Gmail just got a huge boost in terms of security that puts it at par with banks that do secure online banking — via two-factor authentication (2FA).
Currently, Gmail is secure enough with its recent implementation of using HTTPS whenever its users have their email sessions (i.e., the passwords are encrypted). The problem is, a username-password combination can still be acquired by malicious entities thanks to users’ lack of awareness that their supposed email site being accessed is in fact, just a fake replica of the real thing. Phishing, in short.
Online banking is just the same — to be able to access one’s bank accounts, s/he will have to prove his/her identity by providing a username and password combination. So does this mean the same risk is posed for online banking clients? Absolutely.
Tokens are “what you have”. These tiny gadgets generally spew out randomly-generated numbers every so often. For online banking sites, after the username and password are entered (and correctly authenticated), the site will direct the user to enter the currently-displayed number on the device. The site has a way to know if the entered number is the correct one, so if the numbers match with the site, then access is granted to the user.
This means, if for some reason, your username and password have been determined by someone else, they still will not be able to gain access to your resources since they don’t have the token with them. It’s with you. They can chuck out random numbers at the site, but with the [usually] six-digit numbers changing every minute or so, the likelihood of them hitting a jackpot is almost nil.
Going back to Gmail, their solution is simple: Via text messaging. This simple technology places everyone on equal footing, as even the most archaic Nokia 5110 supports SMS. Enabling 2FA on your Gmail will require you (at least) a mobile phone that supports SMS, then a mobile number will have to be provided. When setup is complete, the next time you log on to Gmail, you might receive something like this on your phone, within seconds:
…And it’s for free! I haven’t noticed any charge whenever I tried it, so far. And the nice thing is, I don’t even have to coordinate with my local telco. As long as the country and/or telco is supported, there won’t be any problem.
It might be a bit cumbersome to have your mobile phone ready every time you logon to your email account; this feature can be disabled anytime, but at least we have an option if and when we choose to be “paranoid” about these things. Losing your account (and possibly, the consequences that could follow) might be enough for us to consider using these options.