Google is rolling out comprehensive mobile phone based two factor authentication to regular Google accounts ...
Official Google Blog: Advanced sign-in security for your Google account
... If you like, you can always choose a 'Remember verification for this computer for 30 days' option, and you won't need to re-enter a code for another 30 days. You can also set up one-time application-specific passwords to sign in to your account from non-browser based applications that are designed to only ask for a password, and cannot prompt for the code....
Some notes from the help page (emphases mine, square parens my comments)
... Soon after you turn on 2-step verification, non-browser applications and devices that use your Google Account (such as Gmail on your phone or Outlook), will stop working. You'll then have to sign in using your username and a special password you generate for this application...
... If you have an iPhone, iPod or iPad, [3G or later, needs iOS 4] we recommend you use the Google Authenticator application to generate verification codes. The application doesn't require an Internet connection or mobile service to generate verification codes. If you would prefer to receive your verification codes by text message or phone call, follow the directions for Text or voice message below....
... Adding a backup number ensures you can receive a verification code to sign in even if your primary phone isn't available or working. ...
... After you set up your phone to receive verification codes, you will be given 10 backup codes. These backup codes can each be used once to substitute for a verification code. These could be useful whenever you don't have access to your phone (for example, while you are traveling)...
... If you've lost access to your phones, you can always sign in using one of your printed backup codes [and then turn off two factor authentication?], which you generated when you first turned on 2-step verification. If you've lost your phones and don't have your backup codes, you'll need to fill out an account recovery form...
... An application-specific password [revocable] is similar to a verification code in that you don't have to memorize it. However, application-specific passwords are longer than verification codes and you do not enter them into web browsers. In addition, you do not get application-specific passwords from your phone -- instead, to generate an application-specific password...
Visit the Authorizing applications & sites page (pictured below) under your Google Account settings...
Soon it will be safe to use my Google services on untrusted (keystroke logger possible) machines -- like my office XP box. I'll configure my trusted machines to remember verification. My iPhone will run an RSA-token-like authentication code generator. I will keep at least one backup code in my wallet - albeit in a permuted form.
Of course I will wait several weeks before I switch over. I'm no fool. I'll let the brave and inexperienced take the arrows of early adoption.
The traditional password isn't quite dead yet, but it has one (rotted) foot in the grave.
Thanks Google. Special credit for making Google-authenticator open source and standards based ...
The Google Authenticator project includes implementations of one-time passcode generators for several mobile platforms, as well as a pluggable authentication module (PAM). One-time passcodes are generated using open standards developed by the Initiative for Open Authentication (OATH) (which is unrelated to OAuth).
These implementations support the HMAC-Based One-time Password (HOTP) algorithm specified in RFC 4226 and the Time-based One-time Password (TOTP) algorithm currently in draft.
See also:
- Gordon's Tech: After the Gmail hack - passwords and security
- Gordon's Notes: Thunder in the Cloud: Lessons from my hacked Google Account
- Gordon's Tech: Google hack lessons - where the geek risks are
- Common issues - Accounts Help - managing a lost phone, sign in after losing phone access, multiple accounts, Google Apps admins have special powers, and so on.
- Implementing two factor (4/2011)