Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
From: Mike Hearn (hearngoogle.com)
Date: Thu May 17 2012 - 10:45:07 CDT
If you provide the name of the account you're logging in to, we can go
take a look what's happening.
On Thu, May 17, 2012 at 5:29 PM, Michael Gray <mgrayemitcode.com> wrote:
> Regardless of how you say it works, I can bypass it every time it would
> seem. Again, by using the method in my original post. It's likely you have a
> bug if this isn't the functionality you're after.
> I appreciate the statistics but they mean little to me.
> Thank you for taking the time to respond. I hope my suggestions and findings
> will assist you in correcting these issues
> On May 17, 2012 5:51 AM, "Mike Hearn" <hearngoogle.com> wrote:
>> I understand your concerns, however they are not valid. You can be
>> assured of the following:
>> 1) We do not see this system as a replacement for passwords. If we
>> block a login the user is notified and asked if it was them, if it
>> wasn't we ask them to pick a new password. In very high confidence
>> cases we will immediately force the user to choose a new password,
>> because passwords are still the first line of defense.
>> 2) We do not see this system as a replacement for 2-factor
>> authentication. However the reality is that the vast majority of our
>> users do not use 2-factor authentication and this is unlikely to
>> change any time soon. 2SV imposes a significant extra burden on the
>> user such that despite heavy promotion many users refuse to sign up,
>> and of those that do, many choose to unenroll shortly afterwards.
>> Therefore we also provide this always-on best effort system as well.
>> 3) In fact it is very effective at stopping the large, botnet driven
>> types of attacks we see on a daily basis and so saying it doesn't add
>> any security is wrong. Since going live the system has successfully
>> defended tens of millions of users who have a compromised password. A
>> single unrepresentative data point based on one account isn't enough
>> for you to judge the utility of the system, whereas we can clearly see
>> the stopped campaigns (and drop in number of attempts).
>> That said, if you have friends and relatives who use Google and you'd
>> like to to make them more secure, by all means encourage them to set
>> up two-factor authentication.
Mike Hearn | Senior Software Engineer | hearngoogle.com | Account security team
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/