Awesome Conferences

Google Enables Two-Factor Authentication For All

My apologies for flogging my employer's product, but I enough people have asked me "how can I protect my gmail account" that I feel this is worth it.

Google has enabled 2-factor authentication for GMail. I highly recommend you enable this. Attacks on gmail accounts (and all accounts) are increasing in frequency.

Posted by Tom Limoncelli in Security

No TrackBacks

TrackBack URL:

7 Comments | Leave a comment

Not true, still not enabled for my account...

Same here..

"This is an advanced feature. 2-step verification for this account will be available soon."

To quote the article on the Google blog... "Over the next few days, you'll see a new link on your Account Settings page that looks like this"

You don't think we roll out software to all servers at once, do you? :-)

I'm glad they're providing this but I really wish they had included support for security tokens, such as the Verisign security token used with paypal, ebay and others.

Mostly because I already carry it around, but moreso because I work in a secure facility where cell phones are not allowed, and I don't really want Google calling me at work. If I turn it on, my accounts are essentially useless for a good chunk of the day.

Yeah, that's a bit of a situation you are in. Let me see if I can help. There are some alternatives:
1. Cell phones are banned where you would, what about an iPod Touch? The software runs there. It might (I'm not sure) run on the Android emulator that comes with the ADK.
2. You can print out a set of "backup codes" that can be used any time. You could print enough to get you through the day. Since you only have to do the 2factor once a month (the cookie expires every 30 days IIRC) you won't need to do this very often.
3. Set up application-specific passwords for the machines at your office. Not perfect, but if you use SSL exclusively there it is relatively secure (and certainly more secure than plain old passwords).


I enabled this for my Google account last night. Neat.

Google Authenticator is basically a soft SecurID token. Did the patent on that expire recently?

I don't know nothin' about patents.

Leave a comment