

Google Apps adds two-factor authentication via SMS - omh
http://googleenterprise.blogspot.com/2010/09/more-secure-cloud-for-millions-of.html

======
ez77
OK, I've been meaning to ask the HN community about this. Please share your
thoughts.

Wouldn't it make a lot of sense for Google (et al) to have this sort of
authentication _every_ time you want to change your Google Accounts password?
Isn't this a pretty safe way to prevent being locked out should someone gain
access to your account?

You may be thinking about costs, but this could easily be a premium service I
would gladly pay for! For instance, I could charge $10 to my account, which
should allow me plenty of password changes in the future. An intruder may
"waste" at most one SMS, since he would not have it and until then Google
should not send you any additional SMSs. Does it make sense? If it does, you
Googlers in here, please pass it on!

While we're at it... how about extending this to domain registrars? This would
be even more critical. I must say it, I'm pretty paranoid and by now it
clearly shows. I don't know how you guys have launched successful websites and
cope with this lack of safety features. I know I'm rambling, but please speak
your mind on this issue.

PS: I realize things are not so bad as they could be, that probably keyloggers
are rather hard to plant, etc. But it wouldn't hurt to have these features,
and the companies involved would only profit, both financially and in terms of
reliability.

~~~
borism
Do you realize 2-factor authentication has nothing to do with changing
passwords?

~~~
ez77
Yes. My humble proposal is that it should. Do you think it would be
ineffective, or a bad idea? If so, why?

~~~
borism
Well, since two-factor authentication is required to log in to your account
to change password, I would think it already applies to password change?

~~~
kgermino
I believe ez77 is saying to make it so that the 2 factor auth. comes every
time you try to change your password whereas this seems to be designed to only
be used the first time you use a computer with an account. I may be mistaken
though.

------
ams6110
I've thought about using this approach; my concern is that SMS is not always
"instant". I've had messages take up to 30 minutes to get delivered; it
probably does not happen often but it wouldn't take too many occurrences of
having to wait for a message on my phone before I'd get irritated.

~~~
nodata
From my limited experience, I think you can pay to have these types of SMS
prioritised.

~~~
v21
I work at an SMS aggregator, and I've never heard of such a thing. SMS are
pretty speedy, unless something goes wrong and they get wedged, in which case
priority messages wouldn't help you anyway.

~~~
nodata
My limited experience is unfortunately based on online banking: my bank can
send me a TAN SMS faster than anything I've seen.

------
borism
Only for paid Google Apps users currently :(

~~~
DrewHintz
"Standard Edition customers will be able to access it in the months ahead"

(disclaimer: I work on the project.)

~~~
ez77
Hey! I don't mean to "spam" you... but I'd be really interested in your
opinion given your expertise and position regarding my original comment. Are
keyloggers and the like blown out of proportion? Don't you feel being locked
out of your account/domain is a pretty serious security issue for most small
players/home users? Please share my proposal at Google! Best.

~~~
DrewHintz
> Are keyloggers and the like blown out of proportion

Keyloggers and password reuse are a real-world security issue. Two-factor
authentication provides an extra level of protection against them.

> being locked out of your account/domain .... for most small players/home
> users?

The final step of configuring two-factor verification provides you with a list
of one-time codes you can print. This provides a back-up way of having codes
in case your phone is lost. You can keep these printed codes some place safe
like your wallet or safety deposit box.

[http://www.google.com/support/accounts/bin/answer.py?answer=...](http://www.google.com/support/accounts/bin/answer.py?answer=185839)

