Few devices know more personal details about people than the smartphones in their pockets: phone numbers, current location, often the owner's real name—even a unique ID number that can never be changed or turned off.
September 20, 2010 11:47am easysecured
"At the time a user logs into Google Apps, Google sends an additional code to the phone, which the user is required to enter to log in."
...the user is required to enter to log in... this means what the user enters can be captured by a key logger... even the second code.
"If a user is out of range of a mobile data network, the app can also auto-generate a password."
...I am confused here... auto-generate a password? Or a PIN? Maybe it means the second code is auto-generated if the cellphone is out of network. Otherwise the user receives an SMS containing the auto-generated code.
Either way, it won't be difficult to sniff both the password and the manual/auto-generated code before it is sent for authentication. And this is similar to the one-time password that banks use, using a security token which auto-generates the one-time password. This has its flaws because there is a time gap for the user to receive the code and enter it before it is sent for authentication. This time gap has been exploited by hackers.
"You can also indicate when you're using a computer you trust and don't want to be asked for a verification code from that machine in the future."
How does Google Apps know this? Most probably it uses a cookie to store information on the device. But yes, iPhone and BlackBerry offer to generate a unique ID for their devices, so they might be using that to log the device as trusted.
If they are doing this, they will be storing the user's unique device ID in the server data (Apple and BlackBerry already do that), and that is another security issue.
I am not sure what Google has offered today is in conflict with our IP and I may have to refer this to our patent attorney.
MyCloudKey is a different solution using a cellphone, nothing similar to what Google is offering, and I would agree that the Google solution is more secure; as you rightly mentioned, it is well integrated with the app.
How does Google find out if the
I recently suffered through a Facebook hack and let me tell you, it is annoying as hell. I have no idea what I did or what I clicked on that compromised my account, but somehow it was. It only took a few days to get my access back and the process was more tedious than difficult, but I still haven't recovered from it (fears of hackers still haunt my dreams). So let's just say I am more than happy to read that Facebook has implemented this security feature. This Mashable article does a great job of explaining the feature and how to set it up, as well as additional tips and tricks about how it works.
Read more about it: http://bit.ly/a8SgJH