You Should Really Use Google Two-Factor Authentication

If you haven’t heard of it, Google two-factor authentication is a simple process that combines something you know (your password) with something you have in your possession (your smartphone). You may think you don’t need something like this, but we suggest you read this completely terrifying article from Ars Technica, which explains that with every password breach, the bad guys are getting smarter.

A sample of the terror:

Most importantly, a series of leaks over the past few years containing more than 100 million real-world passwords have provided crackers with important new insights about how people in different walks of life choose passwords on different sites or in different settings. The ever-growing list of leaked passwords allows programmers to write rules that make cracking algorithms faster and more accurate; password attacks have become cut-and-paste exercises that even script kiddies can perform with ease.

“It has been night and day, the amount of improvement,” said Rick Redman, a penetration tester for security consultants KoreLogic and organizer of the Crack Me If You Can password contest at the past three Defcon hacker conferences. “It’s been an exciting year for password crackers because of the amount of data. Cracking 16-character passwords is something I could not do four or five years ago, and it’s not because I have more computers now.”

Lifehacker has put together a list of the places (besides your Google account) that you can now use two-factor… And as you may have heard, the newest and most welcome addition is Dropbox. But don’t stop there… you can also use the system with a whole bunch of other logins.

It may sound annoying, but, trust us, it’s worth a few minutes of your time. Here’s a soothing and informative video from Google that will get you started…

Comments


  1. Torchwood says:

    Can I get my financial institutions to use two-factor authentication? Pretty please? Along with longer and strong-bad passwords?

    • rgf207 says:

      Amen. Until about a month ago I could not use a password longer than 7 characters for my bank. If I can get 2 factor authentication for my spam-only gmail account, my financial institution should at least offer it.

    • ldillon says:

      I, too, am disgusted by the weak (short) passwords that some of my banks force me to use.

    • DoodlestheGreat says:

      That’s the key reason I will not do any banking over the internet. The security is weak as herbal tea.

    • Jelly says:

      Chase always texts me (or emails if my phone’s not available) a code before I can login. I somehow doubt they’re the leader in online banking security though, so you would think there has to be others out there doing it too.

    • Not Given says:

      Out of 3 banks I deal with one has 2 factor and I didn’t see a choice to opt out so it must be mandatory. The other 2 have that picture and the word you chose on the page where you put in your password. They all have a long list of security questions, but I don’t think the first bank uses them anymore since they have the text to the phone deal.

    • Telaviv says:

      I depend a lot on banking online and have always been concerned about the risk of exposing my credit card information. And the methods to prevent credit card fraud keep getting more complex, but the truth is it’s as simple as companies asking users to telesign in to complete a transaction by using 2FA. I am not sure why not all banks use this, in fact I feel suspicious when a bank doesn’t ask me to telesign in, now it just feels as if they are not offering enough protection.

  2. Misha says:

    That would be great if I actually had a smartphone.

    • MaxH42 needs an edit button says:

      You can get a set of verification codes that can be memorized, printed and stored in your wallet, or you could even copy them down so they look like phone numbers or something.

    • notovny says:

      You can also be sent the authentication code by text message or automated phone call. It’s simply easier with a smartphone.

      • waitetr says:

        That assumes you have cell service. I do not get it at my work but need to check personal e-mail while at work. This means I could potentially be locked out because of authentication. Otherwise I’d be all over this.

    • eyesack is the boss of the DEFAMATION ZONE says:

      It would be great if I trusted Google never to do anything bad with my phone number, or never to have a breach.

      Seriously, all this does is make the inevitable Massive Google Security Fuckup worse.

    • George4478 says:

      You don’t have a phone that receives either voice calls or text messages?

      What does your phone do then?

      • Misha says:

        It wasn’t explained until after I had posted this thread that it can also be done by voice or text, but the article itself referred only to smartphones. But thanks.

    • Invader Zim says:

      You just need text messaging. The phone can be stupid :o)

  3. Walker66 says:

    What if they also steal your phone?

    • aaronx says:

      If the person that is hacking into your google account also has access to your phone, then that’s a whole other realm of issues you need to worry about.

    • nishioka says:

      1) Remotely wipe your phone, if you have that capability
      2) Call your cell phone provider and tell them your phone has been stolen so service can be suspended.

      Or in other words, what you should do anyway if your cell phone gets stolen.

      • luxosaucer13 says:

        That’s exactly why I have a CDMA-based Windows Phone 7 device.

        Microsoft has a special website (www.windowsphone.com/en-us/my) where you can track (via GPS real-time on a map), lock, erase, or ring your device WITHOUT having to install a stupid app that’s loaded with ads and runs your battery down quicker than the sinking of the Titanic. Plus, via the same website, you can recover any photos or documents saved to your SkyDrive from your WP7 device. Your contacts are even backed up too.

