Google’s two-step verification

With some people using an “online office” with Gmail as their email client, Google Docs as their office suite and Picasa Web as a photo hosting service, the security of their Google account is critical. Google’s support forum is full of desperate stories from people who have lost access to their accounts to hijackers.

This normally happens if a user is not careful about his login data. Common mistakes include:

  • weak passwords and
  • logging in to a Google account (it doesn’t matter which service: Blogger, Google Docs, YouTube, or Picasa) on unsafe computers (a friend’s, a colleague’s, an internet cafe) and not changing the Google password soon afterwards.

Once the password is discovered, a hijacker can log into a Google account and change the password. At that moment, the original user basically loses all means to reliably restore his access: there is practically no way to prove that you have any more rights to the account than the current password owner. Google has introduced a few means of restoring access in simple situations. You may be able to request a password reset code sent to your mobile or to an alternative email address; you may be asked approximately when you started using Google services or who your most contacted addressees have been; and there is a security question. However, don’t forget that as soon as a hijacker knows your password, she can change your security question, download the list of most contacted people, and change the mobile number and the alternative email address connected to your account. It is very hard indeed to prove anything in such a situation.

The above-mentioned mistakes are of course ones that should never be made. However, there is one threat against which even experienced users can do little or nothing: key logging. However careful one may be with one’s account and password, it is impossible to prevent a well-written trojan from getting on your computer and monitoring your input of the Google password. Once this has happened, see above.

Now Google has introduced a new log-in method which may well prevent most successful hijacking attacks: two-step verification. While you still have access to your account, enable this feature (My Account > Personal settings, Security, Using 2-step verification) and set up your mobile phone to be used for verification. From now on, when you try to log in to any Google service, you will get an SMS with a one-time code. This method is used by some banks to secure their online banking service. Even if a hijacker gets your password and the code, she will not be able to change your password, since she would need to enter a new one-time code, which will be sent to your phone.

There are two security gaps in the current Google authentication procedure.

1) If, while entering the one-time verification code, you select “Remember verification for this computer for 30 days”, anyone who has your Google password and access to this computer gets full control over your account (including changing the password and the connected phone number). That is exactly the case if you have a trojan in your system. Therefore never select this option. If you don’t, Google asks for a verification code again when someone tries to change the password, so a hijacker will not be able to do any harm.

2) Google Talk, Google’s instant messaging client, allows you to log in to the Google Account without entering your password in the browser (and thus also without the one-time code). This would be perfectly fine and even useful if Google still required the one-time code for changing the account password. However, this is not the case: once you’re logged in, you can change the password knowing just the password; no one-time code is required. This means that if a hijacker has intercepted both your main Google password (when you were entering it in a browser) and also the Google Talk password, that is enough to change the main password. Let’s hope that this will be improved soon. And for now, try never to enter both the Google Talk and the Google account passwords on the same computer.
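
The rule behind points 1 and 2, as an added example that is not part of the original post and not Google’s code: a constructed model of the password-change check as the post describes it, beside a variant that always demands a fresh one-time code. The `Session` fields, function names and scenarios are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass
class Session:
    """Constructed model of how a session was established (an assumption)."""
    password_ok: bool        # the main account password was verified
    otp_verified_now: bool   # a one-time code was entered for this request
    remembered_device: bool  # "Remember verification for this computer" was selected
    via_app_login: bool      # signed in through a client such as Google Talk


def may_change_password_as_described(s: Session) -> bool:
    """Behaviour the post describes: a remembered computer or a client
    login is accepted in place of a fresh one-time code."""
    if not s.password_ok:
        return False
    return s.otp_verified_now or s.remembered_device or s.via_app_login


def may_change_password_step_up(s: Session) -> bool:
    """Stricter rule: changing the password always needs a fresh one-time
    code, whatever computer or client the session came from."""
    return s.password_ok and s.otp_verified_now


# Constructed scenarios: (password_ok, otp_now, remembered, app_login)
SCENARIOS = {
    "owner, fresh code": Session(True, True, False, False),
    "stolen password only": Session(True, False, False, False),
    "stolen password on remembered computer": Session(True, False, True, False),
    "stolen passwords via app login": Session(True, False, False, True),
}


def compare(scenarios):
    """Return {name: (as_described, step_up)} for every scenario."""
    return {
        name: (may_change_password_as_described(s), may_change_password_step_up(s))
        for name, s in scenarios.items()
    }


if __name__ == "__main__":
    for name, (described, step_up) in compare(SCENARIOS).items():
        print(f"{name:40} described={described!s:5} step-up={step_up}")
```

The two rows where the results differ are exactly the two gaps listed above.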

