Aug 25

Marc Hedlund

Two-Factor Authentication and Gmail Sign-Ups

Two apparently-related news stories from the week:

Gmail is now, for the first time, open to anyone in the U.S. for account signups, even if the person who wants an account doesn't know anyone, and can't find anyone, to give them an invitation. The one restriction is that the account applicant has to have a U.S. cell phone number, and give that number to Google during the sign-up process. Google uses the number to authenticate the applicant by asking them to enter a special code sent to the phone as a text message. Since spammers create thousands of accounts to avoid detection, and each phone number can only be used to create a few accounts, a mobile phone requirement will make mass account creation, and thus spamming from Gmail, much more difficult.

I had the same initial reaction as many other people when I read about this -- namely, that Google, by asking for something as private as my cell phone number, was now just a few tented fingers away from the evil of C. Montgomery Burns. I'm sure there will be a good number of people who walk away on that reaction and don't come back.

(Based on my own experiments with text messaging, I suspect there are also plenty of people who will assume that their phones can't get such messages, even though they can. The WSJ reports, however, that the U.S. is figuring out text messaging to the tune of US$2.5 billion in 2004, so apparently this is a declining problem.)

Looking at it more closely, though, I think the Gmail team has done as good a job as they can to implement this in a reasonable way. If you look at the sign-up page that asks for your phone number, you'll see that you can select whether or not you want them to use your number for future Gmail features, like text message alerts. Google will still save your number for the purposes of ensuring it isn't used to create too many accounts, but they make a reasonable promise to use it only for that if you indicate that preference.

But why ask for your phone number at all? Well, read the second article, which talks about how to defeat the most common test, known as CAPTCHA, used to prevent spam account creation. Given that CAPTCHAs are failing, what we're seeing is the next step in the arms race. While the Gmail signup also uses a CAPTCHA test, it backs that test up with a secondary one (originally an invite process, which requires you to have an existing email address, and now the phone number alternative). This idea, of using your cell phone as a second factor to confirm your identity, isn't a new one -- Bruce Schneier pointed to a New Zealand bank using the same idea last year, and a long and interesting discussion of the technique followed in the comments on his post. I think it's a good idea, and one that will see a lot more adoption very soon.
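The sign-up check described above, as an added illustration (not Google's code; nothing about their implementation is on this page): a server-side verifier that sends a short-lived one-time code to a phone number, limits wrong guesses, and caps how many accounts one number can create. The time limits, guess limit, per-number cap and the use of a keyed hash for the dedupe table (so it need not hold raw phone numbers) are assumptions of this example, not details from the post.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 600        # a code is valid for ten minutes (assumed value)
MAX_ATTEMPTS = 3              # wrong guesses allowed per issued code (assumed)
MAX_ACCOUNTS_PER_NUMBER = 3   # "only a few accounts" per phone number (assumed)


class SmsSignupVerifier:
    """Second-factor check for account sign-up: a one-time code sent by SMS."""

    def __init__(self, server_key, send_sms, clock=time.time):
        self._key = server_key            # secret used to key the number hash
        self._send_sms = send_sms         # callable(number, text); stubbed in tests
        self._clock = clock               # injectable so expiry can be tested
        self._pending = {}                # number -> (code, expires_at, attempts_left)
        self._accounts_per_number = {}    # HMAC(number) -> accounts created so far

    def _number_id(self, number):
        # Keyed hash: the dedupe table never holds the raw phone number.
        return hmac.new(self._key, number.encode(), hashlib.sha256).hexdigest()

    def start(self, number):
        """Issue and send a fresh code; refuse numbers that already hit the cap."""
        if self._accounts_per_number.get(self._number_id(number), 0) >= MAX_ACCOUNTS_PER_NUMBER:
            return False
        code = f"{secrets.randbelow(10 ** 6):06d}"     # 6-digit code from a CSPRNG
        self._pending[number] = (code, self._clock() + CODE_TTL_SECONDS, MAX_ATTEMPTS)
        self._send_sms(number, f"Your sign-up code is {code}")
        return True

    def confirm(self, number, submitted):
        """Check a submitted code; returns True once, then consumes the code."""
        entry = self._pending.get(number)
        if entry is None:
            return False
        code, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[number]                   # expired or locked out
            return False
        if not hmac.compare_digest(code, submitted):
            self._pending[number] = (code, expires_at, attempts_left - 1)
            return False
        del self._pending[number]
        number_id = self._number_id(number)
        self._accounts_per_number[number_id] = self._accounts_per_number.get(number_id, 0) + 1
        return True
```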

Of course, the more sites use this technique, the more sites will have your cell phone number, and the ability to send text message spam to it. The dollar cost of spam for the recipient is much higher for text messages than email, if your cell provider charges you by message (and that US$2.5 billion figure suggests that they do, and will). Maybe using two-factor authentication through text messages will allow Google to stem spam coming from Gmail, but the overall spam problem may just get worse if the same technique allows other sites to build text-message-capable cell phone number databases. The arms race will, of course, continue.

It probably comes down to this: do you trust that Google (the corporation, not any particular founder or employee) will live up to its "Don't be evil" promise? If presented with the same type of sign-up form at another site, would you trust that site? What's the second factor you can use to verify your trust?

UPDATE: In the comments, Ben Bennett points out some good reasons for suspicion of the PWNtcha link. There are, though, other reports of attacks on CAPTCHA systems -- for instance, see Greg Mori and Jitendra Malik's work, "Breaking a Visual CAPTCHA."

  Ben Bennett [08.25.05 12:23 PM]

I am pretty sure that the PWNtcha link is a total fraud. Follow the GNAA link that they give thanks to (specifically in the GNAA about page "This website is maintained by GNAA, world-famous trolling organization."). Also look at the Cwazymail examples. The 2nd one is unfortunately goatse.

Unfortunately, I think you've been had.

  Alderete [08.25.05 12:36 PM]

I personally don't have a problem giving Google my mobile phone number. But then, I say that, but I already have a Gmail account.

But, after reading this, I went looking on Gmail and Google Accounts to see if there was a place where I could *add* my mobile phone number, for the alerts and so on that might be coming. Couldn't find one. Hmmm...

  Rob Sharp [08.25.05 08:47 PM]

I came across this link whilst reading up about CAPTCHA, where someone claims to have used a neural network to defeat the method:

  Marc Hedlund [08.25.05 11:52 PM]

Thanks for the link. There's also circumstantial evidence that CAPTCHAs are breaking, in that the companies that use them keep making them more difficult to read.

  Sam Hocevar [08.26.05 05:32 AM]

Hello! I hope the following link can help convince Ben that PWNtcha is not a fraud: Also, I do not think that because people are trolls their contribution should not be appreciated; try to get 1,000 samples of the IMDb captcha, for instance.

  Brian Rowe [08.26.05 07:04 AM]

I'm personally not terribly worried that Google may use (or sell) the cell phone numbers for text message spam. That said, there is an aspect of this method that worries me. What if a cracker were to compromise Google's (or some other company's) cell phone number database? I'm afraid that this may be the most likely event leading to widespread cell phone text spam.

  Jeroen Wenting [08.29.05 01:33 AM]

And of course it all comes with the standard Google clause that they can change their terms of service at any time for any reason without telling you and that you automatically agree to any change in terms.
All data entered becomes the property of Google to do with as they see fit within this agreement.

The future: Google changes their TOS so they can do whatever they want with your phone number and start selling it to telemarketers (especially harmful since most mobile phones are now hidden from telemarketers as they're unlisted in phone directories).

  James [01.10.06 01:27 PM]

Well, I am so tired of receiving 10 junk messages on my phone every day from mortgage companies, penis enlarger medications hahahah etc. Every message I receive as a notification, Sprint charges 10 cents. I don't find such advertisement effective at all because it doesn't even contain a link to contact back or to get a hold of the person who sent you the message. It is very stupid..

Hmmm about Google, why the hell do they ask for the mobile number and claim they will use it and keep it in their records for future duplicating another account. Well, once you are signed up, you will be given automatically 10 invitations. Invite yourself and sign up for another account. After two months you are given a total of 100 invitations. hahhaha

I hate Commercial companies and spammers. They cause so much harm to people and society for their own fucking profits.

  unlisted [07.28.06 01:15 PM]

I need help in finding out how I can get my password OFF the auto sign-in. I want to input my password upon each sign on.

  Unlikely [10.05.06 05:59 PM]

I doubt this would cause any uproar. We Americans can't be so sensitive about these things. I mean it's a fairly logical solution to a growing problem and frankly I feel as though we are still in the stone age of technology, whereas someone from Korea or Japan could use their cellphones for almost anything, starting up your car, turning on a/c, etc, short of feeding your dog. So how come we are so scared of using our cellphones. I mean most cellphones don't even have a camera and there is no service underground! Outrageous. How hard is it to hook up a line underground? Whichever company decides to take up on that offer will most likely become the biggest telecom company in the USA.