        CDMA carriers can also blacklist devices so that if someone steals your phone, it’s rendered useless to the thief. With GSM phones, the thief can swap the SIM and away he goes with his “new” stolen device. CDMA phones don’t have SIMs (except for so-called “World Phones”).

        • Evil_Otto would rather pay taxes than make someone else rich says:

          I’d point out that Apple has the same capability with iOS products. You do have to download a (free) app, but it’s pretty innocuous.

    • humphrmi says:

      Something you know (password), something you have (phone with codes). That’s why it’s called “Two factor”, they’d have to steal your password AND your phone.

    • Tim says:

      Watch the video. You can set a specific password for your phone and enter it just once on your phone. If your phone is stolen, you can revoke that password.

  4. consumed says:

    I tried out this two-factor authentication for a couple days, and it was such a pain in the ass. Just to access gmail on my phone I had to have a separate, long, impossible to remember passcode. Among other things, it’s inconvenient, and a simpler system should be devised before this could possibly become mainstream.

    • Marshmelly says:

      Once you type in that passcode to access the gmail app on your phone, you should never have to do it again though (same goes for any google app…I had to do it for google voice as well).

      My main issue with 2-step verification is that I have my browser set to clear cookies, so every time I try to get back on gmail I have to type in an authentication code. So now I think I have it set to just accept cookies.

      • DoodlestheGreat says:

        You can set the browser to accept cookies from specific sites, and block any from other specific sites like DoubleClick.

    • jeb says:

      In theory, the long password should only need to be used once. Granted, I have an Android phone, but I typed that password once and have never needed it again.

    • RedOryx says:

      That’s strange. Once I put the code into my iPhone it stored it and I haven’t had to type it in again.

  5. ldillon says:

    There’s got to be a better way than to depend on a “smart” phone. Seriously, all of the genius-IQ people at Google and this is the best they can come up with?

    • aaronx says:

      There are other ways to get the authentication codes than just smart phones. But since most people have their phone on them at all times, they’re the easiest, most convenient way to handle the codes.

    • who? says:

      This is actually a pretty darn good way of doing it. It’s low cost, because most people already have the hardware, and it is indeed two-factor authentication. Short of giving you some sort of extra smart card or dongle that is expensive and gives you an extra thing to carry around, nobody has really come up with a better way of authenticating.

  6. Guppy06 says:

    No.

    My passwords are complex enough, they are unique across all websites I visit, and I will not give my cell phone number to an entity whose main source of income is advertising.

    • aaronx says:

      You don’t give your cell phone number to anybody. You download an app that flashes a code that you enter when logging in. This way, if someone in Russia hacks your password, they can’t login to your account.

      • Guppy06 says:

        1.) I would be giving them my number because my cell phone is not a smart phone.

        2.) Even if I did have a smart phone, what’s to stop the Russian in your example from hacking that? If nothing else, if the Russian has access to Google’s own password database (which they’d need, as my passwords are unique across all websites), they’d likely have access to the key-generating algorithm as well.

        If there was an option to use a stand-alone, disconnected key fob (like I use for my bank account and MMO), I would. But I note that the only options presented involve giving an advertiser access to my mobile phone. I get enough spam on my phone as it is.

      • Misha says:

        Not if you don’t have a smartphone. Then it really does rely on giving them your cell number.

    • notovny says:

      Pointless paranoia, really. If you’re sufficiently paranoid to think that that Google would use a phone number given for account security purposes and sell it, what you should be doing is refusing to give your phone number to anyone who uses a Google account, as said person will probably be using Google Contacts to store it.

      • Guppy06 says:

        Google would be more careful with it because Google is too big to effectively hide behind a boiler room operation, like most spammers.

        But I do note that, in order to use this service, I will have to give clear, written consent to Google to send automated SMS messages to my mobile phone. How convenient!

        • notovny says:

          Holy crap, yes. To receive automated SMS messages consisting of the two-factor authentication code, you have to give Google permission to send you automated SMS messages containing the two-factor authentication code.

          Dear sweet god.

          • Guppy06 says:

            And is there anything that limits your authorization to only sending authorization codes?

            Of course, even if there were such a restriction in the terms, such terms of service are updated regularly, frequently, and silently, so there’s no guarantee that such a clause will still be in the ToS next week.

        • Not Given says:

          Google already has my cell because I forwarded unanswered calls to GV. I get text messages telling me I have a voicemail.

      • Misha says:

        No, I have a Google account and use a piece of paper on my fridge to store phone numbers.

