8 comments :
Any chance an app for Windows Phone is on the way?
2-factor authentication is great, but I already have a YubiKey on my keychain. I think it would be great if Google supported YubiKey. Thanks!
I follow a couple of Google Blogs, which are very useful in keeping updated.
It pains me that all Blogs do not have a consistency in terms of being able to subscribe by email.
Some do allow email subscription, most do not.
What a pity since email allows me to choose only the blogs I REALLY read as opposed to "READ when FREE" type blogs on my Google Reader.
So, Please enable email subscription for all Google Blogs.
The "Remember location for 30 Days" tick box just uses a cookie, which for me is redundant as I clear cookies on exit (Chrome, Firefox, etc.). This means I have to always enter a verification code, which to be honest doesn't bother me too much but possibly could be better without impacting the effectiveness of the security.
Using Ubuntu One as an example, machines are authenticated against an account. The list of authorised machines can be shown and any authorised machine can be de-authorised (from anywhere).
Could something similar be incorporated into two-step? Still the same process, but instead of identifying a machine by a browser cookie (i.e. client-side) the machine itself is identified and the list of authorised machines is maintained server-side.
The Google Dashboard could be updated to allow users to manage their authorised machines.
Maybe a manual process is required to add a machine to the list of authorised machines. Remove the tickbox for "Remember..." so that you can never really accidentally add a "public" machine to that list.
Either way, I'm using 2-step and think it's a good idea. Thank you for the feature.
Are sites like spy.scorpio.com really cracking accounts and getting passwords or is there an insider helping these Crackers out?
The one thing I don't like about this feature is the "Thank you for using..." part which comes up initially. Just give us the code up front (repeat twice), then say the "Thank you..." message.
1. It's a waste of everyone's time to listen to this message up front.
2. I think you are wasting energy unnecessarily forcing people for a few seconds to listen to it... I am sure it will save a few barrels of oil if you remove that message up front.
Have you got the latest stats on how many gmail.com accounts are compromised per day? This would be a more compelling argument for enabling 2-step verification.
Hi,
I generally find 2-step authentication a great feature, but the way it is implemented doesn't work for me for a number of reasons, the main one being that I frequently travel where I do not have mobile access, and one-time codes are a security risk.
Now I am less concerned in my account being accessed for read / write, but totally hijacked, i.e. password changed.
Wouldn't it have been better, for special cases such as myself and the general population, if standard account access was via simple password, BUT if changing account access, i.e. password, THEN some form of 2-step authentication would be required?
I think this would have been a good half-way house, and more likely with a higher adoption rate...
Just thinking
marcel