Posted 23/Feb 2011 at 15:39
by in Science & Tech read by 75 people

Google Accounts have gotten a lot more secure!

Are you one of those people who prefer to avoid having to enter - and remember - a password for every website you use? And have you, like me, noticed that more and more websites offer login through Facebook, Google, Twitter, OpenID and whatnot? If you've answered yes to the previous questions, then I guess you'll say yes to the next one too:

Are you worried that if someone gains access to one account, they'll suddenly have access to all of your accounts?

Well, I've been increasingly worried about that. And when I read that you can set Facebook up to always let you surf over HTTPS, send you emails whenever your Facebook account is used to log in somewhere and even whenever someone, possibly not you, logs in from an unknown computer, I jumped for joy.

Maybe I won't be in time to stop the person from hacking all of my accounts, changing all of my profile settings and adding some harmful content to my wall - but at least I'd be informed about it.

Google's "two step verification" has been around for a while. I believe it started in premium Apps accounts, but quite recently it was launched for any Google Account. Now it's available for all Google Accounts. The instructions might not be in your local language yet - I was presented with a funny mix of English and Danish - but it works.

The idea behind it is simple and very comparable to many online banking applications. Instead of logging in with just your username and password (things you know), you'll be asked to enter an additional code generated on your mobile phone (something you have in your hand). This way, just knowing your password or just having your mobile phone isn't enough. You need both.

The setup is easy. Go to GMail, or just www.google.com, and log in. Click "settings" in the far top right corner and then choose "account settings". Under the header "security" you'll find "using 2-step verification". Click that.

From there, Google guides you along the way. They offer apps for Android, iPhone and BlackBerry. The app generates a time-specific code based on a secret stored inside the app. This secret is a rather long string of characters, which you won't have to enter manually - you can use the barcode scanner for that. Time-specific means that each code is only valid for a limited time, and that generating it doesn't require an internet connection.

After setting up the app, Google is smart enough to insist on you setting up two backup methods. One is just to print a list of 10 codes you can use should you not have access to your phone, the other is to enter your phone number so Google can send you an SMS message with a code. Or call you, and tell it to you using their automated voice service.

Have multiple Google accounts you'd like to protect with two step login? Fine then, you can get the App to remember many account secrets. And you can use the same mobile phone as a backup to several accounts.

If you use Google Mail inside Apple Mail, Thunderbird, Outlook or a similar program, or use your Google Account on your Android mobile, or use Picasa, none of your saved passwords will work. Instead, Google invites you to create application-specific passwords for those services which aren't - yet - compatible with 2-step verification. Just remember that your passwords for IMAP/POP are probably stored separately from your SMTP password, so send an email to yourself while you're setting it up to trigger the password check and change that one as well.

And here comes the best thing of it all. Something that's literally making me cry with joy. Well, almost - my eyes got a little bit wet. Google's motto is still "Don't be evil" and they put their deeds where their motto is. The whole thing is compatible with open (OAUTH) standards. And the Google Authenticator app can be used by anybody, to secure any service.

So, if you are a software or website developer, just visit google-authenticator on Google Code, read through some of the documentation and start securing.

A bit of Googling led me to instructions on how to secure SSH access with it: mnxsolutions.com/(..)/henticator.html - could be a pretty darn good idea ;)
