Monday, July 22, 2013

a look at Google's two-factor auth

Now that I've been burned and had to enable two-factor authentication for a private mail account (which, obviously, I thought wasn't worth it), I get to look at the implementation options they've included. And I have to say I'm really impressed.

First factor - something you know - your password
Second factor - something you have - the phone, a dongle or a piece of paper. Or an application, as we'll see.

Right? That we know.

A carefully crafted two-factor authentication, which I only started to use yesterday, being forced to do so (ha...), gives you these options:

1. the mobile phone - receive the codes by SMS.
2. an app on the mobile phone: Google Authenticator. This generates the codes on your mobile, and it's the missing link between the site and you, because it doesn't depend on your mobile operator delivering the SMS messages in time. They tend to delay SMS messages, especially when they're overloaded (at Christmas, for example).
3. backup codes. This is the piece of paper on which you write the access keys.
4. backup mobile phone! You can add your wife's, or your second mobile, in case you lose the main device. This means you can have a backup dongle receiving the SMS codes.

As a user, I now have:

- the dongle: my first mobile device
- at least one second dongle: my wife's device
- the application running on the first mobile device
- the piece of paper

So yes, they've implemented this geeky method in a smart way.

Sunday, July 21, 2013

being cracked on Gmail

It's not pretty. I experienced this today, and the frustration is exactly the same as when I discovered my car had been broken into, several years ago.

It was a matter of minutes. When I received the SMS [we "prevented" a suspicious login], I actually had a browser tab open on my emails! When I refreshed, oops! Enter your password! I think it only took 4 minutes to regain total control of the account; however, imagine my embarrassment when a friend SMSed me: hey, you have a virus, you've mailed your entire Gmail contact list!

Whaaaaat? No mail in the Sent folder; instead I started to receive tons of OOF replies and several "Mail Delivery Subsystem" messages informing me that those addresses no longer exist. Doh... the damage was done: the bot that cracked my account scanned the entire list and sent a crap mail with a link to a phishing site, probably. I hope you haven't opened it!

No other damage done or information lost on my side. Except for my reputation :)

So, 30 more minutes of frustration later [and some curses; we Romanians excel at that, English is really poor at it...] I thought I'd have to stop keeping my contacts with Google and syncing with Android, pretty much the only convenience really useful on the smartphone for me.

Then I remembered I had to check Google's two-factor authentication. This is not a new concept for me. We used it in at least two projects, I use it all the time working online with the bank, so I'm rather familiar with it. But I would never have thought I might need it for private mail! C'mon! Two-factor authentication is way too geeky! I use Gmail to register on sites and to exchange mail occasionally!

So here you have it: even if you think it doesn't matter, being cracked can be embarrassing, so get on two-factor authentication. Times are truly changing.