Friday, August 24, 2012

Automatic detection of a Google Mail login

In the past I've written about measures I've taken to protect my Google Mail account: I use long random passwords and Google's two-factor authentication with no recovery options, and I have a tempting canary waiting for any intruder.

But to further protect my account I created a system that automatically tells me when a login occurs on my Google Mail account. The system sends me an SMS whenever there's a new login. It distinguishes a known machine appearing from a different IP address (such as when I move my laptop from home to an office) from a brand new login from a machine that has never been seen before. And unlike the canary it doesn't require any action on the intruder's part. It happens automatically.

Here's the SMS chronicle of a trip to the San Francisco office of CloudFlare and my return home. The first SMS was received because I logged in from my hotel; later I went to the CloudFlare office, and a few days later I returned home.

I'm posting this because I'm curious whether anyone else would like this as a service. How much would it be worth to you?
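To make the "known machine on a new network" versus "never-seen machine" distinction concrete, here is an added example of the bookkeeping such a monitor needs; it is not the author's code, and the `client_id` field (a stable per-browser identifier), the device-key hashing and the login sequence (home, hotel, office, home, then an unfamiliar browser) are all assumptions or constructed data.

```python
# Added example, not the author's system: bookkeeping that tells a known laptop on
# a new network apart from a never-seen machine. All identifiers/events are constructed.
import hashlib
from collections import namedtuple

NEW_DEVICE, KNOWN_DEVICE_NEW_IP, KNOWN = "new_device", "known_device_new_ip", "known"
# client_id is an assumed stable per-browser identifier the monitor can observe.
LoginEvent = namedtuple("LoginEvent", "account ip user_agent client_id")

def device_key(event):
    # Keep only a hash so the state store never holds the raw client identifier.
    return hashlib.sha256(f"{event.client_id}|{event.user_agent}".encode()).hexdigest()[:16]

class LoginMonitor:
    def __init__(self):
        self.seen = {}  # device key -> set of IPs already seen for that device

    def observe(self, event):
        key = device_key(event)
        ips = self.seen.get(key)
        if ips is None:              # first time this machine shows up
            self.seen[key] = {event.ip}
            return NEW_DEVICE
        if event.ip not in ips:      # same machine, different network
            ips.add(event.ip)
            return KNOWN_DEVICE_NEW_IP
        return KNOWN                 # nothing new, stay quiet

def sms_text(event, verdict):
    # Only a new device or a new network is worth waking the phone for.
    if verdict == NEW_DEVICE:
        return f"{event.account}: login from NEW device at {event.ip}"
    if verdict == KNOWN_DEVICE_NEW_IP:
        return f"{event.account}: known device, new IP {event.ip}"
    return None

def replay(events):
    # Run a login sequence through one monitor; return the verdict for each event.
    monitor = LoginMonitor()
    return [monitor.observe(e) for e in events]

LAPTOP = dict(account="me@example.com", user_agent="Firefox/14.0", client_id="c-laptop-01")
TRIP = [  # constructed: home, hotel, office, home again, then an unfamiliar machine
    LoginEvent(ip="203.0.113.10", **LAPTOP),
    LoginEvent(ip="198.51.100.77", **LAPTOP),
    LoginEvent(ip="192.0.2.44", **LAPTOP),
    LoginEvent(ip="203.0.113.10", **LAPTOP),
    LoginEvent(account="me@example.com", ip="192.0.2.44", user_agent="Chrome/21.0", client_id="c-unknown"),
]
```

The first home login seeds the device table, so the hotel and office logins produce "known device, new IP" messages, the second home login is silent, and the unfamiliar browser at the office address is flagged as a new device even though its IP has been seen before.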


Will said...

Google can - and in this case should - release the functionality for free.

Of course, if your service extended to cover other aspects of your online identity, then it might remain interesting.

Anonymous said...

Well, it seems a cool feature, but 2-step Verification is already enough. So in order to be competitive: some cents or even free.

martijn said...

I agree that Google can/should release it for free. I'm not sure if I would pay for it, but that's probably because I'm used to things like this being free. (Like Google Mail itself, which is worth a lot to me, yet I would feel hesitant if I had to pay.)

Does it detect logins into other Google services using the same account as well? I recently discovered that "log out all other accounts" in Google Mail doesn't log you out of Google Talk. And you can still send an email (and, more generally, get access to Google Mail) from Google Talk.

Chaz6 said...

This is a great idea. I would love to take this a step further and have some sort of cloud-hosted "syslog" style service that collected events from all my accounts. E.g., "logged in", "uploaded photo", "changed password", "changed profile", etc.

Unknown said...

What if you get a foreign login?

I would not know what to do then, so I cannot quite see what to do with that information.

I'd like the syslog. There are too many things just working (or not) and there is nothing to look at. Do you remember when you had devices that all had logfiles? When is the last (first?) time you saw a log on anything your smartphone did?

Anonymous said...

What sort of access would you need to my account? I suspect that makes this a non-starter.

That issue aside, I'm thinking about a hardened gmail account for password resets and the like. For that account, I could imagine paying $5-10/year.

Q said...

If you have a strong password on your gmail account, how likely is it that someone will break into it? The only risk of such an event is when you use a public computer, like in an infected internet cafe.

But ok, if it happens, and in security sooner or later bad things will happen, being aware of the event is step 1. But what is step 2? Rushing to a computer, logging on and changing the password as soon as possible? What if the perp already did that for you?

If the perp is smart enough to compromise your particular account or any person smart enough to be interested in your service, the perp is smart enough to first change the password and then to mess around. Changing the password will alert a user sooner or later, but then again, how much time does a smart perp need? And how likely a target are you?

I'd personally rather pay for a one-time-password solution based on SMS to Google Mail.

In security within a company, you want to be alerted of course, and you must prepare for the inevitable. You must have your processes and procedures in place (how to treat a compromised server, for example). What would you do once you get that dreaded SMS?

Q said...

2 factor auth provided by dropbox.

Q said...

2 factor auth by Google:

Francis Turner said...

Like the others say, I'm not positive I want to pay much for this service if it is Google login specific. I would be very very interested in details of the API you are using, and I'd be extremely interested in the more general "syslog" service mentioned above.

I'd also be extremely interested in working with you to extend the service and perhaps commercialize it. For example, if there is a way to get access to Google cloud access, Android or iPhone syslog files (or similar), then I already have the tools to parse this for interesting events.