Eyes Above The Waves

Robert O'Callahan. Christian. Repatriate Kiwi. Hacker.

Monday 31 October 2011

Public Service Reminder For GMail Users

I was just reading the account of yet another victim of identity theft, whose GMail account was broken into. It's tragic, and preventable. If you have a smartphone, you really ought to set up GMail's two-factor authentication right now. It works very well for me.

Update: And encourage your GMail-using friends to do the same!


Which works well unless you don't want to pay the outrageous rates for text messaging on your smartphone and have them blocked as a result.
If you’re charged for incoming text messages, you can install the Android, BlackBerry or iPhone Google Authenticator app, which doesn’t cost anything to run. New Zealand has free incoming text messages, so I use my old Nokia candy bar phone for two-factor authentication here.
Great, thanks for the tip!
I just use the Android authentication app, I didn't even consider the text message option.
Colby Russell
Unfortunately, it looks like you're supposed to use an "application-specific password" if you want to use an IMAP client. A couple of things: 1. It doesn't appear that you are allowed to set your own application-specific passwords. I understand that Google doesn't want to leave this up to users, so as not to allow the weak passwords most are sure to use. However: 2. The generated password is no more (and arguably less) secure than the one of my own choosing. These wouldn't be so bad if it weren't for the Google-generated application-specific password being a hardly memorizable jumble of letters. This itself wouldn't be so bad were it not the case that Google's expectation that I'll set Thunderbird to remember my password is incorrect. Again, Google's expectations end up being the less secure one in this instance of the user-approach-versus-theirs showdown.
Colby: OK, but I think very few users will find themselves in your situation.
Colby Russell
Robert: I wasn't trying to moan under any delusions that this is a common use case. It does make me wonder though, how common of a use case is it for people who don't set the mail client on their phone, etc. to remember their password? Certainly not the most common use case, but more common than mine above. For that reason, two-factor authentication might even open them up to an even larger risk than they would normally be exposed to, since now access to their mobile device -> access to their mail account when it didn't before.
Benoit Jacob
This is really interesting but I've not found where Google says that they're not going to use my cell phone number for any other purpose, including tracking / data collection. I really would rather not extend to my cell phone number further the graph of data about me that google knows.