I suggested the idea of using either an App or a SMS text message to add security.
The idea was that the server would send you a text with a randomly generated number to log in with.
This would prevent others from logging into your account unless they had stolen your phone too.
(you can read the post here)
I also sent Google an email with this idea.
Google started using this concept for their Google Apps accounts a few months ago.
They called it 2-Step Verification.
Recently, they rolled out the option to all Google accounts.
Which means you can set you GMail account to only allow you to log in once they've verified your identity via the possession of your phone.
It is interesting to see how they modified my idea for the phone app.
My original idea was that there would be an encryption program that was based on time.
It would generate a new code every few minutes based on a alpha-numeric key that it shared with the server.
My logic behind this was that you could use a non internet enabled phone.
They instead chose to have the server send the code to the phone upon a request to log in.
In my Oct-2009 post I analysed the positives and potential pitfalls of using such a process.
The obvious benefit is added security.
The obvious hindrance is the added time and step to log in.
There are some not so obvious negatives that would have occurred if Google had not modified my plan.
Scenario1: Your phone is lost/destroyed/stolen/eaten.
You have to contact someone with access to the server,
prove you are the owner of the account,
And they have to grant you access.
Solution1: Add a backup phone number
Scenario2: You are in a location that cannot receive cell phone service. (i.e. the library basement)
Solution2: Randomly generated printable one time use codes.
(Also a solution to Scenario1)
I'm thrilled that Google did this.
It's really cool to see an idea you came up with and submitted actually get used.
The only thing I want to know is this,
Did my blog post or email convince them to do this?
Had they been working on it before I came up with the idea?
Did they just never get my email and came up with it after the fact?
You know what would be really cool?
Getting a letter from them saying something like,
"Hey, Thanks for the awesome idea!
Now our users are even more secure.
p.s. Would you like a job?"
That and a check for $1.
I'd frame it and put it on my wall.