Google’s Two Step Verification – Why everyone needs to use it

15 03 2011


Google have introduced a new feature called 2-step verification. To learn the basics, read the Google Guide.

Why you Need it

This is a must-have security feature that makes it much harder for anyone to break into your Google account, which is far more than just your email. Google has a slew of products that you may be using, and they store detailed personal information about you. Protecting this information matters because it is exactly what identity fraud is built on.

With 2-step verification turned on, your Google password on its own is only accepted from computers and devices you have authorised, which restricts access to your Google email and other data. If someone finds out your Google password, they still cannot get in without the second factor. If you lose a device or computer, you can revoke its access to your Google account with immediate effect while keeping access from the computers and devices you still trust.

Protecting your Gmail account is great, but the danger extends well beyond email: if someone gains access to your email, they can use the ‘forgot username/password’ links on financial sites and have password resets emailed to your account, which the thief now controls. Your email can easily become the keys to your financial kingdom, so protecting it is very important.

Quick Overview of how it works

Once your computer or device is registered, access to your account works as normal: you just enter your account name and password. For computers only, the registration is good for 30 days, after which it expires and you have to re-register the computer. (If you don’t like the idea of it being good for 30 days, you can opt out and enter an access code every time you access your Google account.)

You register a computer by generating a one-time access code and entering it as you log in to your Google account. The code comes either from a Google app on your smartphone or via voice delivery to any phone you nominate when you turn the service on. Devices such as phones, or applications that access your Google account directly, can instead be allocated a unique password dedicated to that device or application only. These unique passwords can be revoked at any time and do not automatically expire; note that they are accepted without a one-time code, so each one is as sensitive as your main password and should only be created where it is really needed.

Google 2-step verification is their implementation of what the security industry calls two-factor authentication. Two-factor authentication provides better security because it requires two very different things:

  • Something you know
  • Something you have

The ‘Something you know’ is your Google account username and password.

The ‘Something you have’ is your smartphone or designated phone number, which provides you with a one-time access code.

Rigid two-factor authentication requires both of these *every* time you log in; you may have seen people with a token on a lanyard around their necks that they use to access their corporate VPN. For convenience, Google have relaxed this: you can register a computer you own or trust with a one-time code for up to 30 days at a time before a new code is required. Very handy if you are on your home computer downstairs and your smartphone is on charge upstairs. The reduction in security is slight, since to get into your account a thief would need both your password and access to the registered computer.
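The "Google app on your smart phone" is Google Authenticator, and the one-time access codes it shows are TOTP codes (RFC 6238): the QR code you scan at setup carries a shared secret in base32, and the phone combines that secret with the current time to produce a six-digit code every 30 seconds. The Python below is an added example, not code from the post or from Google; it uses the RFC 4226/6238 test-vector key as a constructed secret and adds the two checks a verifying server needs that the post only implies: tolerance for a slightly wrong phone clock, and a refusal to accept the same code twice. It also shows why, as a commenter below notes, two devices that scan the same QR code both work: they hold the same secret and read the same clock. Names such as `decode_secret`, `match_totp` and `TotpVerifier` are this example's own.

```python
import base64
import hashlib
import hmac
import struct

# Constructed example secret: the RFC 4226/6238 test-vector key "12345678901234567890",
# written the way an otpauth:// QR code carries it (unpadded base32).
EXAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(b32: str) -> bytes:
    """Decode the base32 secret from a QR code; such codes omit '=' padding, so restore it."""
    cleaned = b32.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter taken from the clock, one new code every `step` seconds."""
    return hotp(secret, unix_time // step, digits)


def match_totp(secret: bytes, code: str, unix_time: int, window: int = 1, step: int = 30):
    """Return the time-step counter that `code` matches, allowing +/- `window` steps of clock
    drift between phone and server; None if nothing matches. Uses a constant-time compare."""
    base = unix_time // step
    for drift in range(-window, window + 1):
        counter = base + drift
        if hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None


class TotpVerifier:
    """Server side: accepts each time step at most once, so a code captured by a thief
    (shoulder-surfed, phished) cannot be replayed even inside its 30-second validity."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_counter = -1

    def verify(self, code: str, unix_time: int) -> bool:
        counter = match_totp(self.secret, code, unix_time)
        if counter is None or counter <= self.last_counter:
            return False
        self.last_counter = counter
        return True


if __name__ == "__main__":
    import time

    phone = decode_secret(EXAMPLE_SECRET_B32)   # what the smartphone app stores after scanning
    tablet = decode_secret(EXAMPLE_SECRET_B32)  # a second device that scanned the same QR code
    now = int(time.time())
    print("phone code :", totp(phone, now))
    print("tablet code:", totp(tablet, now))    # identical: same secret, same clock
```

The secret never leaves the two ends, which is the whole point of the "something you have": a thief who learns your password from a keylogger or a phishing page still lacks the 20 bytes behind the QR code, and `TotpVerifier` makes sure that even a code they watched you type is useless once you have used it.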

Because Google’s implementation ties the second factor to the registered computer, it is important that you don’t let your browser ‘remember’ your Google password, especially on laptops, which can be lost or stolen: a laptop with a saved password and a live registration is a complete set of credentials. If you do choose to have your browser remember the password, protect the browser with a master password different from your Google account password. Mobile phones should also be protected by requiring a code or swipe sequence to unlock them.

What if both your computer and smartphone are stolen by the same thief? How would you get into your account to revoke access, or even just to read email? Google provide one-time backup codes for you to print and store somewhere safe (like your wallet). You can also elect to have the code sent to a pre-nominated phone number, such as your home phone or a trusted partner’s.

Flaws in the Google implementation

If you lose your laptop, there is no easy way to revoke access for only that computer. Devices that use a unique password can be revoked individually, but computers don’t use unique passwords; they are registered with a one-time access code, and those registrations can only be cancelled together.

Application-specific passwords: why can’t this include all registered devices/computers?

It is true that even if your laptop is stolen, the thief would need the password to log in to the computer (you do have one, right?) *and* the password to your Google account (you don’t have the computer remember it, right?). But I would prefer that each computer be given a unique ID you choose at registration time, so you can manage or cancel that registration without cancelling the registration of all your computers.

For laptops, an extra precaution is to *not* choose the 30-day registration and have it good for the current session only. Despite the extra risk, my guess is almost everyone will opt for the 30-day registration; reaching for your smartphone every time you want to read email will become tiresome. One could argue that the registration process is likely to encourage more people to adopt two-factor authentication without taking on too much inconvenience. The extra protection 2-step verification provides is better than not using it at all because of the hassle factor, and I’m sure this is why Google decided to relax the rules slightly to ensure greater adoption. Either way, security is greatly enhanced.
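To make the point of the previous paragraphs concrete, here is a small Python model, added here and not Google’s code, of the policy the post describes: a password alone is refused, a one-time code either admits you directly or registers the computer for 30 days, and application-specific passwords bypass the code entirely. The difference from Google’s implementation is the one the post asks for: every trusted computer gets its own random identifier, so one lost laptop can be revoked without touching the desktop. Names such as `Account`, `register_computer` and `TRUST_TTL`, and the 16-lowercase-letter app-password format, are this example’s own assumptions, and the credential store uses plain SHA-256 to keep the example short where a real one would use a slow password hash.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

TRUST_TTL = 30 * 24 * 3600   # the post's 30-day trusted-computer window, in seconds (assumed constant name)


def _digest(token: str) -> str:
    # Store only a hash of each secret so a leaked store does not leak usable credentials.
    # Plain SHA-256 keeps the example short; a real store would use a slow password hash.
    return hashlib.sha256(token.encode()).hexdigest()


class Account:
    """Toy model of the access policy the post describes; not Google's implementation."""

    def __init__(self, password: str):
        self._password_hash = _digest(password)
        self.trusted_computers: Dict[str, Tuple[str, int]] = {}   # computer_id -> (label, expiry)
        self.app_passwords: Dict[str, Tuple[str, str]] = {}       # app_id -> (label, hash)

    def password_ok(self, candidate: str) -> bool:
        return hmac.compare_digest(self._password_hash, _digest(candidate))

    # --- trusted computers: registered with a one-time code, expire after TRUST_TTL ---
    def register_computer(self, label: str, second_factor_ok: bool, now: int) -> str:
        if not second_factor_ok:
            raise PermissionError("a one-time code is required to register a computer")
        computer_id = secrets.token_urlsafe(16)   # the per-computer identifier the post asks for
        self.trusted_computers[computer_id] = (label, now + TRUST_TTL)
        return computer_id

    def revoke_computer(self, computer_id: str) -> None:
        # Revokes exactly one registration; every other trusted computer keeps working.
        self.trusted_computers.pop(computer_id, None)

    def login(self, password: str, now: int, computer_id: Optional[str] = None,
              second_factor_ok: bool = False) -> bool:
        if not self.password_ok(password):
            return False                      # "something you know" is always required
        if second_factor_ok:
            return True                       # fresh one-time code: "something you have"
        entry = self.trusted_computers.get(computer_id) if computer_id else None
        if entry is None:
            return False                      # unknown or revoked computer, no code: refuse
        _, expiry = entry
        if now >= expiry:
            del self.trusted_computers[computer_id]   # the 30 days are up; re-registration needed
            return False
        return True

    # --- application-specific passwords: one per device/app, never expire, individually revocable ---
    def create_app_password(self, label: str) -> Tuple[str, str]:
        app_id = secrets.token_hex(4)
        app_password = "".join(secrets.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(16))
        self.app_passwords[app_id] = (label, _digest(app_password))
        return app_id, app_password

    def revoke_app_password(self, app_id: str) -> None:
        self.app_passwords.pop(app_id, None)

    def app_login(self, candidate: str) -> bool:
        # Accepted without any one-time code, by design: this is why each one must be
        # revocable on its own and treated as carefully as the main password.
        candidate_hash = _digest(candidate)
        return any(hmac.compare_digest(stored, candidate_hash)
                   for _, stored in self.app_passwords.values())
```

Because the trusted-computer table is keyed by an identifier rather than by a single all-or-nothing flag, `revoke_computer` does for a lost laptop exactly what `revoke_app_password` does for a compromised mail client, and the expiry check in `login` is what limits the damage when neither revocation happens in time.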

Attempts to gain access to Gmail accounts are often made from abroad, well away from your computer hardware. Google’s 2-step verification is very strong protection against such attacks: without the thing you have, the attacker is thwarted.




7 responses

25 03 2011

What is the “unique ID” mentioned referring to ?

25 03 2011

When I refer to a ‘unique ID’, I mean an identifier like the one given when one creates application-specific passwords. I’ve updated the article and included a screenshot of what application-specific passwords are. I wish that each computer registered with Google could also have a user-specified ID.

8 04 2011

One could opt for not using the 30-day remembering option on said laptop, install Google Talk and allow it access with an application-specific password. Google Talk allows you to go to your inbox directly, without logging in to gmail (right click option). From there you have access to the rest of your account.

If you lose your laptop, you revoke the access of Google Talk and your laptop is safe.
The flaw (and a major one) is that anyone can access your account from you laptop until you revoke access.

It would be a lot better if Google Talk would be disconnected from your inbox, right? ;)

Thanks for this article, it was useful.


9 04 2011

Thanks for the idea of using GTalk as the Google authentication method making access revokable.

As for the laptop still having access, that’s not too awfully bad; it’s no different from, say, having a credit card stolen: until you report it missing, it is subject to abuse until cancelled by the CC company. It comes down to revoking access before any real damage can be done.

Another way to increase security (following on from your idea) would be to use Thunderbird or another desktop email client to access Gmail using IMAP. Authorise the email client for Gmail access, and that access would then be revocable.

Glad you found the article useful.

13 05 2011
[Repost] How to protect your Google Account from being hijacked « 小棗棧

[…] Google’s Two Step Verification – Why everyone needs to use it : Google Accounts Help – 2-step verification : […]

28 09 2011

I have an iPhone and an iPad and I want both to have the ability to verify. All the instructions were not clear. What you have to do is scan the QR code for the iPhone first, then enter the 6-digit code. Now, before you hit next, scan the QR code with the iPad and enter the 6-digit code. You will find they both work when you go to log in to Google.

18 03 2012

Access to laptops can be revoked – wrong information in the article. Go to Google Accounts>>Two Step Verification>>Advanced (at the bottom of the page)>>Trusted Computers
