Ask HN: Google 2 factor authentication security?

5 points by Havoc ↗ HN
I've got it enabled & it works well using the authenticator android app. I'm worried about the android device though: If I lose it someone has a device with both the authenticator plus android apps (gmail etc) that allow access.

Is this enough for the crook to take control over the account? i.e. Can one change the master password from there or will I always be able to kill the device specific password with my PC + Master password?

2 comments

[ 3.4 ms ] story [ 15.0 ms ] thread
If you printed out the hardcopy one-time codes like they instruct, you can immediately log in with that as soon as you realize the phone has been lost and remove the Android device from your account so that it can no longer generate the 2-factor codes.

You also can't change your Google Account password from your phone and once you enable 2-factor auth, your Android phone's sync/email/etc uses an application specific password to authenticate so your master password isn't used on the device anymore. You can also kill that application specific password from your web-based profile settings and while it doesn't "wipe" the phone, it halts further syncs.

Excellent just what I wanted to know. Thanks