Anybody using 2-step verification?
It's a mechanism that requires an extra code, in addition to your password, when you log in to Google webmail. When you get to the password, Google sends you a text message (or voice message) to your mobile phone; you can have more than one phone registered, and they can be landlines too. You then need to enter the code number from the phone message in order to access the account. You can choose to do this on every login, or leave a cookie on the trusted PCs that allows 30 days' use before going around the loop again. There are other ways of getting codes, including a mobile app, and an old-fashioned printed list that you keep folded up in your wallet.
IMAP/POP clients continue to work too, but need to be given a Google machine-generated 'application specific password'. I initially thought this was a weakness, but machine-generated passwords are obviously intrinsically less crackable than user-generated ones. In any case, I don't think the apps that sign in with them can do a full identity theft; they can read/write/delete mail, which would be awful, but I don't think they can change settings or passwords, which would be worse than awful. You are meant to have a different ASP for each app; then you can revoke them at will.
I'm trying it out and it all seems to work perfectly. But I do have concerns and misgivings, including the niggling doubt that there's some basic flaw. And then, the dilemma of whether to trust Google with the privacy of my phone numbers. But it's hard to deny the improvement in security. Any thoughts, anybody?