Thursday, February 10, 2011

"2-step verification,"

Posted at 4:58 PM ET, 02/10/2011

Google adds optional two-step Gmail security

By Rob Pegoraro

Google just launched a new, secured login for Gmail and other Google services. Done right, it can greatly increase a Google Account's defenses--but I worry that the less security-conscious users who could use the help most will shy away from its complexity or get locked out of their service by mistake.

Google calls this option "2-step verification," although it's often referred to as "two-factor authentication." By either name, it adds an extra line of defense beyond your password: a numeric code generated on the spot for each login and then discarded.

Google's blog post and help page explain how this will work. First you'll activate this from your Google Account settings page through a "Using 2-step verification" link, and then you'll be asked to enter a numeric code after having it generated by a smartphone application or sent by Google to your phone via text message or phone call.

This won't take the place of the traditional username-and-password combination, nor do you have to go through this ritual every time; you'll be able to tell Google to remember it for 30 days at a time.

You won't need to have a working Internet connection or even cell service on your phone. Google's free Google Authenticator--available for Android, the iPhone, iPad and iPod Touch, and BlackBerry devices--works offline. You can also use one-time codes generated when you first set up 2-step verification.

But this extra security only works in Web pages; applications such as Microsoft's Outlook or Apple's Mail that connect to Google services don't support this. For those cases, Google lets you create passwords only good for those installations--for example, one for a smartphone's mail program and another for a desktop computer's mail client.

All that sounds good--though I can't speak from personal experience, since none of my Google accounts offer this option--and comes highly recommended. Lifehacker's Adam Pash, for example, writes: "start using this feature as soon as possible." The headline on Jason Kincaid's post for TechCrunch ends "You Should Use It." Google search guru Matt Cutts Twittered: "*Everyone* should do this."

But... I fear that the people who most need to strengthen the security of their Gmail won't follow any of this advice. They don't know who Matt Cutts is, don't read Lifehacker or TechCrunch and they're likely to get lost on the way to setting up two-step verification--or will balk at following advice that may seem like something cooked up by a paranoid IT department.

Fortunately, there are simpler ways to defend your Google account. You can choose a password that you haven't used at other sites and isn't in the dictionary or easily guessed from public details of your background; be smart and skeptical, which means not installing strange new software and ignoring phishing scams; and set up the account-recovery options already available to ensure you can regain control of your account if it's hacked.

Do those things, and then we can think about two-factor authentication. But whatever you do, please don't read Google's advice today and think "oh, security is obviously too hard to do right."

Categories: E-mail, Security
