The 2-step verification is currently rolled out to all users. You can check the Account Settings page to see if the “Using 2-step verification” link is already available under Personal Settings > Security.

But what does it do? It basically adds a second login step after the username and password have been entered. It is possible to receive the code via SMS, a call from Google or with a software that gets installed on the phone so that the code can be generated by the user without direct contact to Google. The software is available for Android, BlackBerry or iPhone devices

The code is a unique temporary verification code that needs
to be entered during login.

Once you enable 2-step verification, you’ll see an extra page that prompts you for a code when you sign in to your account. After entering your password, Google will call you with the code, send you an SMS message or give you the choice to generate the code for yourself using a mobile application on your Android, BlackBerry or iPhone device. The choice is up to you. When you enter this code after correctly submitting your password we’ll have a pretty good idea that the person signing in is actually you.

A hacker would need access to both the phone and the Google login information to access the account. While that is still possible under certain circumstances it eliminates many possible attack vectors.

The verification code can be remembered for 30 days on a specific computer so that it only needs to be entered again once the 30 days are over. There is also an option to create a one-time application specific password to sign in from non-browser based applications that do not prompt for the code.

A backup phone and backup codes can be created in case the phone gets destroyed, stolen or lost.

Users need to carry their phone with them if they want to access the Google account. They also need to make sure that the phone is accessible, as it is not possible to log into the account if it is not. (via)

How does this work? Using the IP address you provide to us, our automated system can determine your broad geographic location. If you log in using a remote IP address, our system will flag it for you. So if you normally log into your account from your home in California and then a few hours later your account is logged in from France, you’ll get a notice like the one above at the top of your Dashboard page – alerting you to the change and providing links for more details. [via]

Google has now rolled out the feature to all Google services, and will display suspicious account activity in the Google Dashboard.

This means that they now check the IP address in all Google services and not only Gmail, a useful change that adds to the security of the account.

google dashboard

Two links are provided in the notification message, details opens a small popup with additional information about the account activity listing the location, IP address and date and time. The alert can be ignored or closed in this popup. The other option is to change the Google Account password, an option that is also provided directly in the initial notification message.

The only problem with this service is that most users probably do not access the dashboard regularly, if at all. It would be great if the feature would be activated for all Google services so that the suspicious account activity would be displayed right there. Up until then it might be wise to visit the Google Dashboard regularly to check the account.

At risk are web applications that perform actions based on input from trusted and authenticated users without requiring the user to authorize the specific action. A user who is authenticated by a cookie saved in the user’s web browser could unknowingly send an HTTP request to a site that trusts the user and thereby causes an unwanted action. (source Wikipedia)

Google has (finally) started to implement cross-site request forgery protections to protect Google users and their online services according to an article posted at the Register.

Sometime in the last three days, Google’s login pages began setting a cookie with a unique token on each user’s browser, according to Mike Bailey, a senior researcher for Foreground Security. That same value is also embedded into the login form. If the two don’t match, the user will be unable to log in.

Security experts have criticized Google in the past for not implementing a cross-site request forgery protection. Google engineers were quick to close security vulnerabilities that were caused by this attack type but did not implement a generic protection against these types of attacks.

The reason why this vulnerability is still working in Google Chrome is because Google has been using an older version of Webkit for their browser’s core. First of all, users without Java on their computers are completely safe. Users with Java and Chrome installed should read on.

The problem is serious but requires the user’s action to be triggered. If the user clicks on a specifically prepared download the file downloads and executes itself automatically without further user input.

Security expert Aviv Raff has setup a demo website that demonstrates the vulnerability in Google Chrome. The demonstration page provides a download button which will download and execute a Java file immediately without further user interaction. This demo only opens a notepad application but serious harm could be done with such an exploit.