Re: [Evolution] "Error occurred while sending" after enabling Google 2-step authentication [with solution]

On Wed, 2014-06-04 at 11:51 +0100, G.W. Haywood wrote:
> Hi there,
>
> On Wed, 4 Jun 2014, Nick Jenkins wrote:
>
> > ... I recently turned on Google 2-step authentication
> > ... (i.e. something you know + something you have).
> > you can mark a browser as trusted after the first successful
> > login, and thereafter you only need your password ...
>
> Can you explain how the first part ("something you know + something
> you have") is not defeated by the last part?  Can the attacker not
> simply impersonate your browser having first sniffed your password?
> (And why involve a browser anyway?  You did mean 'browser'?)

The 2-step process uses an out-of-band channel (by default an SMS
message) for the first authentication and leaves a token on your local
machine. If the attacker can't penetrate your machine then he can't
impersonate you (and if he can penetrate your machine then all bets are
off anyway). Once the setup is complete then simply knowing your
password is not enough.

The (slight) downside is that you have to repeat the setup once on each
machine and client program that needs access. All the tokens are of
course different.
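
An added illustration, not part of the original message and not Google's implementation: a simplified model of the scheme described in the reply above, where an out-of-band code is needed once per device and leaves a distinct token on that machine. The class, method names and sample values are all constructed for this example.

```python
import hashlib
import hmac
import secrets

class Account:
    """Constructed model: password plus per-device trust tokens."""
    def __init__(self, password):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = self._kdf(password)
        self.pending_code = None
        self.device_tokens = {}  # device name -> SHA-256 of its token

    def _kdf(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def _password_ok(self, password):
        return hmac.compare_digest(self._kdf(password), self.pw_hash)

    def send_code(self):
        """Stands in for the out-of-band channel (e.g. an SMS message)."""
        self.pending_code = f"{secrets.randbelow(10**6):06d}"
        return self.pending_code

    def enroll_device(self, device, password, code):
        """First login on a device: password plus the out-of-band code."""
        if not self._password_ok(password) or self.pending_code is None:
            return None
        if not hmac.compare_digest(code, self.pending_code):
            return None
        self.pending_code = None           # each code is single-use
        token = secrets.token_urlsafe(32)  # different for every device
        self.device_tokens[device] = hashlib.sha256(token.encode()).digest()
        return token                       # kept on that machine only

    def login(self, password, token=None):
        """Later logins: password plus the token left on the machine."""
        if not self._password_ok(password) or token is None:
            return False
        digest = hashlib.sha256(token.encode()).digest()
        return any(hmac.compare_digest(digest, d)
                   for d in self.device_tokens.values())

    def revoke(self, device):
        """Drop one device's trust without touching the others."""
        self.device_tokens.pop(device, None)
```
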


