




How to Boost your Gmail Security

8th August, 2018 | Cyberprivacy | Entropic



Over the years, Google has continued to evolve the ways they can help improve the level of sign-in security for their users.

Their 2-Step Verification feature, a type of two-factor authentication (2FA), now offers several different methods, and Google has additionally decided to start producing its own security key.

With these recent events, we thought it would be a good time to review the options, and provide an overview of what methods are currently available to secure your Google account.

Enabling 2-Step Verification can significantly boost the security of your Gmail and Google account by requiring a second piece of information or action before allowing you to sign in. It should be noted that this feature does not eliminate the need to maintain your password. This is something that you'll need to continue to regularly change, record, and remember.

Regardless of the method you choose, implementing some form of 2-Step Verification is a critical step to enhancing your security on Google. You may have already been coaxed into setting up one of their existing methods of 2FA, which is good. Since the method you enabled may not be the most secure, it's also good to know about all of the other options available, including their pros and cons.

Below we have listed, from best to worst (in terms of security, not convenience), the options that Google provides as part of its 2-Step Verification feature for increasing the security of your Google account. Please note also that the methods described below are subject to change over time as Google adapts its security.

The sign-in security options provided by Google


OPTION 1:
PHYSICAL SECURITY KEY

You'll sign into your Gmail with a username/password, and then use an additional physical security key that you either insert into your USB port or hold near a Bluetooth LE or Near Field Communication (NFC) capable device, such as your smartphone.

Google sign-in using a security key


SECURITY: Best Available


SETUP: Difficult


PROS


CONS



OPTION 2:
APPROVAL BASED SIGN-IN
(VIA GOOGLE APP)

You'll sign into your Gmail with a username/password, and then approve a request that is sent to one of your registered devices, such as your smartphone.

Google sign-in screen


SECURITY: Moderate


SETUP: Slightly Inconvenient


PROS

  • Provides an additional layer of security, beyond using a simple username/password.

  • Simply press a button to approve sign in, instead of having to enter a code.

CONS

  • Needs additional setup, including the installation and setup of the Google App from where you will approve sign-ins.

  • Vulnerable to phishing attacks, such as those launched from fake security apps.



OPTION 3:
ONE TIME PASSCODE
(VIA AUTHENTICATOR APP)

You'll sign into your Gmail with a username/password, and then enter an additional code that is generated by a special authenticator app on another device, such as your smartphone.

Google Authenticator


SECURITY: Moderate


SETUP: Inconvenient


PROS

  • Provides an additional layer of security, beyond using a simple username/password.

CONS



OPTION 4:
ONE TIME PASSCODE
(VIA SMS OR VOICE CALL)

You'll sign into your Gmail with a username/password, and then enter an additional code that is sent to your smartphone via SMS, or an automated voice call.

Google SMS Authentication


SECURITY: Low


SETUP: Easy


PROS

  • Provides an additional layer of security, beyond using a simple username/password.

  • Provides the most user-friendly setup process out of all of Google's 2-Step Verification options.

CONS

  • Needs additional configuration.

  • You'll need to type in an additional code every time you sign in.

  • You'll need cellular coverage in the area where you are signing in.

  • Vulnerable to SIM swapping (phone SIM card hijacking).

  • Vulnerable to phishing attacks.

  • Vulnerable to trojanized security apps, including banking trojans.



OPTION 5:
USERNAME & PASSWORD ONLY
(NO 2FA)

You'll sign in to your Gmail with only a username and password.

Google sign-in screen


SECURITY: Worst Possible


SETUP: Easiest


PROS

  • You only need to remember one password.

  • No need for additional codes, apps and security keys.

CONS


How to Enable

To enable 2-Step Verification, go to Google MyAccount, and select Signing in to Google. On the right side, scroll down and select 2-Step Verification.

Features to Avoid

For all types of 2-Step Verification offered by Google, there are convenience features that tend to undermine the original purpose of 2-factor authentication. So if possible, try to avoid depending on them too much, or at least be vigilant about how you use them.

Some examples are:

  1. The ability to download and print backup codes that allow you to sign in from devices, in cases where you can't use 2-Step Verification.

    Possible Risks: After printing, you might forget that you left a copy of these codes in your Downloads folder, they might be lying around in your trash after you deleted them, or the printed codes might be intercepted in your baggage while you travel, and so forth.

  2. Using the "Don't Ask Again on this Computer" checkbox, which defaults to ON.

    Possible Risks: If your device is stolen and the attacker has access to it, they also can immediately access your information on Google.

Regular Review

On a regular basis, you should check the following on your Google account:

  1. Regularly review the Recently Used Devices that you have authorized to access your Google account to see if there are any devices you don't recognize.

  2. Regularly review the Recent Security Events on your Google account to see if there are any questionable events, such as sign-ins from places you don't recognize.

  3. Regularly review and revoke all the Devices you Trust when signing in to Google. You can find this in your Google Account Settings, Signing in to Google, 2-Step Verification.

As a final note, despite Google's efforts to secure their services, which include the array of sign-in security options they provide, the single biggest vulnerability of those services is that they centralize the storage of their users' information in one place.

This means that regardless of the blocking techniques used to stop entry into their fortresses, once access is gained, everything becomes available. This characteristic of Google and other services that centralize information makes them a very high-value target for cybercriminals and nation states, who will, over time, unwaveringly continue to attempt to gain unauthorized access to the information of individuals and companies that is hosted in Google's data centers.

Panwrypter

Panwrypter is an App that is designed from the ground up specifically for decentralizing the storage of sensitive documents and files, protecting them from unauthorized access over time, including data breaches, cyber-theft, unauthorized physical access, or simply losing or forgetting about the existence of your files.

Being designed specifically for decentralized protection, Panwrypter is loaded with options that can help provide you with the best possible protection while respecting your existing storage habits, which might include apps such as Google Drive.

Specifically, it can help you to define a decentralized approach to protecting your documents & files, based on your lifestyle, while helping you to continue to use your existing storage media and services - the ones that you are already comfortable with.

In addition, Panwrypter can help you recover your files in the event that one or more of your protected volumes is damaged, control where your files can be physically restored from, and help you to safely remember the details of your storage sites when you need to access your files at a later time.

Learn more about Panwrypter, or download it from the Mac App Store.

Conclusion

In the future, the use of Ethereum and decentralized apps (Dapps) along with decentralized storage systems will help us mitigate the problems associated with the way we currently centralize applications and information. This will empower better approaches to disclosing and monitoring your personal information. A good overview of Ethereum and Dapps is discussed in this article by Alex Moskov, originally posted on CoinCentral.com.

If you have any feedback, questions, or suggestions, please let us know.

Acknowledgements:
Photo by Luis Alfonso Orellana on Unsplash