Advanced sign-in security for your Google account

Thursday, February 10, 2011 12:02 PM



(Cross-posted from the Official Google Blog)

Has anyone you know ever lost control of an email account and inadvertently sent spam—or worse—to their friends and family? There are plenty of examples (like the classic "Mugged in London" scam) that demonstrate why it's important to take steps to help secure your activities online. Your Gmail account, your photos, your private documents—if you reuse the same password on multiple sites and one of those sites gets hacked, or your password is conned out of you directly through a phishing scam, it can be used to access some of your most closely-held information.

Most of us are used to entrusting our information to a password, but we know that some of you are looking for something stronger. As we announced to our Google Apps customers a few months ago, we've developed an advanced opt-in security feature called 2-step verification that makes your Google Account significantly more secure by helping to verify that you're the real owner of your account. Now it's time to offer the same advanced protection to all of our users.

2-step verification requires two independent factors for authentication, much like you might see on your banking website: your password, plus a code obtained using your phone. Over the next few days, you'll see a new link on your Account Settings page that looks like this:



Take your time to carefully set up 2-step verification—we expect it may take up to 15 minutes to enroll. A user-friendly set-up wizard will guide you through the process, including setting up a backup phone and creating backup codes in case you lose access to your primary phone. Once you enable 2-step verification, you'll see an extra page that prompts you for a code when you sign in to your account. After entering your password, Google will call you with the code, send you an SMS message or give you the choice to generate the code for yourself using a mobile application on your Android, BlackBerry or iPhone device. The choice is up to you. When you enter this code after correctly submitting your password we'll have a pretty good idea that the person signing in is actually you.


It's an extra step, but it's one that significantly improves the security of your Google Account because it requires the powerful combination of both something you know—your username and password—and something that only you should have—your phone. A hacker would need access to both of these factors to gain access to your account. If you like, you can always choose a "Remember verification for this computer for 30 days" option, and you won't need to re-enter a code for another 30 days. You can also set up one-time application-specific passwords to sign in to your account from non-browser based applications that are designed to only ask for a password, and cannot prompt for the code.

To learn more about 2-step verification and get started, visit our Help Center. And for more about staying safe online, see our ongoing security blog series or visit http://www.staysafeonline.org/. Be safe!

Update Dec 7, 2011: Updated the screenshots in this post.

15 comments:

Saqib Ali said...

I would like to take this opportunity to remind Google services users that while padlocking the front using the 2-Step verification, they should not leave the backdoor (3-Legged OAuth) wide-open. Please check and double-check the legitimacy of the 3rd party website before giving it access to your Google data.

If that 3rd party website is malicious and you have granted it access to your Google data using OAuth, 2-Step verification won't help much. That 3rd party site can siphon off your data without ever logging into your Google account and without your knowledge.

Please check all your OAuth Tokens today by going into your Account Settings page and clicking on Authorizing applications & sites

Saqib

Jim Manico said...

Also, multi-factor AuthN for Gmail can be circumvented via standard password brute force via IMAP or POP. One-time app-specific passwords only help so much. Please disable IMAP and/or POP if you only view your Gmail via the web!

Larry Seltzer said...

So what happens if you check GMail from the same phone you use for your SMS factor? I assume this defeats the whole point of it.

Saqib Ali said...

@Jim, it is not easy to brute-force a Google account. A brute-force hacker would probably get locked out within the first couple of attempts, and a CAPTCHA would be enforced on the account.

Saqib Ali said...

@Larry: If you're syncing (IMAP, ActiveSync or native Android) your Gmail to your phone, then 2-factor verification doesn't help much if your phone is stolen. Hopefully you had a PIN or an unlock pattern set on your phone.

However if you are using the Gmail Web UI on your phone, then you will still be prompted for your Gmail password in addition to SMS verification.

In any case, if you lose your phone or think it is missing, immediately un-enroll from 2-Step verification. If you find the phone, re-enroll. It only takes a couple of minutes.

