Skip to main content

Automatic detection of a Google Mail log in

In the past I've written about measures I've taken to protect my Google Mail account: I use long random passwords and Google's two-factor authentication with no recovery options and I have a tempting canary waiting for any intruder.

But to further protect my account I created a system that automatically tells me when a log in occurs on my Google Mail account. The system sends me an SMS whenever there's a new log in. The system is able to distinguish a machine that's used on different IP addresses (such as when I move my laptop from home to an office) and brand new log ins from machines that have never been seen before. And unlike the canary it doesn't require any action. It happens automatically.

Here's the SMS chronicle of a trip to the San Francisco office of CloudFlare and my return home. The first SMS was received because I logged in in my hotel, later I went to the CloudFlare office and a few days later I returned home.

I'm posting this because I'm curious whether anyone else would like this as a service. How much would it be worth to you?


Will said…
Google can - and in this case should - release the functionality for free.

Of course, if your service extended to cover other aspects of your online identity, then it might remain interesting.
Anonymous said…
Well it seems cool feature, but 2-step Verification is already enough. So in order to be competitive - some cents or even free.
martijn said…
I agree that Google can/should release it for free. I'm not sure if I would pay for it, but that's probably because I'm used to things like this being free. (Like Google Mail itself, which is worth a lot to me, yet it would feel hesitant if I had to pay.)

Does it detect logins into other Google services using the same account as well. I recently discovered that "log out all other accounts" in Google Mail, doesn't log you out of Google Talk. And you can still send an email (and, more generally, get access to Google Mail) from Google Talk.
Chaz6 said…
This is a great idea. I would love to take this a step further and have some sort of cloud-hosted "syslog" style service that collected events from all my accounts. E.g., "logged in", "uploaded photo", "changed password", "changed profile", etc.
Unknown said…
what if you get a foreign login?

i would not know what to do then. so i cannot quite see what to do with that information.

i'd like the syslog. there are too many things just working (or not) and there is nothing to look at. do you remember when you had devices that all had logfiles? when is the last (first?) time you saw a log on anything your smartphone did?
Anonymous said…
What sort of access would you need to my account? I suspect that makes this a not-starter.

That issue aside. I'm thinking about a hardened gmail account for password resets and the like. For that account, I could imagine paying $5-10/year.
Q said…
If you have a strong password on your gmail account, how likely is it that someone will break into it. The only risk to such an event is when you use a public computer, like in an infected internet cafe.

But ok, if it happens, and in security sooner or later bad things will happen, being aware of the event is step 1. But what is step 2? Rushing to a computer, logging on and change the password as soon as possible? What if the perp already did that for you?

If the perp is smart enough to compromise your particular account or any person smart enough to be interested in your service, the perp is smart enough to first change the password and then to mess around. Changing the password will alert a user sooner or later, but then again, how much time does a smart perp need? And how likely a target are you?

I'd personally rather pay for a one-time-password solution based on sms to google mail.

In security within a company, you want to be alerted ofcourse, and you must prepare for the inevitable. You must have your processes and procedures in place (how to treat a compromised server for example). What would you do once you get that dreaded sms?
Q said…
2 factor auth provided by dropbox.
Q said…
2 factor auth by Google:
Francis Turner said…
Like the others say, I'm not positive I want to pay much for this service if it is google login specific. I would be very very interested in details of the API you are using and I'd be extremely interested in the more general "syslog' service mentioned above.

I'd also be extremely interested in working with you to extend the service and perhaps commercialize it. For example, if there is a way to get access to google cloud access, android or iphone syslog files (or similar) then I already have the tools to parse this for interesting events.


Popular posts from this blog

How to write a successful blog post

First, a quick clarification of 'successful'. In this instance, I mean a blog post that receives a large number of page views. For my, little blog the most successful post ever got almost 57,000 page views. Not a lot by some other standards, but I was pretty happy about it. Looking at the top 10 blog posts (by page views) on my site, I've tried to distill some wisdom about what made them successful. Your blog posting mileage may vary. 1. Avoid using the passive voice The Microsoft Word grammar checker has probably been telling you this for years, but the passive voice excludes the people involved in your blog post. And that includes you, the author, and the reader. By using personal pronouns like I, you and we, you will include the reader in your blog post. When I first started this blog I avoid using "I" because I thought I was being narcissistic. But we all like to read about other people, people help anchor a story in reality. Without people your bl

Your last name contains invalid characters

My last name is "Graham-Cumming". But here's a typical form response when I enter it: Does the web site have any idea how rude it is to claim that my last name contains invalid characters? Clearly not. What they actually meant is: our web site will not accept that hyphen in your last name. But do they say that? No, of course not. They decide to shove in my face the claim that there's something wrong with my name. There's nothing wrong with my name, just as there's nothing wrong with someone whose first name is Jean-Marie, or someone whose last name is O'Reilly. What is wrong is that way this is being handled. If the system can't cope with non-letters and spaces it needs to say that. How about the following error message: Our system is unable to process last names that contain non-letters, please replace them with spaces. Don't blame me for having a last name that your system doesn't like, whose fault is that? Saying "Your

The Elevator Button Problem

User interface design is hard. It's hard because people perceive apparently simple things very differently. For example, take a look at this interface to an elevator: From flickr Now imagine the following situation. You are on the third floor of this building and you wish to go to the tenth. The elevator is on the fifth floor and there's an indicator that tells you where it is. Which button do you press? Most people probably say: "press up" since they want to go up. Not long ago I watched someone do the opposite and questioned them about their behavior. They said: "well the elevator is on the fifth floor and I am on the third, so I want it to come down to me". Much can be learnt about the design of user interfaces by considering this, apparently, simple interface. If you think about the elevator button problem you'll find that something so simple has hidden depths. How do people learn about elevator calling? What's the right amount of