        • notovny says:

          Perhaps you do. But the vast majority of people who have Google accounts don’t. Especially if said person uses a smartphone to access their Google account.

          If Google is unscrupulous enough to take the phone number you explicitly give them for the sole purpose of using two-factor authentication and sell it to spammers, then Google is untrustworthy enough to raid the contact database of random Google users, and harvest your name, address, phone number, birthdate, and so on from the contacts stored in the Google Accounts of people who know you.

    • nishioka says:

      > My passwords are complex enough, they are unique across all websites I visit

      Since you didn’t read the article, I will summarize for you:
      A) No, your passwords are not complex enough.
      B) It doesn’t matter that they are unique, because of A.

      • Guppy06 says:

        A) Cracking a 16-character password is one thing. Cracking a 16-character password remotely over port 80 is something else.

        B) Unless I get a gig as a high-profile technology news writer, I don’t have to “outrun the bear,” just the people using “password” as their password. I was a part of the Gawker password dump, but I’ve yet to see my particular hash cracked, and that was several password-changing cycles ago regardless.

        The usefulness of leaked password databases to crackers is to discern patterns in passwords across the general population, not necessarily the patterns used by specific individuals.

    • who? says:

      If you do a rudimentary risk analysis of the situation, you’d realize that

      a) If you have any friends with android phones, google already has your number in their contacts database.
      b) the odds of being part of a data breach because you’re *not* using 2 factor authentication are much higher, and the consequences greater, than the probability and consequences of any scenario I can think of that involves google having your phone number for two factor authentication.

      • Guppy06 says:

        a) Google may already have my number, but they do not have my express permission to send me automated messages, which is required under federal law (for the moment).

        b) The odds are only statistically “much higher” if I am using a statistically typical password, which I am not. If the odds of a compromise of each factor individually is 50%, you do reduce your vulnerability from 50% to 25% by using both; but if one of those factors is 99% secure, you’re looking at the difference between 99% and 99.5%, a classic example of diminishing returns.

        And, of course, the consequences are only worse if compromising (for example) my email account exposes financial or otherwise sensitive information, which in my case it would not. The alternative is allowing Google to ding my cell phone bill by as much as 20¢ a pop, whenever and however often they see fit, and I’ll wager it’s much more difficult to stop this “feature” than it is to start it.

        As I said before, I already use two-factor authentication for several online accounts, in the form of standalone, non-connected key fobs. If Google (and Microsoft and Facebook, et al) were truly concerned about security, they would enable this as an option. The absence of that choice shows this to be more about establishing a legal beachhead on my mobile phone than any serious attempt to increase account security.

  7. ldillon says:

    Bruce Schneier – The Failure of Two-Factor Authentication:

    http://www.schneier.com/blog/archives/2005/03/the_failure_of.html

    • rgf207 says:

      Nice article but I don’t really agree with what the author is saying. The attacks he describes are valid and do occur frequently, but they rely on a lack of knowledge on the part of the user. With or without 2 factor authentication, that same user will fall for those types of attacks. There are multiple things that need to occur for online data to be safe. 1. The user must know what to look for. The trojans and man-in-the-middle attacks usually rely on the user performing an action for them to work. Usually it’s clicking on a link in a suspect email. Users need to be aware of these attempts. That’s the first thing.

      Second, 2 factor authentication is not just for you. It helps protect the institution that is implementing it. The recent attacks that have occurred where passwords were hacked involved hackers gaining access to the database itself which compromised millions of usernames/passwords. With 2 factor authentication, that data that was hacked would have been useless since the hackers still would not have the token. Most likely it would have saved the companies a lot of money.

      2 factor authentication also helps protect against stupid people. No matter how strong your password requirements are, you’re going to have people that write down passwords and send them in plain text across the internet. They can’t send the token codes so in essence, it protects the underlying data.

  8. Tim says:

    Here’s the thing: my phone’s battery life really sucks. So essentially, with two-factor authentication, when my phone dies, my access to Gmail and other Google services will die with it.

    • Tim says:

      Ha. Should have RTFAd. There’s a backup method.

    • davidng150 says:

      The video even mentions how you can print out backup codes to carry in your wallet or somewhere else just in case your phone stops working.

    • who? says:

      Basically, google’s two factor authentication sends the code to your phone in two cases:

      1) When you’re logging in from a browser that you’ve never used before.
      2) Once a month, just for the hell of it.

      So, if you’re not changing machines all the time, google’s only going to send you a code once a month. It’s not that hard to make sure that your phone is charged or plugged in that one time.

