Regardless of how you say it works, I can bypass it every time it would seem. Again, by using the method in my original post. It's likely you have a bug if this isn't the functionality you're after.
I appreciate the statistics but they mean little to me. Thank you for taking the time to respond. I hope my suggestions and findings will assist you in correcting these issues On May 17, 2012 5:51 AM, "Mike Hearn" <[email protected]> wrote: > I understand your concerns, however they are not valid. You can be > assured of the following: > > 1) We do not see this system as a replacement for passwords. If we > block a login the user is notified and asked if it was them, if it > wasn't we ask them to pick a new password. In very high confidence > cases we will immediately force the user to choose a new password, > because passwords are still the first line of defense. > > 2) We do not see this system as a replacement for 2-factor > authentication. However the reality is that the vast majority of our > users do not use 2-factor authentication and this is unlikely to > change any time soon. 2SV imposes a significant extra burden on the > user such that despite heavy promotion many users refuse to sign up, > and of those that do, many choose to unenroll shortly afterwards. > Therefore we also provide this always-on best effort system as well. > > 3) In fact it is very effective at stopping the large, botnet driven > types of attacks we see on a daily basis and so saying it doesn't add > any security is wrong. Since going live the system has successfully > defended tens of millions of users who have a compromised password. A > single unrepresentative data point based on one account isn't enough > for you to judge the utility of the system, whereas we can clearly see > the stopped campaigns (and drop in number of attempts). > > That said, if you have friends and relatives who use Google and you'd > like to to make them more secure, by all means encourage them to set > up two-factor authentication. >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
