Aleksandar Ivanisevic wrote:
> Hm, I'm failing to understand how two-factor auth would prevent
> session/cookie hijacking? Once the attacker is in, he could turn off the
> two-factor auth as easily as he can change the password, couldn't he?

Two-factor auth is controlled from https://www.google.com/accounts/ -- turning it on or off is HTTPS-only. The relevant control cookies are https-only, non-scriptable, IIRC.

Bob Leigh wrote:
> That article says that this feature is only offered for "Google Apps
> Premiere, Education, and Government edition customers". Tom, do you
> know if that's still true, or if it's available to plain ol' Gmail
> users?

If you go to the accounts page (URL above) then in the top right, you have "Personal Settings", starting with "Security". If you can see "Change 2-step verification" then you have it. Click to turn it on. [Nothing secret there; anyone who is in Google Apps P/E/G already can see that.]

You might also want to read a post from Matt Cutts (on his personal blog):
http://www.mattcutts.com/blog/google-two-factor-authentication/

[I know that it has been publicly announced that it's coming to consumers; I can't find an official reference which I can cite to say more than that.]

Tracy Reed wrote:
> Two-factor auth is indeed great and I am all in favor of adding more hoops for
> an attacker to jump through. Don't forget that now we need to worry about the
> security of the mobile phones on which we intend to receive the authentication
> messages: [ url for intercepting SMS ]

Per the http://googleenterprise.blogspot.com/2010/09/more-secure-cloud-for-millions-of.html post, there are apps for Android, iPhone and Blackberry. You can use those as code generators, instead of receiving an SMS, and choose to click on the send-an-SMS link (I forget the text) if the app is broken.

Bear in mind that the code generation is time-based, so if you're using the app, you do need to have time syncing turned on for the device, so we're back in very familiar sysadmin territory here. ;-)

Different mobile phones have different security models. With Android, each app gets a distinct Unix uid and root access is normally limited. So an app which wants to intercept data has to jump through more security-exploit hoops than on platforms where this is not the case. For SMSs, there are APIs to let applications receive incoming SMSs (which you get prompted for, as part of the security model, at install time), but the authenticator app does not provide such a service, so getting to the codes involves a stronger break.

-Phil

_______________________________________________
Tech mailing list
[email protected]
http://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