  9. mr91mr says:

    What about desktop email clients and other 3rd party clients that rely on access to your Google account? It’s my understanding this 2 factor authentication won’t work with those unless you use some convoluted system of setting individual pins for each and every 3rd party client you use across any device.

    I think I’m holding out for something better.

    • who? says:

      Yeah, you go to your google account and set up a password for each device or app, then enter the password into the device. Once. Then it works, forever. It isn’t really all that hard. Personally, I think it’s easier than remembering my password to log back into my google account every couple of weeks. The cool part about it is that if you lose your phone or something, you can then go into your google account and essentially log the device out remotely.

    • Sean says:

      Did you even watch the video? It talks about that particular situation

  10. pegr says:

    Remember folks. If you don’t pay for the service, you aren’t the customer, you’re the product!

  11. dicobalt says:

    Why not let me use a 128 character password like I want to? That’s why I have password management software…

  12. Applekid says:

    About a year ago, I had kinda been forced to sign up for BoA’s two-factor identification by trying to wire some money a few years ago. It was sort of a pain in the ass.

    About a week ago, I got an unsolicited text message with my SafePass (that ‘magic number’ to put in) and realized someone was trying to hack in to my account. At that very moment.

    After some panicked hourly checking of my account activity, I realized that it did exactly what it was supposed to do: keep riff-raff from trying to guesstimate how to hack into my account. It never quite seemed like a pain in the ass after that.

    • who? says:

      Exactly. There’s been exactly one public case of a bad guy getting around google’s two factor authentication, but lots of stories of people getting their google account hacked that start with the words, “I knew I should be using two-factor authentication, but I wasn’t.”

      Another really public case involving two factor authentication was the RSA breach. A little over a year ago, bad guys got into RSA and stole the database with all the keys for the little tokens that we all have to carry around for work. There was some panic and “oh, my god, the sky is falling” at the time. But really, what happened was, it being two-factor authentication and all, everybody’s accounts were still protected by passwords, and not much happened, except that RSA had to issue a bunch of new tokens.

  13. GrillinBurgers says:

    Next we’ll need 3 factor authentication, 4, 5, etc. :/

  14. SamEBates says:

    I use about 6-7 devices a day. This would get annoying really fast. My bank’s website already asks me a security question every time I try to log in with a different IP address.

  15. HogwartsProfessor says:

    Very nice, but I don’t typically log into my email when I’m out and about, or else I leave it logged in so I don’t have to type it (when I’m at home). No smartphone either–just a prepaid feature phone. Every time I get a text, it costs me money and I don’t have a lot of money.

    I think I’ll have to wait until I get a (decent) job and perhaps a smartphone and then I can just use the app. That seems to be the easiest way to do this.

  16. tz says:

    The problem is that everything else, including a lot of google apps on android need an app-specific password. One can be used for all, but isn’t very secure, but it is painful and will take hours if you use one app spec pw per app. Fail.

  17. Fafaflunkie Plays His World's Smallest Violin For You says:

    This sounds exactly like the last episode of Security Now. “The Death of Clever,” as the podcast was so aptly named. Steve Gibson explained everything this blogpost talked about. A week ago. Thanks for keeping up, Consumerist!

  18. CrackedLCD says:

    Those of you concerned about text message charges can opt for a phone call, and it doesn’t have to be to your cell. When I set up two factor auth it said any phone number except a Google Voice number (because if you got locked out, you’d also be locked out of GV and unable to check in there.)

    I’ve done it, and it IS a huge pain in the ass to get everything set up. My biggest worry is what will happen later this year when my phone contract is up and I jump ship to a new carrier with a new phone & number. I don’t do portability (again, because everyone uses my GV #) so may have to set everything up all over again. Hopefully I’ll be proactive about it and not get myself totally locked out!

    Is the hassle worth it? Maybe not, but I have just one e-mail address for everything, and that e-mail address is where password reset mails go from literally hundreds of other services, some financial in nature. So why not be extra careful?

    Remember, we have Amazon and Apple to thank for this recent interest in two factor auth. Nogoodnicks used weaknesses in Amazon’s setup to get info used to make changes to a guy’s Apple account, then used that access to wipe his iDevices and take over his Twitter account. With two factor auth on Apple’s end this would not have happened.

  19. RoguePisigit says:

    Except you’re screwed when your phone needs to be reset, especially if it’s an Android phone — can’t log into Google without the code; can’t get into the Google Play store to download the app until you log in with your Google account. Fortunately I found the list of backup codes, but that was the day I disabled two-factor authentication.

  20. acatchyscreenname says:

    Wow! Great for everyone who has a smart phone and an unlimited texting plan. Of course, those of us who don’t have either, well, who cares about us, right?