Gyenes Gábor said...

I'm curious when it will be available to a broader audience (it is not yet available in certain countries). I could add Google to the SMS Key application for a really comfortable login. If somebody has SMS and Android, they may post a sample to me.

Thanks in advance.

Marcelo said...

I've set up 2-step verification and I am pretty disappointed. It only asked for the PIN once on my laptop. It says my laptop is now a recognized device and will not ask for the PIN again! What is the point? If someone stole my laptop (and knows my password, let's say) he/she will be able to log on without any problem!

Gmail should provide an option to "always ask for the PIN", regardless of any recognized device.

Eric said...

How about bringing support for Yubikey? I don't want to deal with text messages or even having my phone with me to gain access to my information.

Nishit said...

Hi Marcelo!

When you enter your pin ('verification code'), you can check the "Remember verification for this computer for 30 days" box, to have that computer remembered for 30 days. You will not need to enter another code on that computer for that time -- even if you hit "Sign out".

If you don't check this "Remember verification .." option, you will be prompted for a pin every time you log in -- which is the behaviour you're requesting.

John said...

I would like some options like:

1. Never ask for PIN for this computer/device.
2. Ask every 30/60/90 days for this computer.
3. Always ask.

gp said...

It sounds like a very good feature and unsurprisingly Google is the first company to implement 2-factor authentication. I had a few questions regarding how exactly it works.
1. What about brute force on the verification code? How do you protect against that?
2. Is the code fixed length?
3. How random is the code that is generated? The 'backup codes' look like a bad idea. If the user can lose his/her password then they can also lose the backup code. Ideally the user should be sent a new randomly generated code every time he/she enters the correct password.
4. How does the password retrieval process play out if you have two-factor authentication set up?

Nishit said...

Hi @gp,

1. What about brute force on the verification code? How do you protect against that?
Yes, Google has brute force protection on password and verification code attempts.

2. Is the code fixed length?
Yes, the code length is fixed, based on what code is used. It is:
6 digits for Google Authenticator or SMS based verification codes
5 digits for Voice based verification codes
8 digits for Backup verification codes

3. How random is the code that is generated? The 'backup codes' look like a bad idea. If the user can lose his/her password then they can also lose the backup code. Ideally the user should be sent a new randomly generated code every time he/she enters the correct password.
-The verification codes generated by the Google Authenticator app use the OATH TOTP standard. So the codes aren't random, but are computed as a function of the secret key and the time.
-The SMS/Voice codes are randomly generated

The Backup verification codes are for situations where the user doesn't have access to the phone - e.g. while traveling or if the phone has no network coverage. For normal usage, users wouldn't use Backup verification codes. If the backup codes are lost or stolen, the user is still protected as long as the person accessing the codes doesn't know their password. Lost backup codes can be revoked and replaced by the user at any time.

4. How does the password retrieval process play out if you have two-factor authentication set up?
The Account Recovery process is further fortified for 2-step users. The password and the verification codes are treated as independent factors, and having one is not sufficient to gain access to the account using Account Recovery mechanisms.

Susanna said...

@GP -

This is EXACTLY what I want to know as well - what you are talking about in #4 regarding password retrieval process. As someone who has had her ex regularly hack into her accounts, I am particularly concerned about this. I signed up for the two-step authentication, only to realize that if my ex just does what he normally does - which is just to reset my password (maybe doing this brute force cracking Saqib and Jim talk about) - then surely this may not be any help.

Does anyone know if two-step still kicks in after a password change to not let anyone else in? Any other suggestions for how I can stay safe online?

Nishit said...

Hi Susanna,

If the account has 2-step verification enabled, a password change requires also providing a verification code. So, someone who doesn't have access to your phone can't lock you out by simply changing the password.

dave said...

I received an alert saying that my account had been accessed from an IP in CA - this was obviously not me. After looking further into my account I noticed it had stored address and billing information from a purchase long ago - how do I remove this data from my account?