Google Account 2-Step Authentication

Is Google Account 2-Step Authentication worthwhile/good?

I just signed up all my Google Accounts to 2-Step Authentication. It seems worthwhile because I am not bothered with it when signing on from my laptop, anywhere in the world. But hackers cannot log in without triggering a verification code sent to my cellphone. The only problem I can envisage is if both my cellphone and laptop are stolen or damaged at the same time.

Are there any other downsides?
 
1
•••
No downside. When you activate the 2-factor authentication, you have another form of backup. Did you keep that random number?

Anyway, when you lose your cellphone, just go to the store and get a new one.

Bottom line, your security is in place.
 
1
•••
One huge downside I've noticed is I can no longer send any eMails through their SMTP Server. It won't accept my password, even though it is correct. How to correct this?

@TheWatcher - No I haven't kept the random number. I assumed they would be sending me a new number to verify any new computer/phone etc.

If you lose just your phone, no problem, you can buy a new one and reset your phone number in your Google Accounts. But if you lose both your phone and your computer, how are you supposed to log in?
 
1
•••
OK. SMTP/POP email via Thunderbird appears to be an app. So I set up an app password for mail Other (Linux), and what I thought I was setting as a password appears to be the name of the app, according to Google. I then tried to send/receive an email, and it failed. I was asked for another password, and input the 16-digit code which was generated for both SMTP/POP access, and I can now send/receive emails again. It was far from intuitive. It was a good job I wrote down the 16-digit code, even though Google told me it wasn't necessary.

I had to repeat the process for each Google Account I owned. As I said, it wasn't exactly intuitive. But the 16-digit code becomes your new password for both sending and receiving emails in your mail client.
 
1
•••
Something to learn every day.

Once you know how to use it, you will appreciate it later. Believe me, it's best to have it.
 
1
•••
I'm liking it so far, despite the rocky start :)
 
1
•••
MFA/2FA is a great feature for any service. Google's implementation is particularly nice. It's theoretically possible to circumvent if a hacker gains access to your cookies, but I have yet to hear of that being done en masse.

The application-specific passwords are an awesome addition. Even if your laptop is stolen, intruders still don't have access to your real password. You can easily deactivate passwords that have been compromised. Resist the temptation to reuse app-specific passwords: it defeats the purpose. Although someone with an app-specific password or your cookies can gain access to your account, it's only temporary, and you can easily invalidate the cookie/password. Rather importantly, they can't change your password to hijack your account.

You can only use your real password in applications that explicitly support Google's 2FA. Most applications let Google handle authentication: they'll give you an embedded web browser with a Google login page. When you're logging into most Google websites, including the embedded authentication page, you can use your real password. Behind the scenes, Google creates a temporary password for the application or website that you're using, much like an app-specific password. A notable desktop application that works this way is Google Chrome, as you would probably expect.

When you're logging into applications that require a traditional password--in particular, e-mail programs that use IMAP/SMTP--you'll need to create an application-specific password manually.

If you want to get really fancy, you can get a hardware MFA device. These are super-secure--more secure than text messages or Google Authenticator. They also make you look like a computer ninja. Here's a picture of one type that I've used, though there are lots of different kinds:

[Image: idproove-100.jpg]


(I'm not sure that those work with Google specifically, as I haven't tested that type with Google. They're pretty generic, though.)

We've had some requests to add MFA support to NamePros. I think it's a great idea, so hopefully we'll get around to that in the future. (Remind me if I forget!)
 
0
•••
If you lose just your phone, no problem, you can buy a new one and reset your phone number in your Google Accounts. But if you lose both your phone and your computer, how are you supposed to log in?

You can generate "backup" security codes. If I recall correctly, the link to do that is near the application-specific password tool. Print them out and hide them somewhere safe.
 
0
•••
Actually, I noted all those 16-digit codes down and put them in a text file :) I'll print that out and delete the file :)

I also had to put them into Thunderbird's password manager in order to be able to get/send emails. I couldn't deal with remembering 16-digit codes for a bunch of Gmail accounts and having to put them in manually every time I wanted to send or receive a message.
 
0
•••
One more security option is a secondary/alternate phone, such as that of your wife, girlfriend or any other family member. You can use this option when you don't have your laptop and mobile.
 
0
•••