
What I'd like is one-factor for my typical "log in and check mail, write back to a few people" use case, and two-factor or a second password that kicks in when I (or a bad guy) tries to:

* Log in from a computer that's never used this account before

* Set up a forward

* Make a mass mailing

* Change the password

* Do extensive searching or searching for suspicious terms ("password", "credit card", etc)

* Export a large amount of mail

...and other such things. That way, I don't have to be inconvenienced by constantly having to use the second factor, but would still survive a stolen laptop, keylogged password, or sniffed cookie with a contained amount of damage.
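The policy sketched in the comment above (password alone for routine mail use, second factor for risky actions, trusted devices remembered for a month, scoped app-specific passwords that can never touch settings) as a worked example. This is added illustration code, not anything from the original post or from Google; the action names, the recipient/size/rate thresholds and the device identifiers are assumptions chosen for the demo.

```python
"""Risk-based step-up authentication policy (added example, not Google's code).

A session authenticated with a password alone may read and reply to mail.
Risky actions (unrecognised device, forwarding rules, mass mailing, password
change, suspicious or bulk searching, bulk export) require a second factor.
A device on which the second factor was presented within the last 30 days is
treated as trusted, and an app-specific password (IMAP/POP) is limited to
mail access. All thresholds below are assumptions for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

TRUST_TTL = timedelta(days=30)          # "remember this computer" window
MASS_MAIL_RECIPIENTS = 50               # assumed threshold
EXPORT_SIZE_MB = 100                    # assumed threshold
SEARCHES_PER_HOUR = 200                 # assumed threshold
SUSPICIOUS_TERMS = ("password", "credit card", "ssn", "bank")
APP_PASSWORD_ACTIONS = {"read_mail", "send_mail", "search"}   # scope of an IMAP/POP password
SENSITIVE_SETTINGS = {"set_forward", "change_password", "change_recovery", "disable_2fa"}


@dataclass
class Session:
    user: str
    device_id: str
    second_factor_this_session: bool = False
    via_app_password: bool = False


@dataclass
class DeviceTrust:
    """Per-user record of when a second factor was last verified on each device."""
    verified_at: dict = field(default_factory=dict)

    def record(self, device_id: str, when: datetime) -> None:
        self.verified_at[device_id] = when

    def is_trusted(self, device_id: str, now: datetime) -> bool:
        when = self.verified_at.get(device_id)
        return when is not None and now - when < TRUST_TTL


def decide(action: str, params: dict, session: Session, trust: DeviceTrust,
           now: datetime) -> tuple[str, str]:
    """Return ("allow" | "step_up" | "deny", reason) for one action."""
    if session.via_app_password:
        # An app-specific password is scoped to mail; settings are simply denied.
        if action in APP_PASSWORD_ACTIONS:
            return "allow", "app password permits mail access"
        return "deny", f"app password cannot perform {action}"

    if session.second_factor_this_session:
        return "allow", "second factor already verified in this session"

    # A stolen cookie replayed from an unknown machine trips this first.
    if not trust.is_trusted(session.device_id, now):
        return "step_up", "device not verified with a second factor in the last 30 days"

    if action in SENSITIVE_SETTINGS:
        return "step_up", f"sensitive account setting: {action}"
    if action == "send_mail" and len(params.get("recipients", ())) >= MASS_MAIL_RECIPIENTS:
        return "step_up", "mass mailing"
    if action == "search":
        query = params.get("query", "").lower()
        hits = [t for t in SUSPICIOUS_TERMS if t in query]
        if hits:
            return "step_up", f"suspicious search terms: {hits}"
        if params.get("searches_last_hour", 0) > SEARCHES_PER_HOUR:
            return "step_up", "extensive searching"
    if action == "export" and params.get("size_mb", 0) >= EXPORT_SIZE_MB:
        return "step_up", "large mail export"

    return "allow", "routine action on a trusted device"


def demo() -> dict:
    """Run the scenarios from the comment; returns scenario -> (verdict, reason)."""
    now = datetime(2011, 7, 1, 9, 0)
    trust = DeviceTrust()
    trust.record("laptop", now - timedelta(days=10))    # second factor seen 10 days ago
    owner = Session("alice", "laptop")
    stolen_cookie = Session("alice", "laptop")          # attacker replays the owner's cookie
    new_machine = Session("alice", "cafe-pc")           # never seen before
    imap_client = Session("alice", "phone", via_app_password=True)
    return {
        "owner reads mail": decide("read_mail", {}, owner, trust, now),
        "owner replies to 3 people": decide("send_mail", {"recipients": ["a", "b", "c"]}, owner, trust, now),
        "stolen cookie sets forward": decide("set_forward", {"to": "x@example.net"}, stolen_cookie, trust, now),
        "stolen cookie searches for passwords": decide("search", {"query": "password reset"}, stolen_cookie, trust, now),
        "stolen cookie exports 2 GB": decide("export", {"size_mb": 2048}, stolen_cookie, trust, now),
        "new machine reads mail": decide("read_mail", {}, new_machine, trust, now),
        "laptop after trust expires": decide("read_mail", {}, owner, trust, now + timedelta(days=25)),
        "imap app password reads mail": decide("read_mail", {}, imap_client, trust, now),
        "imap app password changes password": decide("change_password", {}, imap_client, trust, now),
    }


if __name__ == "__main__":
    for scenario, (verdict, reason) in demo().items():
        print(f"{scenario:38s} -> {verdict:8s} {reason}")
```

The point of the `DeviceTrust` record is that the "remember this computer" cookie buys convenience only for low-risk actions: a replayed cookie on the trusted laptop can still read mail, but setting up a forward, searching for "password" or exporting the mailbox forces the second factor, which is what limits the damage from a sniffed cookie or keylogged password.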



I've been on it since the first day they would let me, and I couldn't be a larger fan. I know how vulnerable I would be if I lost control of my email account, and it's scary. I don't trust the recovery options with google because they're useless if someone gets your password and changes it.

I lost my phone skiing, used an application to find it, and realized someone else had the phone already. Without two factor authentication I would have had to change my gmail password, update it everywhere, and type the wrong password in for the next 2 weeks. Revoking the application was simple and made me feel better about the situation. This was huge for me.

I would recommend everyone who keeps a fancy phone with them nearly 24/7 to enable 2 factor authentication.

What it's like to use:

* Once every 30 days I have to put the code in.

* I keep a paper copy of the 10 backup codes on me. I've had to use 2 of these for when my phone was dead or lost and I was logging on to a new browser.

* I've also emailed these codes to an account that is totally unaffiliated and has no link to my google account.

* I have about 3 other applications I had to set up the application passwords for. This was less painful than I expected.

The real risk is when you're in a worst case scenario - without your wallet, without your phone, and every online email you have is compromised.

Even if someone does manage to get through the 2 factor authentication, there's a pretty good chance they won't disable it or clear out the emergency codes.


Because of the long-state persistence of sessions in Google accounts, this shouldn't be a problem unless you're logging in from public terminals.

I've had Two-Factor on for about a week now and it works very, very well. Most annoying part is setting up the one-off auto-generated passwords for the applications that can't use two-factor.


I don't think it's annoying. I think it's actually enlightening: It shows you exactly how many applications have access to your Google account. And how much potential there is for a screw up.


Agreed; I got halfway through setting up Google's 2 factor but then was told I had to use it for every login, instead of say when I was logging in from a different IP or doing some big change.


The second factor auth can live in a cookie for 30 days. Since I use the same two computers all the time, I only have to pull out the 2-factor authenticator app every couple of weeks. Not a big deal.

I am really, really happy to have 2-factor auth for my gmail account. In retrospect, I think it's crazy I hadn't set it up before.


You don't actually have to use it on every login. There's an option to remember a computer for 30 days. I have this option ticked in a single browser on my main laptop, and I input the verification key for everything else. Not a pain at all and definitely worth the added security.


If you use more than one browser per machine, you need to reauthenticate for each one, which multiplies the inconvenience. Also, you need to generate passwords for apps that don't use 2 factor authentication (IMAP, IM clients).

Although, I still think it's worth the added effort.


If you feel your machine is well-secured and your passwords are properly encrypted, you might want to set up a device-specific password for your machine, with limited access somewhat as suggested in the top post. Then you'll only need two factors to access your account settings.

The downside, like I pointed out in another comment [1], is that even with (hypothetical) read-only access to your email account, a malicious party could arguably steal your accounts elsewhere on the net — that being the main reason why you'd want to have 2-factor authentication whenever possible.

But trading the 2-factor auth for Google's disposable, device-specific passwords is not at all unreasonable.

[1] http://news.ycombinator.com/item?id=2699867


30 days, divided by the number of computers you log in on. In my case that could be as much as 7 machines, so I'd expect to need to log in every 4 days or so. Definitely more hassle than desired.


When you log in with 2 factor you have the option to validate the current machine for 30 days.


Then again, with as little as read-only access to your inbox, someone can steal your accounts in other websites.

Plus, the two-factor authentication may sound like a hassle but it really isn't. You get used to it really fast, and you have to use it surprisingly less than you'd expect because of the option to automatically remember devices (for a month).


If you don't mind using gmail over IMAP/POP then you can essentially do this. You can create a special password for access over IMAP/POP that does not require 2-factor authentication.

Then just use the web interface for managing your settings.

Of course, this isn't a real solution and will only work for people who are already not using the gmail web interface.


What I'd like to see is these criminals hunted down and brought to justice.



