
Please turn on two-factor authentication

You should read Mat Honan’s heartbreaking tale of a hack attack and the ensuing discussion on Techmeme. Much of the story is about Amazon or Apple’s security practices, but I would still advise everyone to turn on Google’s two-factor authentication to make your Gmail account safer and less likely to get hacked.

Two-factor authentication means “something you know” (like a password) and “something you have,” which can be an object like a phone. Here’s a simple video about how it works:



I often hear the same questions or objections when I recommend two-factor authentication. Jeff Atwood has done a good job of debunking common misperceptions–check out his post, which even has pictures. But here are some misconceptions that I hear, along with the reality:

Myth #1: But what if my cell phone doesn’t have SMS/signal, or I’m in a foreign country?
Reality: You can install a standalone app called Google Authenticator (it’s also available in the App Store), so your cell phone doesn’t need a signal.

Myth #2: Okay, but what about if my cell phone runs out of power, or my phone is stolen?
Reality: You can print out a small piece of paper with 10 one-time rescue codes and put that in your wallet. Use those one-time codes to log in even without your phone.

Myth #3: Don’t I have to fiddle with an extra PIN every time I log in?
Reality: You can tell Google to trust your computer for 30 days and sometimes even longer.

Myth #4: I heard two-factor authentication doesn’t work with POP and IMAP?
Reality: You can still use two-factor authentication even with POP and IMAP. You create a special “application-specific password” that your mail client can use instead of your regular password. You can revoke application-specific passwords at any time.

Myth #5: Okay, but what if I want to verify how secure Google Authenticator is?
Reality: Google Authenticator is free, open-source, and based on open standards.

Myth #6: So Google Authenticator is free and open-source, but does anyone else use it?
Reality: Yes! You can use Google Authenticator to do two-factor authentication with LastPass, Amazon Web Services, Drupal, and DreamHost, or even use a YubiKey device.

One last tip: use a different password on Gmail/Google than on other services. If you reuse a password and a hacker cracks into one company, they can use the same password to crack into your Google account.

Please don’t wait to turn on 2-step verification. It’s not that hard, and it will really protect your account. Why not set up two-step authentication right now?

View full post on Matt Cutts: Gadgets, Google, and SEO

10 Responses to “Please turn on two-factor authentication”

  1. Aseem Kishore says:

    I also have one question…if you were to log into a Google account via a web browser using an application-specific password, do you have full access to the account? In some ways you’re still protected right because Google will ask you for your main password if you try to change any account setting. Is this correct?

  2. Aseem Kishore says:

    Good post. I turned on 2-factor authentication on my Google account when it first came out. It’s funny reading this because I just called Amazon a week ago because someone got my password and tried to order a gift card.

    They suspended my Amazon payments account and when I called to get it restored, I asked them about 2-factor authentication and the guy didn’t even know what that meant. I’m sure he was just a customer service person, but it’s something that really needs to be addressed by huge companies other than Google.

    As for application specific passwords, I would feel more secure if there was some way to have a password automatically be revoked if it’s not being used by the intended app. For example, if you create one for YouTube, then I’m sure Google must know which third-party service is trying to use that password correct? If you could specify which application-specific password went with which third-party service, you could block it if it suddenly starts being used somewhere else (like from a web browser).

    With so many apps needing application specific passwords, it just seems that the password could be stolen somehow while being sent across the Internet in clear text, which is not likely for most apps, but maybe some small time developers don’t use proper encryption.

  3. Benjamin Kerensa says:

    Google 2-Factor does not really support YubiKey; what it supports is an ineffective workaround
    http://binaryelysium.com/blog/2011/12/13/a-reluctant-relationship-yubikey-google-authentication.html

    The problem with this workaround is it requires a helper app (Windows) or python script (Linux) to be available when authenticating, which eliminates the ability of users to use YubiKey in connection with Gmail 2-Factor while at a public workstation etc.

    Google should just natively support Yubikey ;) I’m sure there is a Googler who would love to implement this in his personal project time.

  4. Henry says:

    @Edward: exactly. Chrome knows about two factor authentication, because it asks specifically for my application specific password, and yet it doesn’t support it. Why not?

  5. Mike Hudson says:

    Good to see you promoting this Matt (here and on HN). For those that are complaining about, or are put off by the minor inconveniences – think about the major inconvenience of being hacked. While not all stories are as dramatic as Mat Honan’s, they are still becoming more and more common. You insure your house, car etc – think of this as insurance of your identity.

  6. kristen says:

    Thanks for the double twitter alert on this option. I didn’t know it existed before. I just signed up! I feel safer already :)

  7. Edward says:

    Does Chrome support Google’s two-factor authentication yet? I’d be a lot happier if I didn’t have to have application-specific passwords hanging around on every computer I use regularly – seems like they’d be easy fodder for targeted malware.

  8. Fergus says:

    I turned it on after you tweeted about the video and the common objections. It sounded like a pain before watching the video, but is easier in practice than I anticipated. My only issue so far is with Chrome Sync. I assume I use a different application specific password for each PC’s browser, but sync doesn’t seem to work. It says it’s syncing, but doesn’t update bookmarks and possibly others. All in, for a little extra effort, it’s worth it IMHO. Just remember to get the app and write down some backup codes.

  9. Jose Freitas says:

    I’ve used two-factor authentication for some time. Stopped using it because of the ‘turn around’ with external services for Gmail on smartphone and tablet, or apps that use a Google account, like external RSS readers for Google Reader. Made several application-specific passwords and renewed them from time to time. It wasn’t the best hobby.

  10. Xah Lee says:

    great post. I learned a few things. Though, still there’s some inconvenience with the 2-steps auth, but overall worth it.

    • I set my browser to delete cookies and other data when I quit. That means, every time I relaunch the browser (Chrome), even to update Chrome, I have to re-login to gmail (through that phone message).

    • I use Thunderbird too as a backup of my email. Every time you launch Thunderbird (e.g. Windows restart), you have to go to a special Google page to get a new throw-away password.

    • Other apps (such as Google sync) have the same inconvenience as using Thunderbird. Each needs a special throw-away code.

    I turned on 2-steps auth last month when, for mysterious reasons unfathomable to me, Google warned me that my account might be hacked by some state run org.
