Help me secure my Google account

canderson

Fomenting voting confusion and angst since 2016
SoSH Member
Jul 16, 2005
25,444
Harrisburg, Pa.
I have a very - very - easy and common name as my Gmail address. I get at least 10 wrong emails daily - not counting the thousands I have marked as spam or whatever from newsletters and sales emails people signed up for.

I had to do the + xxxxx trick for my Apple ID because I was locked out of my account weekly due to people not knowing their own address.

I have 2FA turned on it but was curious if there is anything further that’s easy to do to help potential future hacks (nefarious or just an idiot not knowing their address)? Today’s Twitter shenanigans prompted this thought, fwiw.
 

milfordsoxfan

Well-Known Member
Gold Supporter
SoSH Member
Jan 26, 2006
336
Connecticut
Google (and a lot of other companies) sell U2F security keys. I looked into it for a bit, but it seems like more hassle than it is worth (to me). All of the keys that I researched also had kind of mixed reviews, including the one that Google sells that I linked. Supposedly it is a step above 2FA. I'm sure plenty of the tech folks here would know more than I. My IT guy ultimately dissuaded me from it for reasons I don't recall.

I have to use one of those random number generator keys at work. This specific one is RSA SecurID brand. I don't know if you could adapt it for personal use, would probably take some doing. Banks use them for big lines of credit, so I imagine they are pretty secure.
 

canderson

Fomenting voting confusion and angst since 2016
SoSH Member
Jul 16, 2005
25,444
Harrisburg, Pa.
Google (and a lot of other companies) sell U2F security keys. I looked into it for a bit, but it seems like more hassle than it is worth (to me). All of the keys that I researched also had kind of mixed reviews, including the one that Google sells that I linked. Supposedly it is a step above 2FA. I'm sure plenty of the tech folks here would know more than I. My IT guy ultimately dissuaded me from it for reasons I don't recall.

I have to use one of those random number generator keys at work. This specific one is RSA SecurID brand. I don't know if you could adapt it for personal use, would probably take some doing. Banks use them for big lines of credit, so I imagine they are pretty secure.
Ya I’ve had the same feelings about the keys - more hassle than it’s worth. We have so many experts here I figured maybe someone has a better solution.
 

canderson

Fomenting voting confusion and angst since 2016
SoSH Member
Jul 16, 2005
25,444
Harrisburg, Pa.
I use Google Authenticator for my 2FA - if you're using smartphone SMS, consider changing over to an app at least if you don't want a hardware key.

Two dumb questions:

1) can one app work for different sites (Google, Twitter, Vanguard, etc)
2) What happens if the app isn’t supported by future iOS updates or the phone dies and your account is lost?
 

saintnick912

GINO!
Lifetime Member
SoSH Member
Oct 30, 2004
4,379
Somerville, MA
Two dumb questions:

1) can one app work for different sites (Google, Twitter, Vanguard, etc)
2) What happens if the app isn’t supported by future iOS updates or the phone dies and your account is lost?
Look into an app like Authy (there are other similar ones I'm forgetting, LastPass might make one). It will let you sync your 2FA sequences to a backup device using information only known to you.

I have the hardware keys for work and the track record is remarkably good in our org but I haven't set it up on my own yet.
 

cgori

Member
SoSH Member
Oct 2, 2004
2,627
SF, CA
Two dumb questions:

1) can one app work for different sites (Google, Twitter, Vanguard, etc)
2) What happens if the app isn’t supported by future iOS updates or the phone dies and your account is lost?
1) yes, if they support this kind of authenticator. I use this for a half dozen sites now, it's quite nice. And it's way better than SMS 2-factor.

2) there are other versions (it's a standard protocol, TOTP/HOTP, that is implemented by this app. But Microsoft also makes an Authenticator app, and I think 1Password can do it inside the app now). I wouldn't be super-worried about it not being supported by future iOS updates - there will always be some way to run TOTP/HOTP on your iPhone. The second half is the better question - if your phone dies, you need to re-enroll the new phone on each site. How difficult that is depends on how the specific site handles it, but in theory it should not be hard.

The key tokens are even better, maybe look into the yubikey ones (I'm not sure what the hassles were, but they have some that work with Lightning + USB-C which should get you most everywhere). The google TitanKey for bluetooth is pretty nice too. All of this stuff is better than SMS 2-factor, which I would ditch everywhere if I could, but I can't.

The RSA SecurID tokens are an interesting thing. They actually got hacked about 10 years ago. I also know of certain kinds of attacks that they were vulnerable to (maybe not now) - one of my fellow researchers hacked one and ran around the office saying something like "the next number will be 777342" ... and it was. But that depends on a lot of expertise that generally I don't worry about.
 

Joe Sixpack

Well-Known Member
Lifetime Member
SoSH Member
Sep 9, 2002
4,479
Mansfield, MA
Authy is a good one because of the backup feature. One thing I only recently discovered (wish I'd known sooner) is that they are all compatible so if a site says you can use Google Authenticator, you can just scan the barcode in Authy instead.

When you set them up you have to save backup codes somewhere safe (I store mine in cloud storage) - if you have Google Authenticator and you lose your phone you are fucked without the backup codes. If you use Authy you can store a backup which is easier to restore (as someone mentioned above).

Good overview explaining some of these options here:

 

canderson

Fomenting voting confusion and angst since 2016
SoSH Member
Jul 16, 2005
25,444
Harrisburg, Pa.
Thanks, all! I’m torn between Authy or a YubiKey NFC key. I don't want to have to carry around a key so leaning toward the app, though in general I like the key idea a bit better.
 

Reggie's Racquet

Member
SoSH Member
Aug 1, 2009
5,594
Texas/Montana
Anyone have experience with the 1Password application for this they talk about in the Wired article?
We use 1Password for our passwords so it would be nice to have a one stop one app solution.
 

cgori

Member
SoSH Member
Oct 2, 2004
2,627
SF, CA
Anyone have experience with the 1Password application for this they talk about in the Wired article?
We use 1Password for our passwords so it would be nice to have a one stop one app solution.

I use 1Password and just found out (because of this thread) that it can do TOTP 2FA, so I might move things over. Those instructions look basically identical to enrolling the Google Authenticator app, honestly.
 

canderson

Fomenting voting confusion and angst since 2016
SoSH Member
Jul 16, 2005
25,444
Harrisburg, Pa.
Oh wow. This would be perfect and probably get me to actually pay for a 1Password membership (I use it via Dropbox for free now).
 

FL4WL3SS

Member
SoSH Member
Jul 31, 2006
11,417
Andy Brickley's potty mouth
You did print the 10 codes to carry around in your wallet, right?
Wow this thread is timely.

I was on vacation last week and dropped my phone in the pool. My Google account was 2FA into the broken phone, my backup email was 2FA into the same phone. Obviously text messages didn't work and all of my backup stuff required me to sign into my Google account. To make matters worse I have Google Fi with a downloaded SIM, so when I bought a new phone, I couldn't set it up.

I effectively thought I was screwed, my only saving grace was that I was still signed into my email on my work computer. I immediately downloaded my codes and changed some of my backup sources. I'll also be changing from a text based backup to the authenticator app.

TL;DR: don't lose or break your phone.
 

FL4WL3SS

Member
SoSH Member
Jul 31, 2006
11,417
Andy Brickley's potty mouth
Oh yeah forgot to add, when I logged into LastPass they didn't recognize the device I was logging in with and sent an email to the account I couldn't get into.

This all happened on Thursday and we didn't get back until Tuesday. It was a stressful 5 days.