Google’s two-factor authentication system (they call it “2-step verification”) is a good safeguard against online criminals hijacking your account.*
After enabling 2-step verification, whenever you log in to your Google account (e.g. for Gmail) you get a text message on your phone. Unless you provide the numeric code from that text message to Google, you cannot access your account.
This is classic two-factor authentication in that it ensures:
- You know the password for your account and
- You have your phone in your possession
As this would quickly get annoying for people who log in and out of their Google profile all the time, there is an option to “Remember this computer for 30 days”. This means that Google will not require two-factor authentication for a month for that particular computer & browser if the user says so.
But how does Google know that this computer is one to be trusted? This information is stored in a cookie. To safeguard my privacy I always set up my browsers to delete all cookies (and LSOs). But this wipes out the Google cookie that “remembers” my machine as well, which means I am asked again and again for 2-factor authentication. This situation quickly gets annoying. Isn’t it possible to tell my browser (Firefox) to delete all cookies EXCEPT the necessary Google cookies every time it exits?
Luckily it is. You need the following settings in Firefox:
- Accept cookies from sites
- Keep until: I close Firefox
- Exceptions…: accounts.google.com – “Allow”
This is what your Firefox Preferences window should look like on Ubuntu Linux:
…and the exception window that does the trick – this is how the critical cookies from accounts.google.com will NOT be deleted. Instead they will be preserved across browser sessions and you will not have to do two-step verification every time you log in to Gmail from computers you trust:
For Windows users, the same options work just fine – here is what the options window needs to look like on Windows 7:
Try it. Shut down Firefox, start it up again and have a look at the stored cookies from the main settings panel under Privacy -> Show Cookies. There should only be cookies from “accounts.google.com” and perhaps from your browser’s homepage there – nothing else.
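The same check can be scripted instead of read off the Show Cookies window. The following is an added example, not part of the original post: it assumes Firefox keeps its stored cookies in a `cookies.sqlite` file in the profile folder, in a `moz_cookies` table with a `host` column, and it runs here against a constructed in-memory sample rather than a real profile.

```python
import sqlite3

# Hosts expected to survive a restart: the exception from the settings above.
ALLOWED_HOSTS = {"accounts.google.com"}


def is_allowed(host, allowed=ALLOWED_HOSTS):
    """True if a cookie host equals an allowed host or is a subdomain of it."""
    host = host.lstrip(".").lower()  # domain cookies are stored as ".example.com"
    return any(host == a or host.endswith("." + a) for a in allowed)


def audit_cookies(conn, allowed=ALLOWED_HOSTS):
    """Return (kept, unexpected): cookie counts per host, split by the allow list."""
    kept, unexpected = {}, {}
    rows = conn.execute("SELECT host, COUNT(*) FROM moz_cookies GROUP BY host")
    for host, count in rows:
        bucket = kept if is_allowed(host, allowed) else unexpected
        bucket[host] = count
    return kept, unexpected


def build_sample_db():
    """Constructed sample: a cut-down moz_cookies table, not a real profile."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE moz_cookies (host TEXT, name TEXT, value TEXT)")
    conn.executemany(
        "INSERT INTO moz_cookies VALUES (?, ?, ?)",
        [
            ("accounts.google.com", "SAMPLE_A", "x"),
            (".accounts.google.com", "SAMPLE_B", "x"),
            (".tracker.example", "SAMPLE_ID", "x"),
            ("notaccounts.google.com.example", "SAMPLE_C", "x"),
        ],
    )
    return conn


if __name__ == "__main__":
    # For a real check, close Firefox and replace build_sample_db() with
    # sqlite3.connect("file:/path/to/profile/cookies.sqlite?mode=ro", uri=True)
    kept, unexpected = audit_cookies(build_sample_db())
    print("kept:", kept)
    print("unexpected (should be empty after a restart):", unexpected)
```

If your homepage sets cookies, add its host to `ALLOWED_HOSTS` so it is not reported as unexpected.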
You now have
- Better security of your Google account due to 2-step verification
- Better usability because you don’t need to perform 2-step verification all the time on your trusted computers
- Decent privacy & lack of tracking because Firefox deletes almost all cookies every time it exits.
This is the tip of the iceberg (think malware, LSOs, unique browser fingerprints etc), but hey, it’s better than nothing.
* Unfortunately it doesn’t really help when the attacker is the government. As Wikileaks and Privacy International have pointed out with the “Spy Files” project, when it comes to government surveillance Gmail users are screwed.




Posted by apapadop 



