You should read Mat Honan's heartbreaking tale of a hack attack and the ensuing discussion on Techmeme. Much of the story is about Amazon's and Apple's security practices, but I would still advise everyone to turn on Google's two-factor authentication to make your Gmail account safer and less likely to get hacked. Two-factor authentication means "something you know" (like a password) plus "something you have," which can be an object like a phone. There's a simple video about how it works.

I often hear the same questions or objections when I recommend two-factor authentication. Jeff Atwood has done a good job of debunking common misperceptions; check out his post, which even has pictures. But here are some misconceptions that I hear, along with the reality:

Myth #1: But what if my cell phone doesn't have SMS/signal, or I'm in a foreign country?
Reality: You can install a standalone app called Google Authenticator (it's also available in the App Store). The app computes each code locally from a secret it shares with Google at setup time, so your cell phone doesn't need a signal.

Myth #2: Okay, but what if my cell phone runs out of power, or my phone is stolen?
Reality: You can print out a small piece of paper with 10 one-time rescue codes and put that in your wallet. Use those one-time codes to log in even without your phone. Each code works exactly once, so treat the paper like a spare key.

Myth #3: Don't I have to fiddle with an extra PIN every time I log in?
Reality: You can tell Google to trust your computer for 30 days and sometimes even longer. That trust lives in a browser cookie, so only grant it on a machine you control.

Myth #4: I heard two-factor authentication doesn't work with POP and IMAP?
Reality: You can still use two-factor authentication with POP and IMAP. You create a special "application-specific password" that your mail client uses instead of your regular password. Keep in mind that an application-specific password lets that client in without a second factor, so treat it as a secret: use a separate one per client and revoke any you no longer need. You can revoke application-specific passwords at any time.

Myth #5: Okay, but what if I want to verify how secure Google Authenticator is?
Reality: Google Authenticator is free, open-source, and based on open standards.
Myth #6: So Google Authenticator is free and open-source, but does anyone else use it?
Reality: Yes! You can use Google Authenticator to do two-factor authentication with LastPass, Amazon Web Services, Drupal, and DreamHost, or even use a YubiKey device.

One last tip: use a different password on Gmail/Google than on other services. If you reuse a password and a hacker breaks into one company, they can try the same password on your Google account. Please don't wait to turn on 2-step verification. It's not that hard, and it will really protect your account. Why not set up 2-step verification right now?
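The rescue codes from Myth #2 are simple enough to model. The following is an added example, not code from the original post or from Google; it assumes a design in which the server keeps only a keyed hash of each printed code and deletes that hash the first time the code is redeemed, which is what makes a code one-time. The server-side pepper key, the 8-digit code length and the sample codes are assumptions of this example.

```python
import hashlib
import hmac
import secrets


def generate_backup_codes(n: int = 10, ndigits: int = 8) -> list:
    """The codes the user prints: n random numeric strings such as '49305817'.
    secrets (the CSPRNG) is used, never the random module. Length is an assumption."""
    return [str(secrets.randbelow(10 ** ndigits)).zfill(ndigits) for _ in range(n)]


class BackupCodeStore:
    """Server side (assumed design, not Google's): store keyed hashes only, delete on use.

    An 8-digit code has just 10^8 possibilities, so a plain hash could be brute-forced
    offline if the user database leaked. HMAC with a pepper the database does not contain
    blocks that. A real deployment must also rate-limit guesses per account.
    """

    def __init__(self, codes, pepper: bytes):
        self._pepper = pepper
        self._hashes = {self._hash(c) for c in codes}

    def _hash(self, code: str) -> bytes:
        return hmac.new(self._pepper, code.encode(), hashlib.sha256).digest()

    def remaining(self) -> int:
        """How many unused rescue codes are left; show this so the user knows when to print a fresh sheet."""
        return len(self._hashes)

    def redeem(self, code: str) -> bool:
        """Accept a code at most once. Users type codes with spaces or dashes, so normalise first.
        Every stored hash is compared in constant time so timing does not reveal which slot matched."""
        candidate = self._hash(code.replace(" ", "").replace("-", ""))
        matched = None
        for stored in self._hashes:
            if hmac.compare_digest(stored, candidate):
                matched = stored
        if matched is None:
            return False
        self._hashes.remove(matched)   # this is the "one-time" property
        return True


if __name__ == "__main__":
    sheet = generate_backup_codes()
    store = BackupCodeStore(sheet, pepper=b"server-held-key")   # pepper is a placeholder value
    print("print these:", sheet)
    print("first use accepted:", store.redeem(sheet[0]))
    print("second use accepted:", store.redeem(sheet[0]))
    print("codes left:", store.remaining())
```

The second redeem of the same code is rejected, which is exactly the behaviour a stolen or photographed sheet needs: each code is worth one login, not a standing bypass of the second factor.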
I wanted to post about Google's new two-factor authentication announcement. Two-factor authentication is something you have (e.g. a phone) plus something you know (e.g. a password). It's a Big Deal because if your account or business has two-factor authentication, those accounts are immediately less likely to be phished, hijacked, or otherwise abused. There's a neat Google Authenticator application that runs on Android, iPhone, and Blackberry.

For the "something you have," Google provides lots of ways to authenticate:
– SMS, e.g. for cell phones
– a voice phone call, e.g. for landline phones
– authentication apps, e.g. for smartphones that might be abroad or not have a signal. Android, iPhone, and Blackberry phones are supported.
– one-time/single-use codes that you can print out as a final fallback and put in your wallet, desk or a safety deposit box.

This announcement has a few bonus features. Here are some extra-good things that make me happy:
– Two-factor authentication will be offered on all Gmail accounts "in the next few months," according to TechCrunch.
– You can authenticate a particular browser using cookies for 30 days per browser. So you don't get bugged with a login message on a computer you use every day, like your home computer.
– Google open-sourced the Android authentication app and, according to that page, will open-source the iPhone app soon.
– Drew Hintz mentioned in the TechCrunch comments that the Google Authenticator app uses RFC 4226 (HOTP, the HMAC-based one-time password algorithm), so a lot of this work is open stuff that people could take and build on.

Drew also does a great job debunking misconceptions in the TechCrunch comments:

"Random commenter: Google wants my phone number? (insert too-much-data-conspiracy here)"
"Drew: Actually, you can use the app if you prefer not to provide a phone number"

Overall, this is a great launch. I've seen the pain that a hijacked account can cause, over and over and over again. Don't just protect yourself with a password.
As soon as you can, add an extra layer of protection with two-factor authentication on your account. Two-factor authentication: it’s not just for World of Warcraft any more.