[sbronstein]

> We think it’s a rather significant hole in a strong authentication system if a user still has some form of “password” that is sufficient to take over full control of his account.

I don't really understand this sentence...they say that Google (post-fix) no longer enables access to security-specific pages unless you do two factor auth, so doesn't that mean that post-fix you cannot fully take over someone's Google account without two factor auth?

[marshray]

I think the "still" was meant to refer to "after the addition of the 2nd factor to the auth process" rather than "after the fix to the vulnerability described here".

It's making the case that this does represent a "real" vulnerability, even if certain aspects of the behavior were understood and expected by the system designers.

[sbronstein]

Yeah after re-reading I think you are correct. And yes, I certainly agree that it was a real vulnerability!