your email abroad without any of your usual devices), you can print off a set of ten one-time backup verification codes, which function exactly like the mobile (except they're printed in advance instead of sent to you when you need them).
* I _think_ the backup verification codes still need your password, so you're still safer than using a password only.
* But if you have "trusted" computers AND backup verification codes AND a backup mobile or landline specified, you're unlikely to lock yourself out.

Do you know, is all that correct?

For things like gmail on an android device you can generate a one-time per-device "password" which isn't really a password, but lets that device access your account, but (I think?) NOT reset your password or two-factor authentication stuff. And if you log into your account you can "untrust" computers or disable the per-app logins for android devices, apps, etc.

It seems the reason this is better is that if someone steals a device, they can access your account, but you can lock them out and they can't lock you out.

This _doesn't_ defend against trojans, or telling someone your password, but I think it's still better: I'm not a great judge of security, but it seems pretty well thought out and fairly reliable.

Attack vectors

I think the failures I'm protecting myself against are:

* A friend I trust rifles through my stuff or looks over my shoulder to see my password
* A hacker finds out my password somehow

I don't think I can defend myself against both of those simultaneously, nor against a friend sufficiently dedicated to install spyware on my computer, but it's better to be somewhat protected against the most likely cases, a hacker or an impulsive friend, separately.

Recommendations

Find someone who knows more than me and do what they say.

Avoid using gmail at all (although the risks of using gmail are different to the ones discussed above).

But FWIW, I think about it this way: you may not be able to protect against the worst possible combination of events, but it's a start that you can still log in to your email and no-one else can if you suffer any ONE of the most likely things:

* You lose your computer
* You lose your phone
* Someone sees your password
* Someone keylogs your login, but isn't set up for a full man-in-the-middle attack
* Someone goes through your wallet and finds your backup recovery codes

I still need to check that backup recovery codes still need your password.

I think you're still screwed if someone steals your "trusted" computer (assuming your password is stored in your browser but they can brute-force the browser's encryption), but avoiding that is significantly more hassle.
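As an added illustration (not code from the post, from Google, or from any of the commenters), here is a small Python model of the login policy described in the "how it works" list above, used to check the five single-failure scenarios under "Recommendations". The account, password, seed, device names, the 30-day trust window, the ten eight-character backup codes and the scope table for per-device passwords are all constructed for this example; the only standard piece is the time-based code computation (RFC 6238 TOTP with HMAC-SHA1), which is the kind of code an authenticator app generates. Password hashing is a stand-in, not a production KDF.

```python
# Toy model of "password AND one second factor" (constructed example, not Google's code).
import hashlib, hmac, secrets, struct, time

TRUST_SECONDS = 30 * 24 * 3600  # the 30-day "trusted computer" window from the post


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second time counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class Account:
    def __init__(self, password: str, totp_secret: bytes):
        self._pw_hash = hashlib.sha256(password.encode()).digest()  # stand-in; use a real KDF
        self._totp_secret = totp_secret
        self._backup_codes = {secrets.token_hex(4) for _ in range(10)}  # printed once, each single-use
        self._trusted = {}        # device token -> trust expiry (seconds)
        self._app_passwords = {}  # per-device password -> label

    def _password_ok(self, password: str) -> bool:
        return hmac.compare_digest(self._pw_hash, hashlib.sha256(password.encode()).digest())

    def backup_codes(self):
        return sorted(self._backup_codes)

    def login(self, password, *, code=None, device=None, now=None, remember=False):
        """Web login: the password is always required, plus ONE second factor
        (still-trusted device, current authenticator code, or an unused backup code).
        Returns (granted, reason)."""
        now = int(time.time()) if now is None else now
        if not self._password_ok(password):
            return False, "bad password"
        if device in self._trusted and self._trusted[device] > now:
            return True, "trusted device"
        if code is not None and hmac.compare_digest(code, totp(self._totp_secret, now)):
            factor = "authenticator code"
        elif code in self._backup_codes:
            self._backup_codes.discard(code)  # a backup code is consumed on use
            factor = "backup code"
        else:
            return False, "second factor required"
        if remember and device:
            self._trusted[device] = now + TRUST_SECONDS
        return True, factor

    def untrust(self, device):  # what you do from another login after losing the computer
        self._trusted.pop(device, None)

    def issue_app_password(self, label: str) -> str:
        pw = secrets.token_urlsafe(12)
        self._app_passwords[pw] = label
        return pw

    def revoke_app_password(self, pw: str):
        self._app_passwords.pop(pw, None)

    def app_access(self, app_password: str):
        """Per-device password: no code needed, but it only grants mail/calendar access,
        never the ability to change the password or the two-factor settings."""
        if app_password in self._app_passwords:
            return {"mail": True, "change_password": False, "change_2fa": False}
        return None


def scenarios(now: int = 1_000_000_000):
    """The five single failures listed under "Recommendations", checked against the model.
    Each value is (owner still gets in, attacker kept out)."""
    secret, pw = b"constructed-seed", "correct horse battery"

    def fresh():  # account whose owner has a trusted laptop
        a = Account(pw, secret)
        a.login(pw, code=totp(secret, now), device="laptop", now=now, remember=True)
        return a

    out = {}
    # 1. Trusted computer lost: owner untrusts it; the thief's stored password alone is not enough.
    a = fresh(); a.untrust("laptop")
    out["lose computer"] = (a.login(pw, code=totp(secret, now), device="work-pc", now=now)[0],
                            not a.login(pw, device="laptop", now=now)[0])
    # 2. Phone lost: owner still gets in on the trusted computer; the finder lacks the password.
    a = fresh()
    out["lose phone"] = (a.login(pw, device="laptop", now=now)[0],
                         not a.login("guess", code=totp(secret, now), now=now)[0])
    # 3. Password seen: useless from an untrusted machine without a second factor.
    a = fresh()
    out["password seen"] = (a.login(pw, code=totp(secret, now), now=now)[0],
                            not a.login(pw, now=now)[0])
    # 4. Keylogger with no live relay: the captured code is stale two minutes later.
    a = fresh(); seen = totp(secret, now); a.login(pw, code=seen, device="cafe", now=now)
    out["keylogged"] = (a.login(pw, device="laptop", now=now)[0],
                        not a.login(pw, code=seen, device="cafe", now=now + 120)[0])
    # 5. Printed backup codes found: a code without the password fails the password check.
    a = fresh(); code = a.backup_codes()[0]
    out["backup codes found"] = (a.login(pw, code=code, now=now)[0],
                                 not a.login("guess", code=a.backup_codes()[0], now=now)[0])
    return out
```

The model only accepts the current 30-second code; real services usually tolerate a step or two of clock skew, which widens the replay window in scenario 4 slightly but does not change the conclusion that a relayed-in-real-time code (the man-in-the-middle case the post excludes) would still succeed.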

Date: 2012-08-09 03:21 pm (UTC)
From: [personal profile] lnr
"Do you know, is all that correct?"

I've been using it for maybe 6-12 months now, and yes, you seem to be correct. I use the Google authenticator app on my iPod to generate codes, and do keep a set of printed back-up codes somewhere safe - and yes, you do still need the password with them! I've not locked myself out.

The other useful thing is that you can generate some "single-purpose" passwords for your account to use on devices where logging in on the website is inconvenient - eg for your Calendar app on your phone/other device. These don't need a verification code - and can be disabled at any time if you lose the device or just decide to stop using them.

Date: 2012-08-09 03:22 pm (UTC)
From: [personal profile] lnr
Oops, I see you already mentioned the second bit. Sorry, I should read everything more thoroughly before replying. And yes, the single-purpose passwords can't be used to actually access your full account/change passwords and so on.

Date: 2012-08-09 04:59 pm (UTC)
From: [personal profile] andrewducker
Yes, you _always_ need your password (well, if you've been logged out - you need it as much as you do at the moment).

Date: 2012-08-14 11:28 pm (UTC)
From: [personal profile] corrvin
"* The verification code is good for 30 days, during which time you need a password to log in (?), but not another verification code. (Only enable this for computers you use regularly.)"

Mine seems to randomly hiccup and ask for my password sometimes during that 30 days, even on my home/trusted computer. This may be because I log on from other computers too (and enter the code every time).

Also, my computer has a Windows logon password, so I'm only completely screwed if they steal it while it's on and logged in. I would be sure to notice this, since it's usually within 3 feet of me when I'm at home and awake. So they'd have, you know, about 10 minutes while I tried to chase them, caught my breath, called the police, and changed my password.

There are times I forget to take my phone to work, or phone charger, and I do have a backup email address without two-step that I use sometimes... but there's not anything important that goes there. I just use it to chat with a half-dozen people when I don't/can't log into my regular email.

If I were really smart, I'd have a backup email address and have all my Gmail stuff forward there, but... I don't. Yet.