The two-step verification used by Google is based on the TOTP protocol [1] which is the open standard for this sort of thing.
To answer your questions, Amin:

1. Tokens last 60 seconds according to the TOTP standard.
2. Your journalist friends would be very well-advised to use an app [2] instead of SMS codes. By using an authenticator app, they will be able to obtain codes without using SMS and even with their phone completely not connected to a network.

[1] http://tools.ietf.org/html/rfc6238
[2] https://support.google.com/accounts/answer/1066447?hl=en

On Wed, Aug 27, 2014 at 11:29 AM, Amin Sabeti <[email protected]> wrote:
> Hi,
>
> Recently, a bunch of Iranian journalists/activists have been targeted by
> Iranian hackers.
>
> Some of them said their 2-step verification was active during the attack
> but the hacker could reuse the code that was sent by Google via SMS and passed
> 2-step verification!
>
> I was wondering if some folks here know the validation time for the
> 2-step verification code that users receive through SMS, not the app.
>
> Cheers,
>
> Amin
>
> --
> Liberationtech is public & archives are searchable on Google. Violations
> of list guidelines will get you moderated:
> https://mailman.stanford.edu/mailman/listinfo/liberationtech.
> Unsubscribe, change to digest, or change password by emailing moderator at
> [email protected].
