Advanced sign-in security for your Google account

(Cross-posted on the Gmail Blog)

Has anyone you know ever lost control of an email account and inadvertently sent spam—or worse—to their friends and family? There are plenty of examples (like the classic "Mugged in London" scam) that demonstrate why it's important to take steps to help secure your activities online. Your Gmail account, your photos, your private documents—if you reuse the same password on multiple sites and one of those sites gets hacked, or your password is conned out of you directly through a phishing scam, it can be used to access some of your most closely-held information.

Most of us are used to entrusting our information to a password, but we know that some of you are looking for something stronger. As we announced to our Google Apps customers a few months ago, we've developed an advanced opt-in security feature called 2-step verification that makes your Google Account significantly more secure by helping to verify that you're the real owner of your account. Now it's time to offer the same advanced protection to all of our users.

2-step verification requires two independent factors for authentication, much like you might see on your banking website: your password, plus a code obtained using your phone. Over the next few days, you'll see a new link on your Account Settings page that looks like this:


Take your time to carefully set up 2-step verification—we expect it may take up to 15 minutes to enroll. A user-friendly set-up wizard will guide you through the process, including setting up a backup phone and creating backup codes in case you lose access to your primary phone. Once you enable 2-step verification, you'll see an extra page that prompts you for a code when you sign in to your account. After entering your password, Google will call you with the code, send you an SMS message or give you the choice to generate the code for yourself using a mobile application on your Android, BlackBerry or iPhone device. The choice is up to you. When you enter this code after correctly submitting your password we'll have a pretty good idea that the person signing in is actually you.


It's an extra step, but it's one that significantly improves the security of your Google Account because it requires the powerful combination of both something you know—your username and password—and something that only you should have—your phone. A hacker would need access to both of these factors to gain access to your account. If you like, you can always choose a "Remember verification for this computer for 30 days" option, and you won't need to re-enter a code for another 30 days. You can also set up one-time application-specific passwords to sign in to your account from non-browser-based applications that are designed to only ask for a password and cannot prompt for the code.
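The sign-in flow the two paragraphs above describe (password first, then a phone-generated code or a one-time backup code, a 30-day trusted computer, and application-specific passwords for clients that cannot prompt for a code), as an added example written for this post and not Google's own code. It assumes the phone app computes RFC 6238 TOTP codes (the post only says "a mobile application") and uses a hypothetical `Account` model with constructed values.

```python
import hashlib
import hmac
import secrets
import struct

TOTP_STEP = 30                  # seconds each phone-generated code is valid
REMEMBER_SECONDS = 30 * 86400   # "Remember verification for this computer for 30 days"
PBKDF2_ROUNDS = 50_000


def totp(secret: bytes, at: int, step: int = TOTP_STEP, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password (HMAC-SHA1 over the time-step
    counter). Assumption: this is what the phone app computes; the post only
    says "a mobile application"."""
    msg = struct.pack(">Q", at // step)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def _hash(value: str, salt: bytes) -> bytes:
    # Passwords, backup codes and application-specific passwords are stored hashed.
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, PBKDF2_ROUNDS)


class Account:
    """One account with 2-step verification enabled (hypothetical model)."""

    def __init__(self, password: str):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = _hash(password, self.salt)
        self.totp_secret = secrets.token_bytes(20)  # shared with the phone app at enrollment
        self.backup_hashes = set()    # hashed one-time backup codes
        self.remembered = {}          # device id -> timestamp at which the trust expires
        self.app_passwords = {}       # app name -> hash of its application-specific password

    def issue_backup_codes(self, count: int = 5) -> list:
        """Codes to keep for when the primary phone is lost; shown once, stored hashed."""
        codes = [secrets.token_hex(4) for _ in range(count)]
        self.backup_hashes.update(_hash(c, self.salt) for c in codes)
        return codes

    def sign_in(self, password: str, code, device: str, now: int,
                remember: bool = False) -> str:
        """Returns 'denied', 'code_required' or 'ok'."""
        # Step 1: something you know.
        if not hmac.compare_digest(_hash(password, self.salt), self.pw_hash):
            return "denied"
        # A computer trusted within the last 30 days skips the second step.
        if self.remembered.get(device, 0) > now:
            return "ok"
        if code is None:
            return "code_required"
        # Step 2: something you have. Accept the current code or its neighbours
        # (one step of clock drift); otherwise fall back to a single-use backup code.
        window = [totp(self.totp_secret, now + d) for d in (-TOTP_STEP, 0, TOTP_STEP)]
        if not any(hmac.compare_digest(code.encode(), c.encode()) for c in window):
            h = _hash(code, self.salt)
            if h not in self.backup_hashes:
                return "denied"
            self.backup_hashes.discard(h)  # each backup code works exactly once
        if remember:
            self.remembered[device] = now + REMEMBER_SECONDS
        return "ok"

    def create_app_password(self, app: str) -> str:
        """Random password for a client that can only send a password and cannot
        prompt for a code (for example a desktop mail client)."""
        pw = secrets.token_hex(8)
        self.app_passwords[app] = _hash(pw, self.salt)
        return pw

    def sign_in_app(self, app: str, app_password: str) -> str:
        stored = self.app_passwords.get(app)
        if stored is None or not hmac.compare_digest(_hash(app_password, self.salt), stored):
            return "denied"
        return "ok"


if __name__ == "__main__":
    # Constructed walk-through: enrol, sign in with a phone code, trust the laptop.
    acct = Account("correct horse battery staple")
    now = 1_300_000_000
    print(acct.sign_in("correct horse battery staple", None, "laptop", now))  # code_required
    phone_code = totp(acct.totp_secret, now)
    print(acct.sign_in("correct horse battery staple", phone_code, "laptop", now, remember=True))  # ok
    print(acct.sign_in("correct horse battery staple", None, "laptop", now + 86400))  # ok (remembered)
```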

To learn more about 2-step verification and get started, visit our Help Center. And for more about staying safe online, see our ongoing security blog series or visit http://www.staysafeonline.org/. Be safe!

Update Dec 7, 2011: Updated the screenshots in this post.

National Cyber Security Awareness Month 2010: Stop. Think. Connect.

Governments, industry and everyday people have been abuzz this year about online security to a larger extent than ever before. People are talking about their information, how they share it with others and how they secure it. With more information moving online, and with cyber attacks on the rise, we think it’s important that we keep the conversation about security flowing.

Google has renewed its commitment to security this year and has pushed industry boundaries to help people better protect their information in new ways. Here are just a few examples: We became the first major email provider to offer default HTTPS encryption for the entire email session, and we introduced an encrypted search option for Google.com. We designed a new system to make Google Accounts more secure, and added suspicious activity detection for our users. Google Apps became the first suite of cloud computing applications to receive Federal Information Security Management Act (FISMA) certification from the U.S. government. We also published new security products, tools and research to help web developers and network administrators make the rest of the web more secure.


I sit on the board of the National Cyber Security Alliance (NCSA) to promote work that encourages safer online habits. Together with that organization, the U.S. Department of Homeland Security (DHS) and a host of other companies, Google is taking the month of October to recognize National Cyber Security Awareness Month. As we did in a blog post series last year, we’ll explore simple ways that people can make use of Google’s technologies and tools, as well other freely available resources and advice, to better protect themselves and their information.

We will post links here throughout the month, so be sure to check back often:
  • Remember these tips for safer shopping

Remember, even with so many people and groups focused on creating a safer web experience for everyone, we all have a responsibility to take steps to protect ourselves online. The NCSA recommends that we keep our wits about us and think carefully about our online actions before we take them. In that spirit, we encourage you to: Stop. Think. Connect.


Three million businesses have gone Google: celebrating growth, innovation and security

Today we’re hosting more than 300 CIOs and IT professionals from around the world in Paris at Google Atmosphere, our annual European event dedicated to cloud computing—web-based applications that are built on shared infrastructure and delivered through the browser. This year, the discussion at Atmosphere is focused on how companies can benefit from the breakthroughs in productivity and security that cloud-based applications are uniquely capable of delivering.

This event also marks some major milestones:
  • As of today, more than 3 million businesses have gone Google, and over 30 million users within businesses, schools and organizations now depend on our messaging and collaboration tools.
  • We’re launching new cloud-powered capabilities: two-step verification to help enhance security and soon, mobile editing in Google Docs on Android and the iPad™.

First, Google Apps Premier, Education and Government Edition administrators can now have users sign in with the combination of their password (something they know) and a one-time verification code provided by a mobile phone (something they have). Users can continue to access Google Apps from Internet-connected devices, but with stronger protections to help fend off risks like phishing scams and password reuse. For the first time, we’re making this technology accessible to organizations large and small without the costs and complexities that have historically limited two-step verification to large enterprises with deep pockets. Furthermore, in the coming months, Standard Edition and hundreds of millions of individual Google users will be able to enjoy this feature as well.


Second, today we demonstrated new mobile editing capabilities for Google Docs on the Android platform and the iPad. In the next few weeks, co-workers around the world will be able to co-edit files simultaneously from an even wider array of devices.

Only cloud computing is able to deliver the whole package of productivity-enhancing collaboration, superior reliability and virtually unlimited scale at a price that’s affordable for any size organization. Our Atmosphere event is a nice opportunity to step back and fully appreciate the power of the cloud with customers and future customers alike.

Simpler sign-ups for Yahoo! users with OpenID

How many times have you created a new account at a website and seen a message that said: “Thank you for creating an account. To activate your new account, please access your email and click the verification URL provided.”

Even though you just want to start using the website, this lengthy process requires you to manually perform a whole bunch of steps—including switching to your mailbox, trying to find the message the website sent you (which might be in your Spam folder), opening the message, clicking the link, etc. Until recently, we also required people to follow these steps if they wanted to sign up for a Google Account using their existing email address, such as a @yahoo.com, @hotmail.com, or other address.

To make this process simpler, we’re now using an Internet standard called OpenID which is supported by several email providers, including Yahoo!. Instead of the process above, Yahoo! users who sign up with Google see the page below with a button that sends them to Yahoo! for verification.


Once you click that button, Yahoo! shows you a page to get your consent to share your email address with Google.


After you agree, you’re done and can start using any Google service, such as Google Groups, Docs, Reader, AdWords, etc. We have found that a much larger number of people complete the email verification process when this method is used.

In the future we hope to expand this feature to other email providers, and we also hope other website operators will read more on the Google Code Blog about how they can implement a similar feature.

Search more securely with encrypted Google web search

Update June 25, 2010: Since we introduced our encrypted search option last month, we’ve been listening closely to user feedback. Many users appreciate the capability to perform searches with better protection against snooping from third parties. We’ve also heard about some challenges faced by various school districts, and today, we want to inform you that we’ve moved encrypted search from https://www.google.com to https://encrypted.google.com. The site functions in the same way. For more information on this change, please read on here.

As people spend more time on the Internet, they want greater control over who has access to their online communications. Many Internet services use what are known as Secure Sockets Layer (SSL) connections to encrypt information that travels between your computer and their service. Usually recognized by a web address starting with “https” or a browser lock icon, this technology is regularly used by online banking sites and e-commerce websites. Other sites may also implement SSL in a more limited fashion, for example, to help protect your passwords when you enter your login information.

Years ago Google added SSL encryption to products ranging from Gmail to Google Docs and others, and we continue to enable encryption on more services. Like banking and e-commerce sites, Google’s encryption extends beyond login passwords to the entire service. This session-wide encryption is a significant privacy advantage over systems that only encrypt login pages and credit card information. Early this year, we took an important step forward by making SSL the default setting for all Gmail users. And today we’re gradually rolling out a new choice to search more securely at https://www.google.com.

When you search on https://www.google.com, an encrypted connection is created between your browser and Google. This secured channel helps protect your search terms and your search results pages from being intercepted by a third party on your network. The service includes a modified logo to help indicate that you’re searching using SSL and that you may encounter a somewhat different Google search experience, but as always, remember to check the start of the address bar for “https” and your browser lock indicators:

Today’s release comes with a “beta” label for a few reasons. First, it currently covers only the core Google web search product. To help avoid misunderstanding, when you search using SSL, you won’t see links to offerings like Image Search and Maps that, for the most part, don’t support SSL at this time. Also, since SSL connections require additional time to set up the encryption between your browser and the remote web server, your experience with search over SSL might be slightly slower than your regular Google search experience. What won’t change is that you will still get the same great search results.

A few notes to remember: Google will still maintain search data to improve your search quality and to provide better service. Searching over SSL doesn’t reduce the data sent to Google — it only hides that data from third parties who seek it. And clicking on any of the web results, including Google universal search results for unsupported services like Google Images, could take you out of SSL mode. Our hope is that more websites and services will add support for SSL to help create a better and more consistent experience for you.

We think users will appreciate this new option for searching. It’s a helpful addition to users’ online privacy and security, and we’ll continue to add encryption support for more search offerings. To learn more about using the feature, refer to our help article on search over SSL.

WiFi data collection: An update

Update June 9, 2010:

When we announced three weeks ago that we had mistakenly included code in our software that collected samples of payload data from WiFi networks, we said we would ask a third party to review the software at issue, how it worked, and what data it gathered. That report, by the security consulting firm Stroz Friedberg, is now complete and was sent to the interested data protection authorities today. In short, it confirms that Google did indeed collect and store payload data from unencrypted WiFi networks, but not from networks that were encrypted. You can read the report here. We are continuing to work with the relevant authorities to respond to their questions and concerns.

Update May 17, 2010:

On Friday May 14 the Irish Data Protection Authority asked us to delete the payload data we collected in error in Ireland. We can confirm that all data identified as being from Ireland was deleted over the weekend in the presence of an independent third party. We are reaching out to Data Protection Authorities in the other relevant countries about how to dispose of the remaining data as quickly as possible.


You can read the letter from the independent third party, confirming deletion, here.


[original post]
Nine days ago the data protection authority (DPA) in Hamburg, Germany asked to audit the WiFi data that our Street View cars collect for use in location-based products like Google Maps for mobile, which enables people to find local restaurants or get directions. That request prompted us to re-examine everything we have been collecting, and during our review we discovered that a statement made in a blog post on April 27 was incorrect.

In that blog post, and in a technical note sent to data protection authorities the same day, we said that while Google did collect publicly broadcast SSID information (the WiFi network name) and MAC addresses (the unique number given to a device like a WiFi router) using Street View cars, we did not collect payload data (information sent over the network). But it’s now clear that we have been mistakenly collecting samples of payload data from open (i.e. non-password-protected) WiFi networks, even though we never used that data in any Google products.

However, we will typically have collected only fragments of payload data because: our cars are on the move; someone would need to be using the network as a car passed by; and our in-car WiFi equipment automatically changes channels roughly five times a second. In addition, we did not collect information traveling over secure, password-protected WiFi networks.

So how did this happen? Quite simply, it was a mistake. In 2006 an engineer working on an experimental WiFi project wrote a piece of code that sampled all categories of publicly broadcast WiFi data. A year later, when our mobile team started a project to collect basic WiFi network data like SSID information and MAC addresses using Google’s Street View cars, they included that code in their software—although the project leaders did not want, and had no intention of using, payload data.

As soon as we became aware of this problem, we grounded our Street View cars and segregated the data on our network, which we then disconnected to make it inaccessible. We want to delete this data as soon as possible, and are currently reaching out to regulators in the relevant countries about how to quickly dispose of it.

Maintaining people’s trust is crucial to everything we do, and in this case we fell short. So we will be:
  • Asking a third party to review the software at issue, how it worked and what data it gathered, as well as to confirm that we deleted the data appropriately; and
  • Internally reviewing our procedures to ensure that our controls are sufficiently robust to address these kinds of problems in the future.
In addition, given the concerns raised, we have decided that it’s best to stop our Street View cars collecting WiFi network data entirely.

This incident highlights just how publicly accessible open, non-password-protected WiFi networks are today. Earlier this year, we encrypted Gmail for all our users, and next week we will start offering an encrypted version of Google Search. For other services users can check that pages are encrypted by looking to see whether the URL begins with “https”, rather than just “http”; browsers will generally show a lock icon when the connection is secure. For more information about how to password-protect your network, read this.

The engineering team at Google works hard to earn your trust—and we are acutely aware that we failed badly here. We are profoundly sorry for this error and are determined to learn all the lessons we can from our mistake.

A new approach to China

Like many other well-known organizations, we face cyber attacks of varying degrees on a regular basis. In mid-December, we detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google. However, it soon became clear that what at first appeared to be solely a security incident--albeit a significant one--was something quite different.

First, this attack was not just on Google. As part of our investigation we have discovered that at least twenty other large companies from a wide range of businesses--including the Internet, finance, technology, media and chemical sectors--have been similarly targeted. We are currently in the process of notifying those companies, and we are also working with the relevant U.S. authorities.

Second, we have evidence to suggest that a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists. Based on our investigation to date we believe their attack did not achieve that objective. Only two Gmail accounts appear to have been accessed, and that activity was limited to account information (such as the date the account was created) and subject line, rather than the content of emails themselves.

Third, as part of this investigation but independent of the attack on Google, we have discovered that the accounts of dozens of U.S.-, China- and Europe-based Gmail users who are advocates of human rights in China appear to have been routinely accessed by third parties. These accounts have not been accessed through any security breach at Google, but most likely via phishing scams or malware placed on the users' computers.

We have already used information gained from this attack to make infrastructure and architectural improvements that enhance security for Google and for our users. In terms of individual users, we would advise people to deploy reputable anti-virus and anti-spyware programs on their computers, to install patches for their operating systems and to update their web browsers. Always be cautious when clicking on links appearing in instant messages and emails, or when asked to share personal information like passwords online. You can read more here about our cyber-security recommendations. People wanting to learn more about these kinds of attacks can read this Report to Congress (PDF) by the U.S.-China Economic and Security Review Commission (see p. 163-), as well as a related analysis (PDF) prepared for the Commission, Nart Villeneuve's blog and this presentation on the GhostNet spying incident.

We have taken the unusual step of sharing information about these attacks with a broad audience not just because of the security and human rights implications of what we have unearthed, but also because this information goes to the heart of a much bigger global debate about freedom of speech. In the last two decades, China's economic reform programs and its citizens' entrepreneurial flair have lifted hundreds of millions of Chinese people out of poverty. Indeed, this great nation is at the heart of much economic progress and development in the world today.

We launched Google.cn in January 2006 in the belief that the benefits of increased access to information for people in China and a more open Internet outweighed our discomfort in agreeing to censor some results. At the time we made clear that "we will carefully monitor conditions in China, including new laws and other restrictions on our services. If we determine that we are unable to achieve the objectives outlined we will not hesitate to reconsider our approach to China."

These attacks and the surveillance they have uncovered--combined with the attempts over the past year to further limit free speech on the web--have led us to conclude that we should review the feasibility of our business operations in China. We have decided we are no longer willing to continue censoring our results on Google.cn, and so over the next few weeks we will be discussing with the Chinese government the basis on which we could operate an unfiltered search engine within the law, if at all. We recognize that this may well mean having to shut down Google.cn, and potentially our offices in China.

The decision to review our business operations in China has been incredibly hard, and we know that it will have potentially far-reaching consequences. We want to make clear that this move was driven by our executives in the United States, without the knowledge or involvement of our employees in China who have worked incredibly hard to make Google.cn the success it is today. We are committed to working responsibly to resolve the very difficult issues raised.

Update: Added a link to another referenced report in paragraph 5.

Cutting back on your long list of passwords

Does anyone actually like passwords? Most people can't stand them because they end up having to keep track of a long (and often memorized) list of usernames and passwords to sign into the websites they visit. Website owners hate them because it's hard to get people to create a new account on their website, and almost half of those account registrations are never completed. Thanks to new technology, we're now seeing large-scale success in eliminating the need for passwords while increasing the successful registration rate at websites to over 90%. The most visible examples come from Plaxo, Facebook, Yahoo! and Google using a technique the industry calls hybrid onboarding. In the past, if you're a Gmail user who got an invitation to use Plaxo or Facebook, you were asked to perform the traditional process of creating a new account with yet another password, and then you might also have been asked to provide the password of your email account so Plaxo or Facebook could look up the list of your friends. With hybrid onboarding, if you click on such an invitation in your Gmail, you'll see a page like one of these:


Clicking the large button on the Plaxo page takes you to a page at Google like this:


If you give consent to share a few pieces of information, you are sent back to Plaxo with all key registration steps finished.


The registration process used to involve more than 10 steps, including requiring you to find one of those "email validation" messages in your inbox. If you've followed the steps above, you can now sign into Plaxo more easily — by simply clicking a button.

While Plaxo showed the first successful results of this technique in early 2009, other companies like Facebook are starting to use the same model and to recognize its business value potential. At the same time, the hybrid onboarding model improves authentication security because websites like Plaxo that use this technique never see a password from you at all. Since you don't have to enter your password on additional sites, your password remains closer to you and is less likely to be misused. We'd like to applaud Plaxo and Facebook's work in designing the user experience needed for this technique as well as pushing us to create the optimizations needed to carry out their design. Today we're happy to announce that all of these login flow designs are now available to any website operator. All of these hybrid onboarding techniques are based on industry standards that both Google and Yahoo! support, and that other email providers are beginning to support as well. For more technical details, check out our Google Code Blog post.

Hybrid onboarding is also being used by Enterprise Software-as-a-Service vendors — such as ZoHo — that want to eliminate the need for employees at their customers' businesses to create another password. More details are available on our Enterprise Blog. In addition, after a thorough evaluation of the security and privacy of these technologies, the same techniques are being piloted by President Obama's open identity initiative to enable citizens to sign in more easily to government-operated websites.

There is still a long way to go before you'll be able to trim down your long list of website passwords, but this progress demonstrates the potential for even the largest websites to adopt the hybrid onboarding model. We hope many other websites will follow.

Next steps in cyber security awareness

(Cross-posted from the Public Policy blog)

Last week I joined several industry experts to speak at a cyber security panel on Capitol Hill organized by Congresswoman Yvette Clarke and sponsored by the Committee on Homeland Security. The conversation focused on things everyday Internet users can do to help protect their computers and stay safe online. Given that we just wrapped up our observation of National Cyber Security Awareness Month, I thought I'd share some of the key recommendations from the panel:

What are the most important things we all need to do to protect our computers and mobile devices?
You should have the same expectations when using the Internet as you would when exploring a city: you don't give your credit card to the person selling watches on the street just because you recognize the brand, you don't let your kids wander around by themselves and you don't give personal information unless you know who's getting it. If an offer is "urgent" or seems too good to be true, take a step back and research the offer. Add a password to your mobile phone, and browse cautiously on open WiFi networks as you would when using a computer.

What are the most common misconceptions about cyber security?
Many dangerous websites are not designed to be dangerous. In fact, most of the sites that serve malware (malicious software) are innocent sites that have been compromised in one way or another. Your computer isn't necessarily safe just because you're avoiding sites that contain adult content or pirated software. Use reputable anti-virus and anti-spyware programs, and keep your computer operating system and applications updated with the latest software versions.

How do I know if my computer or network has been compromised?
First, disconnect it from the Internet. Take note of any slowness, and if you're not sure how to proceed, get someone with technical expertise to check your network logs for high traffic appearing during times when you're not using the computer. When in doubt, contact a computer support expert.

As President Obama recently stated, cyber security is a shared responsibility. At Google, we recognize how important awareness and education are because many online security threats can only be avoided if we work together.

We spent the month of October exploring cyber security and talking about how to use Google products in a more secure manner. If you haven't seen them already, take a look at the posts we've released over the last month:
Be sure to share the tips you find most helpful with others, and remember to stay safe online.

Celebrating National Cyber Security Awareness Month 2009

Internet security and online safety are topics that leave many people scratching their heads. While many companies and organizations work to make the Internet a safer place, it can be difficult to know what to do as an Internet user beyond creating numerous passwords for your various online accounts and steering clear of that email from a "long lost relative" who wants you to immediately wire thousands of dollars to him. Here's the good news: even though security can become quite technical and complicated, there are simple steps you can take that can make a big difference in helping to keep your information safe.


This month, Google joins the National Cyber Security Alliance (NCSA), governmental agencies, corporations, schools and non-profit organizations in recognizing National Cyber Security Awareness Month. Throughout October, we'll be raising awareness of important Internet security and safety issues that will teach you how to be an informed web user. Keep an eye on our various product blogs, as we'll be sharing tips that are tailored to users of Google products and services. To kick off the series, visit our newly created Google Cyber Security Awareness Channel on YouTube to watch a variety of online safety videos created by individuals and groups with an interest in cyber security.

The web is a great platform for all kinds of things — finding information, interacting with others and even running your business. Practicing good cyber security habits can help keep it that way. Join us this month by brushing up on your cyber security awareness and sharing the tips you like with others.

Update on 10/22/2009: We're excited to hear that the U.S. House of Representatives today unanimously passed a resolution formally supporting the goals and ideals of National Cyber Security Awareness Month 2009. Rep. Yvette D. Clarke’s resolution signals the government's willingness and commitment to help better protect the nation's online and information security.