16

I am about to leave for a trip. During this trip, I would have to connect to my Gmail account, and I'm totally unhappy to type my password using public, unsecured machines, potentially having keyloggers and similar nice stuff.

I already use 2-step verification and I'll change my password as soon as I come back, but I'm still unhappy with the idea of using the same password, given that my mobile can be lost or stolen during the trip.

Is there something similar to a one-time password system in Gmail?

Arseni Mourzenko

3 Answers

14

You can generate one-time codes that can be used as part of two-step verification that doesn't require your phone. You can print out a bunch before you go and stick them in your wallet or luggage to use as needed.

Other than that, there are a number of guides with suggestions for trying to stay secure. Make sure you are using HTTPS (default now), and if you are super paranoid about keyloggers, you could try bashing a bunch of random text into Notepad, then cutting and pasting the letters for your password into the form.

Happy travelling!

John C

3

I spent much time looking for the same answer, which brought me to this forum.

I am using 2-Step authentication but do not want to use my private password on public computers nevertheless. Google supplies application-specific passwords, which unfortunately do not seem to work with desktop browsers (Google still asks for your original password).

What you could do if you are travelling is to change your password before travel. Use the new password with the authentication software and reset the password once you come back.

I found no other solution other than that for the time being.

This might be a good reference: Passwords and codes used with 2-step verification

0x00FE

3

You are wise to try to protect your password, but modern malware can attack you in many other ways (monitoring the network traffic, real-time session hijacking, etc.), so you really just shouldn't expect anything you do on a public machine to be secure. See the answers at the IT Security Stack Exchange for more information:

One good strategy noted there is to use an additional low security account in unsafe locations. E.g. if all you want is to be able to read an occasional email, e.g. to print an airline boarding pass from a computer at your hotel, you could set up a separate email account and forward copies of emails to it from your main account.

Back to your specific question: in 2012, Google was experimenting with a way to log in to a desktop computer using your smartphone, by scanning a QR code displayed on the desktop: Open Sesame: Google’s Newest Security Log-In Uses QR Codes | WebProNews. Sounds like a good option for some situations, but they cancelled the service before going public with it.

The Google option to use OTP for the 2nd authentication step, in the answer by John C, is handy if you can't get SMS messages while travelling, but you still expose your main password to keyloggers. His idea of mixing it up via notepad may help, but won't protect against a determined attacker.

I still wish there was a way to avoid having to enter your main password on a public kiosk.

nealmcb