Securing Gmail a little more - with OTPs and CardSpace


I had earlier posted a series of articles on Gmail gadgets. I had also written about using one time passwords like SecurID to secure Gmail better. This post describes the technical details to achieve that. The steps look something like this

  1. The user logs into Gmail
  2. The gadget is loaded. It sets the top.location to the securID login page
  3. The user is sent a random code via SMS (using Google Calendar). If the token is SecurID, the SecurID SDK is use
  4. The user enters the code in the page.
  5. If the code is correct, it is set as a cookie (or store it temporarily at the server) and the page redirects the user to Gmail
  6. The Gadget loads again and gadget asks the server for status of the token
  7. If the server gets the token code from the cookie (or from the user session) and sends the result of authentication back to the user.
The approach is simple. However, this is not 100% secure with the current state of gadgets. This is because of the following.
  • Gadgets are disabled in the basic mode
  • Gadgets are not "REQUIRED" to be executed for gmail to load. Only certain special gadgets (chat, labs, etc) are mandatory.
  • POP3 and IMAP could be other ways mail is retrieved. These have to be turned on.
Hence, if Gmail gives us the extra privilages, one time passwords and two factor authentication would be possible.