

Advanced sign-in security for your Google account - atularora
http://googleblog.blogspot.com/2011/02/advanced-sign-in-security-for-your.html

======
JoachimSchipper
This is _great_ \- getting access to your mail account allows someone to
essentially take over your online identity, so this helps a lot.

I do hope that you can't get in just by knowing someone's mother's maiden
name, though...

~~~
imd
RTFA, Google sends a code to your phone.

~~~
JoachimSchipper
Actually, I was talking about the _backup_ method. Happily, that's a list of
printable one-time codes. (Obviously, locking you out of your GMail if you
lose your phone is not acceptable.)

------
nbpoole
Devil's advocate here:

If I can trick a user into submitting their username and password on my site,
I can send a request to Google using that username/password and trigger a
message to the mobile application. The user continues with the flow, enters
the code on my screen, and I now have access to their account, same as before.

~~~
kbutler
Yes. 2-factor authentication does not address site impersonation.

This is for the more common case of trying to access a user's account without
the user's direct involvement. (e.g., if I grabbed lists of common passwords,
try to use your password from a cracked site to access an account on google,
etc.).

Classify this as "step forward" not "silver bullet".

kb

~~~
nbpoole
Except they specifically list anti-phishing as one of the use-cases:

"if you reuse the same password on multiple sites and one of those sites gets
hacked, or your password is conned out of you directly through a phishing
scam, it can be used to access some of your most closely-held information."

You're right that it helps in cases where all the attacker has is your
username and password. However, the blog post overstates the merits of this
feature a little bit. ;)

------
zyb09
Seems to be the same thing with the BlizzAuthenticator. Good idea, but I
wouldn't use it. You gotta consider what happens if you loose your phone. You
can't do any emergency calls and don't even have access to your saved phone
numbers anymore. You're also locked out of your Gmail Account for god knows
how long. I like my phone, but a little bit decentralizing can never be wrong
:)

~~~
Matt_Cutts
You can print out a set of one-time codes and then put that paper in your
wallet. That's what I'm doing.

~~~
jdludlow
I have a relative with a fire proof gun safe in another state. This is a good
place for crypto keys, master passwords, etc. For the cost of overnight Fed
Ex, I can recover from a disaster.

------
tomkarlo
This is great - and it begs the question why my brokerage and banking accounts
don't offer something similar, especially considering I have iPhone apps from
both that could be providing the second authentication factor.

~~~
minouye
BofA uses something similar when transferring funds between accounts--a unique
code is texted to a registered mobile device to complete the transfer. It
seems feasible that they could extend the technology to logins.

~~~
tomkarlo
Four or five years ago I did some work with a company that provides online
banking web platforms to smaller regional banks. I asked the CEO about 1+1
authentication (at the time in the context of a RSAID type keychain fob
device) and he said they'd pitched it but there was no interest from the
banks. In their defense, maybe those RSA thingies are just too expensive for
consumer accounts, I do know Citi now provides them to business accounts.

------
ximeng
A competitor for RSA's SecurID:

<http://en.wikipedia.org/wiki/SecurID>

I've been thinking how you'd do this as a generic application for web apps. A
daemon somewhere on the web that resets your password once a day for all the
web apps you use to "original password+unique daily code". Then you log in
with that code from your phone and your original password.

~~~
tptacek
My friend Dug Song is tackling this problem:

<http://www.duosecurity.com>

~~~
ximeng
Very interesting, I assumed someone would be working on something like this. I
guess it's a big market, if you can convince bigcos to trust the phone to be
secure.

------
ez77
I asked this before to the HN community, but I didn't get much feedback;
please share your thoughts. How come _domain registrars_ have not developed
this eons ago? [+] Isn't that arguably the most critical gateway for a
community of web developers? I humbly ask these questions as an amateur and
aficionado without any deployed commercial sites, so maybe the pros in here
would beg to differ with my paranoia.

[+] Better yet, why doesn’t some HNer take up launching a security-oriented
domain registrar? ;-)

------
beoba
It'd be nice they allowed secondary passwords for eg google talk. I don't much
care for having to hand out my full credentials just to use things like
bitlbee/meebo.

~~~
Matt_Cutts
You can generate application-specific passwords and then see/revoke those
passwords on your google.com/accounts page.

~~~
travisp
Are these "application-specific" passwords limited in any way? For example, if
one of them is stolen without my knowledge, can the attacker fully access my
Google account (e.g. account settings, all Google services, etc.)? Obviously
it's less likely that one of these passwords will be stolen than passwords,
but it's still possible.

From the screenshots (don't have access yet) it seems that you don't get to
specify the type of application or access, but I would assume there is some
limitation on what you can do with these passwords?

~~~
Matt_Cutts
Good question. I think app-specific passwords have full access.

~~~
beoba
If that's the case, what are they for?

