One of my friends had her email account hijacked recently. The hijackers had obviously got hold of her password somehow and were sending out emails to her address book claiming she was stuck overseas and needed money sent to her. I’d read about this sort of thing but never had it happen to me or anyone close to me. I suspect that it would be quite easy for the less knowledgeable and naive not to realise, to send money and to be taken for a ride, as it was certainly more “sophisticated” than the typical Nigerian scammer email. I actually toyed with them for a while (to the extent of trying to send them to my mate Kon Stabel at the address of the local police station :)) and the hijackers were pretty “sneaky” about trying to get money out of me.
It was then that I decided I should really do something about strengthening the security of my own accounts by turning on Google’s 2-step authentication, which I’d read about but never got around to implementing.
Working in IT you’d think I’d know better; however, this got me thinking about all the information I have stored in my Google account. Access to my email alone would expose other sensitive information and, as a flow-on from my emails, give an attacker indirect access to other websites. Password resets sent to that email address for non-Google applications or sites could be performed, as could logins to applications that use your Google account as a “passthrough” login. In addition, if you’re part of the “Google-verse” (“luckily” my friend above had just a Hotmail email account), access to your Google account gives access to your email and all your other Google apps such as Google+, Documents, Photos, Reader, YouTube, and more. A bit scary really.
Google 2-step authentication works on 2 things: something you know – your password – and something you have – your phone or tablet.
It’s easy to turn on from your Google Account Settings.
Once you turn on 2-step authentication, whenever you log in to your Google account you enter your normal password and the site then asks you for an authentication code consisting of a 6-digit number.
This code can be delivered to you in a number of ways:
- SMS to a specified mobile number.
- Voice call to a specified mobile or landline number.
- The Google Authenticator app for Android, iPod/iPhone/iPad or BlackBerry – this app generates a time-based code for you to enter, derived from a secret tied to your account. The system is very similar to the RSA tokens that many enterprise businesses use for their 2-step authentication. It can generate codes for multiple Google accounts if you have them.
So to log in, you need to know your password and also have your mobile phone to receive or generate your 6-digit code. Even if your password is compromised, a would-be thief still needs to get hold of your phone to hijack your account. Each code is only valid for around 30 seconds.
You can also choose to trust a machine for up to 30 days, so you won’t be asked for a new verification code on that same machine for 30 days. If you find yourself having to log in on another new machine or on a public/shared device, you’ll have to input a verification code again. On a public machine, if you don’t use the 30-day option, the next time you log on to that machine you’ll have to enter another verification code, which is quite handy if you find yourself having to use internet cafes to access your Google account. Even a keylogger will only be able to grab your password, as the verification code you enter is only valid for a short space of time.
Some devices and applications won’t let you enter the second security code, so you need to create an Application Specific Password (e.g. Gmail login for Android). To let these access your Google account you generate a 16-character alphanumeric code that you use in place of your normal password.
It appears to me that the code is a hash of your user name and what you name the application (e.g. “Gmail for Android Login”). (As per the discussion below, it would appear it’s not a hash unless it’s time-based as well; putting the same application name in gives different codes. Perhaps it is just random.) You then use this code rather than your normal password to log on. You normally only have to use this password once, and you can always revoke the passcode if you need to for any reason.
If you’re out of mobile range or you don’t have your phone with you, Google can also supply you with a list of backup codes, which you can print or store somewhere you’d normally have access to other than your phone.
As an exercise, sit down and work out what information and access would be available should your Google account be hacked. While there’s a small amount of extra work involved in setting up 2-step verification, as well as some extra “work” involved in logging in to your Google account, the extra security you get is well worth the effort to protect your sensitive information.
Addendum: 4 Jan 2012 – I’ve just found that Google Authenticator can also be used as a 2-factor authenticator for the LastPass password manager as well.
Addendum: 7 Jan 2012 – A quick heads up about using the Authenticator on multiple or new devices. If you turn on authentication and just follow the instructions on a single device, then when you want to move to a new device (which will happen with upgrades) or add an additional device, you’ll actually have to turn off verification and recreate your account codes (only your live ones, not the application-specific ones) on both your old and new device. The trick is that when you initially turn it on, take a screenshot of your barcode and/or the key it gives you and store it in a safe place. Then you can just load Google Authenticator onto your new device and rescan or manually input the account verifications when you create the account in the app.
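A worked example of the 6-digit, 30-second codes described in the Authenticator section, and of why the key or barcode from the addendum above restores the same codes on a new device: any device holding the same secret and a correct clock computes the same code. This is code added here, not the post’s or Google’s own; it implements the TOTP algorithm from RFC 6238 that Google Authenticator follows, using a constructed sample secret in place of a real account key.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample secret for illustration only (not a real account key).
# It stands in for the base32 string Google Authenticator shows under the
# barcode at enrolment, which is what the addendum says to keep a copy of.
SAMPLE_SECRET = "JBSWY3DPEHPK3PXP"
TIME_STEP = 30   # seconds per code, the ~30 s validity described in the post
DIGITS = 6       # length of the code you type after your password


def decode_secret(secret_b32: str) -> bytes:
    """Base32-decode the enrolment secret, tolerating spaces, case and padding."""
    s = secret_b32.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(decode_secret(secret_b32), at_time // step)


def verify(secret_b32: str, submitted: str, at_time: int, window: int = 1) -> bool:
    """Server-side check: accept the current step plus `window` steps either
    side for clock drift, comparing each candidate in constant time."""
    key = decode_secret(secret_b32)
    counter = at_time // TIME_STEP
    return any(hmac.compare_digest(hotp(key, counter + d), submitted)
               for d in range(-window, window + 1))


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(SAMPLE_SECRET, now),
          "(valid for about", TIME_STEP - now % TIME_STEP, "more seconds)")
```

Running the block twice within the same 30-second window prints the same code; a stolen code is useless once the window has passed, which is the property that blunts a keylogger.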