A few days ago Google activated 2-stage authentication on my account, and I jumped at it like an Irken Invader on snacks. I’ve used gmail since it was invitation only and have amassed quite a lot of important emails in there under various mostly well-organised labels. Things like site registrations, client relationship history, and funny photos of people who shop at Walmart. I want to keep that stuff private of course, and I try to make up passwords that are hard to guess, but who knows how – or when – that password might be compromised? We all do it – immediately after you change a password, you feel bulletproof. Nothing could penetrate your ingeniously clever choice of password where you spelled “password” with dollar signs instead of S’s, and added a 1 at the end. Unbreakable.
It might surprise you to know that the leading cause of password theft is actually a tactic called “phishing” or “social engineering”, which has nothing to do with guessing games. Far more likely than a guessed password is that you get tricked into typing your password into a site that LOOKS like a site it isn’t (most commonly one made to look identical to your bank’s website). Even if you’re good at spotting a fake (tip: look at the address bar) you might accidentally type your password into a chat window, or a Google search, and then it exists in your web history or someone else’s chat log. So how do you protect yourself from that kind of threat? Well, knowledge of how the web and password fields work is one way, but for most people that isn’t even remotely interesting. There’s another way though, and it’s been around for yonks. It’s based on an “authenticator” which generates a password according to the time of day (usually) or some other randomising element. Usually you use it in addition to your password, so that if someone steals your password they still need the authenticator’s code (and vice versa), making it much more difficult.
It happens, hell I’ve done it myself more than once!
The good news now is that you can use an authenticator app on your phone (Blackberry, iPhone and of course Android are supported as of writing this), and protect your whole Google account at once. That includes Gmail, Docs, Sites, AdWords and Analytics, everything. One catch is that you then need to generate new passwords for any off-site apps that link to your Google account (e.g. the Mail app on your iPhone, or the desktop version of Google Talk), but that’s quick and painless.
You also only need to use the Authenticator once per computer per 30 days, if you know that the PC / Mac / Phone you’re on at the time is safe. That makes life easy and secure; it’s a win-win.
To enable it, log in to gmail and then click the little gear icon at the top right. Click Account Settings, and then click set up 2-step authentication. Google will then walk you through the steps to enable it, and there’s more help available here: http://www.google.com/support/accounts/bin/static.py?page=guide.cs&guide=1056283&topic=1056284
For most people, that’s the end of the tute. You should still be careful about where you type your password, but it’s no longer a big deal if it does get out. Unless you’re using it on something non-Google related, that is.
On the developer front it’s a little trickier, as you will need to generate Authenticator codes (one-off passwords, basically) to use for your API connections. You won’t have to regenerate them each time; you simply make one once. E.g. I have one to connect to Google Docs which I’ve named… Google Docs… which is a randomized 16-character password that’s now attached to my account. I use it as the password in my PHP connector script that writes to a spreadsheet, and it works again. I can then revoke access through the 2-step authentication control panel whenever I want, and not worry about who might have got a copy of my PHP file somehow.