Thursday, August 23, 2012

Matt Cutts: Please turn on two-factor authentication


You should read Mat Honan’s heartbreaking tale of a hack attack and the ensuing discussion onTechmeme. Much of the story is about Amazon or Apple’s security practices, but I would still advise everyone to turn on Google’s two-factor authentication to make your Gmail account safer and less likely to get hacked.Two-factor authentication means “something you know” (like a password) and “something you have,” which can be an object like a phone. I often hear the same questions or objections when I recommend two-factor authentication. Jeff Atwood has done a good job of debunking common misperceptions–check out his post, which even has pictures. But here are some misconceptions that I hear, along with the reality:
Myth #1: But what if my cell phone doesn’t have SMS/signal, or I’m in a foreign country?
Reality: You can install a standalone app called Google Authenticator (it’s also available in the App Store), so your cell phone doesn’t need a signal.
Myth #2: Okay, but what about if my cell phone runs out of power, or my phone is stolen?
Reality: You can print out a small piece of paper with 10 one-time rescue codes and put that in your wallet. Use those one-time codes to log in even without your phone.
Myth #3: Don’t I have to fiddle with an extra PIN every time I log in?
Reality: You can tell Google to trust your computer for 30 days and sometimes even longer.
Myth #4: I heard two-factor authentication doesn’t work with POP and IMAP?
Reality: You can still use two-factor authentication even with POP and IMAP. You create a special “application-specific password” that your mail client can use instead of your regular password. You can revoke application-specific passwords at any time.
Myth #5: Okay, but what if I want to verify how secure Google Authenticator is?
Reality: Google Authenticator is free, open-source, and based on open standards.
Myth #6: So Google Authenticator is a free and open-source, but does anyone else use it?
Reality: Yes! You can use Google Authenticator to do two-factor authentication with LastPass,WordPress, Amazon Web Services, Drupal, and DreamHost, or even use a YubiKey device. There’s even a Pluggable Authentication Module (PAM) so you can add two-factor authentication to any PAM-enabled application. That means you can use Google Authenticator to add two-factor authentication to SSH, for example.
One last tip: use a different password on Gmail/Google than on other services. If you reuse a password and a hacker cracks into one company, they can use the same password to crack into your Google account.
Please don’t wait to turn on 2-step verification. It’s not that hard, and it will really protect your account. Why not set up two-step authentication right now?
” You create a special “application-specific password” that your mail client can use instead of your regular password.”
Doesn’t it kind of defeat the purpose? An attacker can simply use this password to access my information with 2-factor authentication.
He may not be able to delete the account, but he can delete my mails and stuff, so this is like a big hole on the shield.
Source: Mattcutts

1 comments:

Unknown said...


Good Blog ! It Is My first Time visit i Here. Thankyou For shearing This Information With Us.
Website Designing Company in Delhi

Post a Comment

Twitter Delicious Facebook Digg Stumbleupon Favorites More

 
Design by Free WordPress Themes | Bloggerized by Nilesh Kindarle - Free Press Release Website | Business Research