Kitz ADSL Broadband Information
Author Topic: Google mail's 2 step verification  (Read 4448 times)

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Google mail's 2 step verification
« on: January 24, 2013, 05:40:23 PM »

Anybody using 2 step verification?

It's a mechanism that requires an extra code, in addition to your password, when you log in to Google webmail.  When you get to the password, Google send you a text message (or voice message) to your mobile phone;  you can have more than one phone registered, and they can be landlines too.  You then need to enter the code number from the phone message in order to access the account.  You can choose to do this on every login, or leave a cookie on the trusted PCs that allows 30 days use before going around the loop again.  There are other ways of getting codes, including a mobile App, and an old-fashioned printed list that you keep folded up in your wallet.

IMAP/POP clients continue to work too, but need to be given a Google machine-generated 'application specific password'.  I initially thought this was a weakness, but machine-generated passwords are obviously intrinsically less crackable than user-generated ones.  In any case, I don't think the apps that sign in with them can do a full identity theft; they can read/write/delete mail which would be awful, but I don't think they can change settings or passwords, which would be worse than awful.  You are meant to have a different ASP for each app, then you can revoke them at your will.

I'm trying it out and it all seems to work perfectly.  But I do have concerns and misgivings, including the niggling doubt that there's some basic flaw.  And then, the  dilemma of whether to trust google with the privacy of my phone numbers.  But it's hard to deny the improvement in security.   Any thoughts, anybody?
Logged

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: Google mail's 2 step verification
« Reply #1 on: January 24, 2013, 10:25:05 PM »

Quote
Anybody using 2 step verification?

 :no:  No, not me.

Quote
I'm trying it out and it all seems to work perfectly.  But I do have concerns and misgivings, including the niggling doubt that there's some basic flaw.  And then, the  dilemma of whether to trust google with the privacy of my phone numbers.

Google seems to be determined to find out every last little detail about anyone who makes use of just one of their services . . .  >:(
Logged
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.

Please consider making a donation to support the running of this site.

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Re: Google mail's 2 step verification
« Reply #2 on: January 24, 2013, 11:02:09 PM »


Quote
Google seems to be determined to find out every last little detail about anyone who makes use of just one of their services . . .  >:(

Indeed they do, nowadays at least.  How suddenly a pillar of society, as I used to think of them, can fall from grace. :(

Nevertheless, their entire business could be at stake should they be proven weak with security as opposed to privacy.  They also have a reputation for attracting the best techies, for these reasons I am prepared to assume they may be relatively competent in online security matters.
Logged

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: Google mail's 2 step verification
« Reply #3 on: January 25, 2013, 02:09:09 AM »

Quote
Indeed they do, nowadays at least.  How suddenly a pillar of society, as I used to think of them, can fall from grace. :(

Nevertheless, their entire business could be at stake should they be proven weak with security as opposed to privacy.  They also have a reputation for attracting the best techies, for these reasons I am prepared to assume they may be relatively competent in online security matters.

[Nods head.] I am in agreement with both of your last paragraphs.  :)
Logged
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.


tickmike

  • Kitizen
  • ****
  • Posts: 3641
  • Yes Another Penguin !. :)
Re: Google mail's 2 step verification
« Reply #4 on: February 14, 2013, 01:15:21 AM »

What if you do not get a mobile phone signal at home like us  :hmm: , We had a bank account that used that system but got rid of it.
Logged
I have a set of 6 fixed IP's From  Eclipse  isp.BT ADSL2(G992.3) line>HG612 as a Modem, Bridge, WAN Not Bound to LAN1 or 2 + Also have FTTP (G.984) No One isp Fixed IP >Dual WAN pfSense (Hardware Firewall and routing).> Two WAN's, Ethernet LAN, DMZ LAN, Zyxel GS1100-24 Switch.

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Re: Google mail's 2 step verification
« Reply #5 on: February 14, 2013, 07:55:53 AM »

Quote
What if you do not get a mobile phone signal at home like us  :hmm: , We had a bank account that used that system but got rid of it.

Actually, that is not a problem.   When you attempt to login, a code is sent to your primary phone. 
As well as allowing you to log in, that would alert you if some other villain had hacked your password and was attempting to log in.

But if you don't have your phone (or a signal), you are invited to choose one of your alternative numbers, all but the last two digits being blanked out on screen.   If one is a landline, it rings pretty much instantly and a code is read out to you (assuming you selected 'voice' when configuring it).

You can also print out a list of codes to carry in your wallet, or you can get a smartphone app that will generate codes (internet connection not needed).

I've actually grown to like it quite a lot, since starting this thread. :)
Logged

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7411
  • VM Gig1 - AAISP CF
Re: Google mail's 2 step verification
« Reply #6 on: August 31, 2013, 09:54:53 AM »

In recent years I feel a lot of security hoops are wasteful, I mean they are security hoops put in place with probably small impact.

Google and Microsoft both seem to suffer from this, but they are not alone.

Things like not allowing auth for life. So forced relogin every X hours or every X days.  Is a dying breed.
Blocking copy and paste for passwords (sometimes also for usernames).  Pointless.
Requiring SMS authentication if accessing a site from an unusual IP, I see some logic in this, but I feel it should be a user decision to enable this kind of security not forced.

I gave Google a mobile number but it's my spare PAYG number, so far still awaiting cold calls or spam txt to it.  More likely they have used it for data collation tho.
Logged
 
