If one steals someone's phone, he can easily use the password recovery mechanism to gain access to the person's Gmail account. Even if the victim had an alternative mail for password recovery, the attacker can remove this mail address once he gains access to the account. Using Google's 2-step authentication will not help, since the authentication code is probably sent to the phone. This makes the phone a single point of failure. Is there anything to be done in order to protect an account from such hijacking, besides locking the phone?
-
He who owns the phone, owns the account. It's all in the nature of tying authentication to a device. And there is no security if the attacker has physical access to the device, whether it's a server or a smart phone. – Fiasco Labs Mar 25 '14 at 16:49
-
...which is a major reason why 2FA, although useful and protective to a point, is no silver bullet and is absolutely no substitute for strong passwords. – Craig Tullis Jul 10 '15 at 15:44
-
The argument is that the phone is a substitute for the password, as you can reset the account password by proving you own the phone. – davide Jun 11 '17 at 19:03