Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

2/10/2011
06:27 PM
Connect Directly
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Google Enables Two-Factor Authentication For All

You can now protect your Google Account with security techniques employed by online banks.

Having recently made two-factor authentication available for Google Apps customers, Google on Thursday extended its more secure sign-on mechanism to all Google Accounts.

Google calls the process two-step verification. It is intended to reassure those who believe they need more than a mere password standing between their online data and the cyber-thieves of the world.

"Two-step verification requires two independent factors for authentication, much like you might see on your banking Web site: your password, plus a code obtained using your phone," explains Google product manager Nishit Shah in a blog post.

The set-up process isn't ridiculously onerous, but it isn't drop-dead easy either. Google suggests setting everything up may take 15 minutes. Thoughtfully, users aren't entirely on their own: Google provides a set-up wizard to guide people through the necessary steps.

Turning two-step verification on is done through the "Using 2-step verification" link on the Google Account Settings page. Users who don't see any such link can expect it to be available within the next few days.

Once enabled, a user who signs in with the Account password will be presented with an extra Web page asking for a code. Google will either generate an automated call with the code, send the code to a mobile phone via SMS, or allow the user to generate the code using an app on an Android, BlackBerry or iPhone device.

A particularly convenient feature is the ability to register a backup phone to receive codes, in case one's primary phone get stolen or is lost.

Additional security, however, should not be confused with foolproof security. In late 2009, Gartner issued a research note recommending further defenses beyond two-factor authentication. It seems cyber-thieves have had some success bypassing two-factor security schemes at some banks using man-in-the-middle attack techniques. The fraudsters managed to have verification phone calls associated with compromised accounts forwarded to their own phones.

But Google's decision to offer extra security to those who want it represents a step in the right direction.

Matt Cutts, who runs Google's Web spam team, notes that two of his relatives have had their Gmail accounts hijacked because someone guessed their passwords.

"If someone hacked your Gmail account, think of all the other passwords they could get access to, including your domain name or Web host accounts," he wrote in a blog post.

While conceding that the extra security of two-step verification may be an inconvenience, he insists it's worth the trouble. "I use it on my personal Gmail account, and you should too," he said.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Overcoming the Challenge of Shorter Certificate Lifespans
Mike Cooper, Founder & CEO of Revocent,  10/15/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-27638
PUBLISHED: 2020-10-22
receive.c in fastd before v21 allows denial of service (assertion failure) when receiving packets with an invalid type code.
CVE-2020-27642
PUBLISHED: 2020-10-22
A cross-site scripting (XSS) vulnerability exists in the 'merge account' functionality in admins.js in BigBlueButton Greenlight 2.7.6.
CVE-2020-27621
PUBLISHED: 2020-10-22
The FileImporter extension in MediaWiki through 1.35.0 was not properly attributing various user actions to a specific user's IP address. Instead, for various actions, it would report the IP address of an internal Wikimedia Foundation server by omitting X-Forwarded-For data. This resulted in an inab...
CVE-2020-27620
PUBLISHED: 2020-10-22
The Cosmos Skin for MediaWiki through 1.35.0 has stored XSS because MediaWiki messages were not being properly escaped. This is related to wfMessage and Html::rawElement, as demonstrated by CosmosSocialProfile::getUserGroups.
CVE-2020-27619
PUBLISHED: 2020-10-22
In Python 3 through 3.9.0, the Lib/test/multibytecodec_support.py CJK codec tests call eval() on content retrieved via HTTP.