Do you trust computers?
December 14, 2012 5:53 AM

So I'm using 2-Step Verification with Gmail and I was wondering how Googlemail recognizes a trusted computer and how easy it would be to fake this. Apparently it works with a cookie since different browsers on the same machine ask for Verification upon login. Wouldn't it be easy to transfer that cookie to another machine or is it tied to some hardware/ software specifics (MAC-Address etc.)? Is it known to what specifics it is tied?
posted by SweetLiesOfBokonon to Computers & Internet (9 answers total)
If somebody has access to your cookies file what would be the point of transferring the cookie to another computer? You are already owned at that point. Your password is not stored in the cookie, so just having the cookie would not give somebody access to your Google account anyway.

Cookies are just text files, I don't think there is any inherent security in them. Which is one reason why I have all my browsers set to delete cookies on close. I do allow the browser to remember Google and a couple of other cookies though, because entering the verification code after every time I close the browser would be a PITA.
posted by COD at 6:10 AM on December 14, 2012


The Old New Thing often refers to this sort of thing as an "airtight hatchway". You don't have to worry about not sharing your cookies, because if an adversary has enough access to your computer to read your cookie files he already has the power you are trying to restrict.
posted by katrielalex at 6:45 AM on December 14, 2012


As others have said, an attacker would need access to your computer to read your cookies. Basically, if you don't trust your computer for some reason (Spyware? Rogue family member with admin access? I dunno), then don't check the "trust this computer" button and be sure to log out after every session.
posted by Vorteks at 7:26 AM on December 14, 2012


Of course, you could remove the trusted computer cookie issue altogether by not marking any computers trusted. If that's too much of a pain, then two-factor auth is probably not for you.
posted by Mr. Anthropomorphism at 7:38 AM on December 14, 2012


Everyone above makes good points. Also, suppose some remote hacker did steal your cookie. Gmail will usually notify you if it notices two simultaneous logins from geographically distant regions.
posted by sbutler at 10:29 AM on December 14, 2012


What? There is no trusted computer in 2-step verification. The 2 steps are 1) something you know, 2) something you have. The way Google has implemented it, the something you know is your password, and the something you have is a code sent to your phone.

Now, perhaps the confusion is that you may have told your browser to remember your password, and it does that thru cookies, and maybe you're having your code sent to your computer. But those are separate issues, not related to 2-step verification.
posted by at at 6:03 PM on December 14, 2012


@at: you can tell Google to trust your computer, then it won't prompt for 2-factor for another month. Just your password.
posted by sbutler at 12:49 AM on December 15, 2012


Note that my question was:
"Wouldn't it be easy to transfer that cookie to another machine or is it tied to some hardware/ software specifics (MAC-Address etc.)? Is it known to what specifics it is tied?"
I am curious how the trusted computer thing works.
posted by SweetLiesOfBokonon at 4:57 AM on December 15, 2012


A "trusted computer" cookie stores encrypted data about the computer/browser that generated it, making it very difficult to transfer over to another computer. And yeah, if you think there's any plausibility that someone would have access to your computer and try to transfer the cookies off of it to get into your Google account, that computer should not be marked as "trusted".
posted by girih knot at 7:24 AM on December 15, 2012
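
One way a server could build the kind of "trusted computer" cookie discussed in this thread, as an added example that is not part of the thread and is not Google's implementation. It signs the cookie data with an HMAC rather than encrypting it, and uses the User-Agent string as a stand-in for whatever browser attributes a real service checks; the key, function names and sample values are all assumptions.

```python
import base64
import hashlib
import hmac
import json

SERVER_KEY = b"constructed-demo-key"   # assumption: secret held only by the server
TRUST_SECONDS = 30 * 24 * 3600         # "another month", as described in the thread


def fingerprint(user_agent: str) -> str:
    """Hash of the browser attribute the cookie is bound to (assumed: User-Agent)."""
    return hashlib.sha256(user_agent.encode()).hexdigest()


def issue_trust_cookie(user: str, user_agent: str, now: float) -> str:
    """Called after a successful code check with 'trust this computer' ticked."""
    payload = json.dumps(
        {"u": user, "fp": fingerprint(user_agent), "exp": int(now) + TRUST_SECONDS},
        sort_keys=True,
    ).encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(tag).decode())


def needs_second_factor(cookie, user: str, user_agent: str, now: float) -> bool:
    """True when the code prompt must be shown; the password is checked separately."""
    if not cookie:
        return True                      # browser was never marked as trusted
    try:
        payload_b64, tag_b64 = cookie.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:                   # wrong shape or invalid base64
        return True
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return True                      # forged or modified cookie
    data = json.loads(payload)           # safe to parse only after the tag verifies
    if data["u"] != user or data["exp"] < now:
        return True                      # other account, or the month has run out
    # Cookie presented by a browser other than the one it was issued to
    return not hmac.compare_digest(data["fp"], fingerprint(user_agent))
```

The cookie only decides whether the code prompt is skipped; it carries no password and does not log anyone in by itself.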

