Gmail Two-Step Verification: Mission Possible
It took somebody else’s mistake to get me to correct one of my own. Nineteen months after Google announced it was adding a security option called “two-step verification” — a move I thought a good idea at the time — I finally activated this on my own Gmail account.
If Wired writer Mat Honan had done so, he wouldn’t have had hackers break into his Gmail, remotely wiping his MacBook Air, iPad and iPhone along the way, to hijack his Twitter account. (A $1,690 data-recovery session rescued photos and other personal data from the laptop.) That was enough motivation for me.
Almost a month after making that switch, I can report that two-step verification works, with the occasional snag. I thought that might be the case, but I didn’t foresee that it would also be educational and, in a weird way, fun.
DNEWS VIDEO: GPS Shoe Hotfoots Your Location
Setting it up starts with adding a phone number to your Gmail account, to which Google can send a numeric code by text message or synthesized speech. You then enter this code each time you log into your account–or you can install Google’s free, open-source Authenticator on an Android, iPhone or BlackBerry device to generate these codes for you.
That’s a better idea: Authenticator works even if your phone is offline (as long as it has the correct time) and can secure logins on such third-party services as the LastPass password manager. But setting it up involved an extra detour, scanning a barcode displayed on my Google account page.
Codes expire in 30 seconds, and without them your password alone is useless. This neatly solves the problem of logging on from a strange computer. And I’ve realized that I enjoy this little Mission: Impossible routine — in part because it doesn’t require me to carry a separate fob generating one-time codes, the traditional way IT departments handle two-factor authentication.
That’s also the biggest vulnerability in Google’s approach: If you get my phone, you can both see my Gmail account and use Authenticator to verify a login I might have saved in one of my browsers. To ensure you can log in without your phone, stash a printout of backup codes in your wallet.
A second is the application-specific passwords Google generates for sites and apps that can’t take a one-time code. These 16-character strings of gibberish don’t expire but are only shown to you once. You can then revoke any of them–handy if somebody steals a laptop that syncs your Gmail or a phone dies with your Google login saved – but you have to name each one clearly first. Think “MacBook Air system preferences,” not “laptop.”
The app-specific passwords page also lists services to which you’ve granted access to your Google account. I didn’t realize I had so many, 28 in all.
Two app passwords stopped working mysteriously, requiring me to generate new ones, but otherwise this has caused much less friction than I’d feared.
A third vulnerability is the option to exempt a “trusted computer” from two-step verification. But if somebody breaks into my house to get to my desktop, I have bigger problems.
I feel safer and smarter — and sheepish about taking so long to follow my advice. I also wish Google’s competitors would do a better job of following its lead: Microsoft and Yahoo‘s two-factor authentication is more limited and less convenient. And being tied to Google can itself be grounds for insecurity.
Credit: Rob Pegoraro/Discovery