Mat Honan wrote a long, four-page article for Wired about how his digital life was “destroyed” by hackers, partially blaming himself for not implementing Google’s two-factor authentication. The story, which is currently the top story on Techmeme, is not a bad plug for Gmail at a time when Google’s competitors are launching updates to their respective email products.
It may be four pages long, but the first two paragraphs of Honan’s piece sum of the situation pretty well:
In the space of one hour, my entire digital life was destroyed. First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook.
In many ways, this was all my fault. My accounts were daisy-chained together. Getting into Amazon let my hackers get into my Apple ID account, which helped them get into Gmail, which gave them access to Twitter. Had I used two-factor authentication for my Google account, it’s possible that none of this would have happened, because their ultimate goal was always to take over my Twitter account and wreak havoc. Lulz.
Google made the two-step verification feature available to all users in February of last year, after launching it for Google Apps accounts a few months prior.
“It’s an extra step, but it’s one that significantly improves the security of your Google Account because it requires the powerful combination of both something you know—your username and password—and something that only you should have—your phone,” explained product manager Nishit Shah, at the time. “A hacker would need access to both of these factors to gain access to your account. If you like, you can always choose a ‘Remember verification for this computer for 30 days’ option, and you won’t need to re-enter a code for another 30 days. You can also set up one-time application-specific passwords to sign in to your account from non-browser based applications that are designed to only ask for a password, and cannot prompt for the code.”
Google’s Matt Cutts took the opportunity to caution Google users to “please turn on two-factor authentication” and read Honan’s “heartbreaking tale”. He shares the following video, and lists some myths about the two-factor authentication feature.
Here are the myths Cutts aims to dispel, as listed on his blog:
Myth #1: But what if my cell phone doesn’t have SMS/signal, or I’m in a foreign country?
Reality: You can install a standalone app called Google Authenticator (it’s also available in the App Store), so your cell phone doesn’t need a signal.Myth #2: Okay, but what about if my cell phone runs out of power, or my phone is stolen?
Reality: You can print out a small piece of paper with 10 one-time rescue codes and put that in your wallet. Use those one-time codes to log in even without your phone.Myth #3: Don’t I have to fiddle with an extra PIN every time I log in?
Reality: You can tell Google to trust your computer for 30 days and sometimes even longer.Myth #4: I heard two-factor authentication doesn’t work with POP and IMAP?
Reality: You can still use two-factor authentication even with POP and IMAP. You create a special “application-specific password” that your mail client can use instead of your regular password. You can revoke application-specific passwords at any time.Myth #5: Okay, but what if I want to verify how secure Google Authenticator is?
Reality: Google Authenticator is free, open-source, and based on open standards.Myth #6: So Google Authenticator is a free and open-source, but does anyone else use it?
Reality: Yes! You can use Google Authenticator to do two-factor authentication with LastPass, Amazon Web Services, Drupal, and DreamHost, or even use a YubiKey device.
Google provides a step-by-step guide to setting up two-step verification here.