Data and email security is pretty hazy in today’s world. A recent article by Hacker News talked about how easy it is for a hacker to access pretty much any account, using Facebook as a specific example: just by knowing your phone number, an attacker can reset your account password and exploit a weakness in the telecommunication infrastructure to gain access. Google has come out with options to help potentially guard against this.
The first new option is Google Prompt. Honestly, this doesn’t really protect much against someone hacking into your account, as there are already types of malware (viruses, trojans, etc.) that can take control of your phone remotely, circumventing the security that Google Prompt hopes to offer. Security is only as good as the weakest link.
The next new option is much more promising. Security Key is a security certificate that authenticates who you are. It is stored on a USB device that supports FIDO U2F, which you can carry with you, and it is designed to only work with the Google-specific sites. This option doesn’t work for mobile device users, though (most phones and tablets have no USB port), and you can only use Google Chrome version 40 or newer (which is fine for most people). As a backup for mobile device users (though not without its risks, as described earlier) or for someone who needs to use a different browser, you can use verification codes sent to your phone via text message or generated by the Google Authenticator app.
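To illustrate why a U2F Security Key only works with the site it was registered on, here is an added example (not code from the original article or from Google) of the checks a site makes on the browser-supplied client data, and of the bytes the token signs, following the FIDO U2F raw message format. The origin, AppID and challenge are constructed values; verifying the ECDSA P-256 signature over `signature_base` is left out because it needs a third-party crypto library.

```python
import hashlib
import json

# Constructed relying-party values (assumptions for this example).
APP_ID = "https://accounts.example.com"
ALLOWED_ORIGINS = {"https://accounts.example.com"}


def make_client_data(origin: str, challenge: str) -> bytes:
    """Client data as the browser builds it for a U2F sign request."""
    return json.dumps({
        "typ": "navigator.id.getAssertion",
        "challenge": challenge,
        "origin": origin,  # filled in by the browser, not by the page
    }).encode()


def check_client_data(client_data: bytes, expected_challenge: str) -> bool:
    """Server-side checks: right message type, our challenge, our origin."""
    try:
        data = json.loads(client_data)
    except ValueError:  # malformed JSON or invalid UTF-8
        return False
    if not isinstance(data, dict):
        return False
    return (
        data.get("typ") == "navigator.id.getAssertion"
        and data.get("challenge") == expected_challenge
        and data.get("origin") in ALLOWED_ORIGINS
    )


def signature_base(app_id: str, client_data: bytes,
                   presence: int, counter: int) -> bytes:
    """Bytes the token signs: appParam || presence || counter || challengeParam."""
    app_param = hashlib.sha256(app_id.encode()).digest()
    challenge_param = hashlib.sha256(client_data).digest()
    return app_param + bytes([presence]) + counter.to_bytes(4, "big") + challenge_param


if __name__ == "__main__":
    challenge = "c2FtcGxlLWNoYWxsZW5nZQ"  # constructed websafe-base64 challenge
    real = make_client_data("https://accounts.example.com", challenge)
    fake = make_client_data("https://accounts.example.com.evil.test", challenge)
    print("real origin accepted:", check_client_data(real, challenge))
    print("lookalike origin accepted:", check_client_data(fake, challenge))
    print("signed bytes differ:", signature_base(APP_ID, real, 1, 7)
          != signature_base(APP_ID, fake, 1, 7))
```

Because the origin is inside the signed client data, a response produced on a lookalike site fails the origin check, and altering the client data afterwards invalidates the signature.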
With both of these options, though, it’s not clear whether doing a password reset on the account would still require the Google Prompt or the Security Key USB device. Even so, these options are a step forward in helping to protect user data.
To activate either of these options with your Google Account, or to get more info, go to: https://myaccount.google.com/security/signinoptions/two-step-verification.