With the ever-increasing role email serves in people's lives as a central point of aggregation for account information, a compromised email account can result in extensive loss of personal/financial information. For example, user accounts with Google's Gmail service have been compromised, which resulted in identity theft and financial theft from those users. Google has attempted to reduce the vulnerability of its Gmail service by allowing users to opt in to multi-factor authentication, which provides an increased level of account security for its users. However, many users are reluctant to activate such multi-factor authentication because of the inconvenience and access limitations that arise.
Multi-factor authentication is a security approach that requires the user of a system to provide more than one form of verification in order to prove their identity and gain access to the system. Multi-factor authentication takes advantage of a combination of several factors of authentication; three such factors are verification by something the user knows (such as a user ID and password), something the user has (such as a smart card or a security token), and something the user is (such as the use of biometrics). Due to their increased complexity, authentication systems that use a multi-factor authentication configuration are harder to compromise than ones using a single factor.
Google's multi-factor email authentication process requires a user to provide a user ID and password combination along with a device-based code (e.g., an SMS text message), which provides information that is used during the web-based authentication process. A user's mobile terminal can be operated to generate an application-unique password, which is communicated to the email server for combining with other information provided by the user to authenticate the user. A user is therefore denied access to the user's Gmail account when the user does not have present access to a particular operational mobile terminal, such as when the user is away from the mobile terminal, the mobile terminal has a dead battery, or the mobile terminal has been misplaced or lost. When another person obtains control of the user's mobile terminal, the user's Gmail account becomes vulnerable to compromise, depending upon the strength of the user's password and the user's ability to access Google's authentication dashboard to disable the misplaced/lost mobile terminal from further use in the authentication process. When the user is unable to access Google's authentication dashboard in a timely manner after loss of the mobile terminal, or is unaware that another person has gained control, insufficient account protection may be provided.
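The two-factor check and its failure modes described above can be sketched as follows. This is an added example, not code from the original text or from Google: it assumes a time-based one-time code (RFC 6238) as a stand-in for the device-based code, and the `Account` class, its methods, and the device name are hypothetical.

```python
import hashlib, hmac, secrets, struct

STEP = 30  # seconds per code window (assumed value)

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F  # dynamic truncation offset
    num = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(num % 10 ** digits).zfill(digits)

def totp(key: bytes, now: float) -> str:
    """Code the enrolled device would display at time `now`."""
    return hotp(key, int(now) // STEP)

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Account:  # hypothetical server-side account record
    def __init__(self, password: str):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hash_password(password, self.salt)
        self.devices = {}  # device_id -> shared secret ("something the user has")

    def enroll(self, device_id: str) -> bytes:
        key = secrets.token_bytes(20)
        self.devices[device_id] = key
        return key  # provisioned to the mobile terminal

    def revoke(self, device_id: str) -> None:
        # Models the dashboard action that disables a misplaced/lost terminal.
        self.devices.pop(device_id, None)

    def login(self, password: str, code: str, now: float) -> bool:
        # Factor 1: something the user knows.
        pw_ok = hmac.compare_digest(hash_password(password, self.salt), self.pw_hash)
        # Factor 2: a code from any enrolled device, allowing one step of clock drift.
        code_ok = False
        for key in self.devices.values():
            for drift in (-STEP, 0, STEP):
                if hmac.compare_digest(totp(key, now + drift), code or ""):
                    code_ok = True
        return pw_ok and code_ok  # both factors required
```

Until `revoke` is called, a code produced by the lost terminal is still accepted, so the password is the only remaining barrier during that window.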