Google 2-Step Authentication Defaults To Trusted?

April 9th, 2013

I’ve finally decided to try out Google’s 2-Step Authentication feature. This is a fantastic way to keep your account from being compromised. Since I am an avid traveler and I sometimes sign into my account from untrusted machines, I wanted a better way to ensure security for my Google accounts.

There is one small annoyance that I found wasn’t documented clearly on Google’s pages. I often found that when I got to the page to enter in my authentication code it would automatically check “Don’t ask for codes again on this computer.” By habit I hit enter after I type in the code and I’m into my account and this computer has now been added to my trusted list. This means next time I sign in from that particular computer I will not be asked for the additional verification code. To undo this you can either clear the cookies in the same browser or visit http://accounts.google.com/security, click “Settings” next to 2-Step authentication, and then remove the computer as being trusted. Both are steps you shouldn’t have to consciously perform when you are trying to keep things extra secure.

When I searched for a reason, I found a small Google Groups thread briefly talking about the issue but unfortunately the comments were less than helpful and the thread is now closed. I’ve noticed the behavior changes based on how you initially log into Gmail/Google. The sign-in page by default will have “Stay signed in” automatically checked. When this is checked, 2-Step Authentication assumes you want to trust this computer because you can’t actually “Stay signed in” on an untrusted computer. It’s still not an ideal default for the extra security-minded, but if anyone was wondering why 2-Step defaults to trusting a computer, this is why. Uncheck that box before you continue and the subsequent “Don’t ask for codes again on this computer.” will be unchecked. Or just uncheck “Don’t ask for codes again on this computer.” before you continue.

Occasionally it makes sense to do some house cleaning. If you visit the 2-Step Verification section from accounts.google.com/security you can also clear out all previously trusted computers just to be sure.

After that you can put on your tin foil hat and laugh maniacally.

Entry Filed under: Tech

3 Comments

  • 1. noname  |  May 24th, 2013 at 1:56 pm

    This annoys me too. What a stupid implementation of security.

  • 2. Francis  |  September 19th, 2013 at 7:18 am

    I was searching for this today, because these last days the checkbox has been automatically checked for me and I find it very annoying! It’s called a checkbox, not an uncheckbox.

  • 3. Tim  |  January 9th, 2014 at 2:24 pm

    Good to know.
    I have been working around this assumption by Google that you want to remember a computer that you log in with by using LastPass. This is mainly on my work computer that I want to ensure always prompts for password and second-factor. I use LastPass to un-check the box. I log in to LastPass first using 2-factor. Then I go to the Google login and LastPass fills in the username and password and un-checks the box for me so I don’t have to remember to do it each time. It has a feature that allows you to enter the data into the screen the way you want it first, then “Save All Entered Data” — which includes the un-checked box. Very useful.
