Google’s 2-Step Authentication is Awesome

by Louis Marascio on February 20, 2011

How important is your email account? How much damage could someone cause if they gained access to your email? In my opinion, your email account is more important than any other single account you have. The reason is simple: with access to your email an attacker can access every account you have. All they have to do is ask the target site, let’s say Facebook, to reset your password. Facebook will happily send an email to you with a link to change your password, allowing the attacker to take control of your Facebook profile. Ouch. Imagine the damage someone could do with unfettered access to your email for 8 hours, roughly the amount of time we all sleep each night: 8 hours before you might notice anything is wrong. Double ouch.

Most people take security for granted. They use the same password everywhere. If they are security conscious they might use a different password for their bank accounts. The same password. Everywhere. That means any time a web site is compromised, not only do the attackers have your standard password, but they also have your email address. Email address + password = a very simple way for an attacker to automatically scan for potential accounts to compromise. You don’t have to be targeted individually, because the ability to automatically try every email and password in the compromised database is trivial to acquire.

Google’s new 2-step authentication is a godsend. In security parlance it provides what is known as two-factor authentication. The basic premise is simple: by combining two secrets from two separate sources you can achieve better security. One source should be something you know, such as the password you remember. The other secret should come from a source that is in your physical possession, often referred to as “something you have”. For Google’s 2-step authentication the first secret is your Google account password. The second secret comes from an application that is installed on your phone, something you have.

If you haven’t enabled it you should. Here’s why:

  1. It uses your phone. You always have your phone on your person or very nearby.
  2. It instantly makes you a non-easy target. Most attackers will happily move along when they realize your password is more than just HappyFunr0s3z.
  3. There are two backup options in case you lose your phone or it gets stolen.
  4. It stops the proliferation of your primary email password to other accounts and applications: for example, your instant messaging client.
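To make the “something you know” plus “something you have” idea concrete, here is an added example (not from the post, and not Google’s code) of how a server checks the second factor. It assumes the phone app generates time-based one-time codes per RFC 6238 (TOTP, which is what Google Authenticator implements); the user record, password, and base32 seed are constructed for the demo.

```python
# Added example: minimal TOTP (RFC 6238) verifier plus a two-factor login check.
# Assumes the phone app produces RFC 6238 codes; all secrets below are constructed.
import base64
import hashlib
import hmac
import struct
from typing import Optional

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, now: float, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, int(now // step))

def verify_totp(secret: bytes, code: str, now: float, window: int = 1) -> bool:
    """Accept the current 30 s step and +/- `window` steps to tolerate clock drift.
    Constant-time comparison so a wrong guess leaks nothing through timing."""
    if not (code.isascii() and code.isdigit()):
        return False
    t = int(now // 30)
    return any(hmac.compare_digest(hotp(secret, t + k), code)
               for k in range(-window, window + 1))

# Constructed user record: salted password hash (something you know) and the
# TOTP seed shared with the phone app via its base32 form (something you have).
SEED_B32 = "JBSWY3DPEHPK3PXP"  # constructed demo seed, not a real account's
SALT = b"demo-salt"
USER = {
    "pw_hash": hashlib.pbkdf2_hmac("sha256", b"HappyFunr0s3z", SALT, 100_000),
    "totp_secret": base64.b32decode(SEED_B32),
}

def login(password: str, code: Optional[str], now: float) -> bool:
    """Both factors must check out: a password leaked from another site's
    breach is useless on its own, which is the point of 2-step."""
    pw_ok = hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000),
        USER["pw_hash"])
    code_ok = code is not None and verify_totp(USER["totp_secret"], code, now)
    return pw_ok and code_ok

if __name__ == "__main__":
    import time
    now = time.time()
    print("password only  :", login("HappyFunr0s3z", None, now))
    print("password + code:", login("HappyFunr0s3z", totp(USER["totp_secret"], now), now))
```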

Google has made this really easy. It’s great that Google has realized how important your email account really is and that it deserves the level of security typically reserved for other services. For example, many banks will provide you with a hardware token that serves the same purpose that Google’s 2-step authentication does. Unfortunately, most people don’t take advantage of their bank’s hardware token either.

Do this now: go read Google’s announcement about 2-step authentication and then enable 2-step authentication for your Google account. Don’t wait. Just do it. Right. Now.

Why are you still here?
