[liberationtech] Time validation for 2-step verification codes

Nadim Kobeissi nadim at nadim.computer
Wed Aug 27 10:08:46 PDT 2014


The two-step verification used by Google is based on the TOTP protocol [1]
which is the open standard for this sort of thing.

To answer your questions Amin:

1. Tokens last 60 seconds according to the TOTP standard.
2. Your journalist friends would be very well-advised to use an app [2]
instead of SMS codes. By using an authenticator app, they will be able to
obtain codes without using SMS and even with their phone completely not
connected to a network.

[1] http://tools.ietf.org/html/rfc6238
[2] https://support.google.com/accounts/answer/1066447?hl=en



On Wed, Aug 27, 2014 at 11:29 AM, Amin Sabeti <aminsabeti at gmail.com> wrote:

> Hi,
>
> Recently, a bunch of Iranian journalists/activists have been targeted by
> Iranian hackers.
>
> Some of them said their 2-step verification was active during the attack
> but the hacker could reuse the code that was sent by Google via SMS and
> passed 2-step verification!
>
> I was wondering if some folks here know the validation time for the
> 2-step verification code that users receive through SMS, not the app.
>
> Cheers,
>
> Amin