Saturday, June 4, 2011
Gmail Security - Two Step Verification
Anyone who follows geek websites knows that Facebook is not very concerned with security, but Google has a much better reputation. That's why I was surprised this spring when James Fallows reported the rise of Gmail hijackings. Since then it has happened to people I know and to government officials. It's also happening to Yahoo, Hotmail and AOL.
The solution for Gmail is similar to the "Login Approvals" Facebook precaution I advised you to take. Google calls it 2-Step Verification, and I've been using it without a hitch for a couple of weeks now. Because phishing and other forms of data theft have compromised the security value of passwords (even good, strong ones), 2-Step Verification requires someone signing into your account to have both the password and a physical object - your phone or your computer. The first time you log on to each computer after initiating 2-Step Verification, you will be asked to provide a code which Google will send to your phone. A hacker in China or Seattle might have your password (sooner or later one probably will) but won't have your hardware.
Google explains the process for activating 2-Step Verification here, and there's a "wizard" that guides you in setting it up. I have an Android phone and I use the program "Google Authenticator," downloaded free from the Android Market, to generate codes when I need to log in to Gmail (and Calendar and Reader and Google Docs, etc.) on a new computer. iPhone and BlackBerry have equivalent apps, and if you don't have a smartphone, you can get the codes via text message.
While losing control of your Facebook account must be annoying, you really shouldn't keep personal data there. Losing control of your email must be devastating. Although the 2-Step Verification process sounds complicated, it really is not difficult to set up, and once it is up and running you rarely have to do anything differently (unless you sign into email on new computers frequently).