It's a fair point though. At some point you're putting too much of a barrier on everything. You can have security and convenience at the same time, we just haven't done it yet.
However, I have 2FA turned on with GMail and I authenticate basically once, then it remembers my PC and I don't have to authenticate again for a long time.
Actually, I was recently pointed at Joyent's node-http-signature[1], which is pretty clever. It can sign an HTTP request using one's SSH keys. Handy for a CLI client for a HTTP API.
I've done a couple of HTTP auth schemes for my dayjob and am thinking of using something like this for my next.
As long as we need to depend on JavaScript for crypto, there will not be a secure way to do such things. I'm saying this because you cannot safely assume the integrity of your crypto system to be intact if you have to download it with the page it's used on. That's about the same as always having to download your SSH client first from the server you are connecting to. Someone could tinker with that download and give you something that uses the attacker as a proxy to connect to your server of choice, and while you notice nothing, that malware would upload your private key. The same thing could happen when you use some sort of crypto implemented in JavaScript.
Let's talk about this when someone has made it possible to have a website instruct the browser to make a call to a crypto library or some such.
Indeed; more generally, I said CLI. TLDR of the previous link: it's an interesting general-purpose take on using ssh public/private keys (and methods) to sign and authenticate HTTP requests.
With two-factor authentication you are happily providing gmail with your phone number. They say they need this to send you a verification code when you log into your gmail account. Then they say:
"During sign-in, you can tell us not to ask for a code again on that particular computer."
Well, if that's the trick, they don't need your phone number at all; they can do IP and OS checks anyway.
I have a couple of old legacy gmail accounts I don't use any more but still keep active, so I have 2FA on them, but anything important goes to my own mail server.
>Probably to prevent an attacker from stealing your account, but not to stop them from reading your emails.
Since nothing important goes to them any more and I mainly keep them active to stop them getting squatted for some highly intermittent email (3+ yrs) I might have forgotten, it doesn't matter much there. As it is, the main attacker where Gmail is concerned is Google itself, followed by the NSA.
As for other people with gmail accounts, yes, but I'm aware of when that happens and wouldn't email anything sensitive to any gmail(hotmail,yahoo,etc.) account.
The problem is that, as a security solution, having your own mail server and being careful about who you send emails to doesn't scale and it's not feasible in the general case. If you're worried about Google/NSA/spies as the main attackers, I'm not sure hosting your email is the best solution. Yes, it works if you never send email to anyone with Gmail, Yahoo, Hotmail, etc. But that will prevent most normal uses of email. And if you do send email to regular people, then someone, somewhere, will read your emails; that's what they are for after all. And then the privacy of your email is as good as the security measures your recipient has in place.
Same with 2FA: it's a security measure to make it difficult for an attacker to gain access to your account, and one all of us should use, but it's not there to prevent them from reading your emails.
Maybe the overall solution is "don't use email -- self-hosted or otherwise -- for anything sensitive, ever." This will probably work, but is not feasible for most of us.
I'm not sure exactly what point you're trying to make, but you seem confused about how 2FA works.
The goal of 2FA/MFA is to make you demonstrate that you're in possession of two independent secrets (authentication factors). Once you've shown that, it's considered safe enough to replace the second secret (OTP sent to your phone or generated by your TOTP app like Google Authenticator) with a cookie (the check is not IP-based). Typically the cookie only lasts for 30 or 60 days.
If what you're concerned about is the idea that Google knows your phone number, you can use Google Authenticator or another TOTP app instead.
I do have an OSS client, but the very first step to enable Gmail's 2FA is to give your phone number.
I agree that there are good reasons for asking that, but the comment above apparently raises a good point, namely, that you apparently cannot enable 2FA without giving Google your phone number.
My gmail(and aws and dropbox and digital ocean and github and zoho and ...) TFA uses a TOTP app, not my phone number. (and works just fine on my iPad - which doesn't really have a phone number - at least not one I know or worry about...)
Also, according to the three biggest telcos where I live:
> Well, if that's the trick, they don't need your phone number at all; they can do IP and OS checks anyway.
Although that wouldn't be 2FA, it's worth noting that Facebook, Hotmail and Flickr will ask for some extra verification if you connect from a different country than usual. So that's probably not a bad idea.
> With two-factor authentication you are happily providing gmail with your phone number.
Which I also provide to Google because all of my phone numbers are forwarding numbers for my GVoice account, so that's not a big deal.
> They say they need this to send you a verification code when you log into your gmail account.
Sure.
> Well, if that's the trick, they don't need your phone number at all; they can do IP and OS checks anyway.
How can they determine it's valid without the second factor the first time you log on from a particular device? That's a key feature of 2FA (plus, if you ever use a shared computer, you don't want to choose the option to never ask for a code again on that computer!)
- Google: https://www.google.com/landing/2step/
- Github: https://github.com/settings/security
- AWS: http://aws.amazon.com/mfa/virtual_mfa_applications
- Facebook: https://www.facebook.com/settings?tab=security
- Twitter: https://twitter.com/settings/security
- Dropbox: https://www.dropbox.com/account/security
- Lastpass: http://helpdesk.lastpass.com/security-options/google-authent...
- More: https://twofactorauth.org/