How does google recognize a "trusted device" with 2-step verification

Question

Assuming you have registered your device with Google 2-step Verification, what information does it use to verify that you are on that device when you come back to the website?

Does it store something on your computer (like a cookie), or does it use some other algorithm to determine where you are logging in from?

Answer 1

It stores various bits of information about your conversation with the server. SSL cookies, session data such as your IP address and other information about your browser. As you change this information, a risk assessment value is increased as deviation from the originally known values changes. Once this value reaches a certain threshold, based on your country's online risk profile, that sets off a chain of events that invalidates your session.

When your session is invalidated, you need to log-in again. It's more complicated than a cookie, but it involves cookies too.

There is a lot of debate in the security community as to whether it matters to add protection beyond endpoint and cookie verification and when it becomes a nuisance to the end user.

Answer 2

Just a quick follow-up on this question. A lot of people continue to view this question, but surprisingly, there hasn't been a good answer posted.

Since the original post, I did a lot of research to find out what technologies are used to determine a unique device, and I finally stumbled across the panopticlick project.

This website answered a lot of questions because it showed the exact metrics that a website can use to fingerprint your browser. Using this methodology, a site can really narrow down the exact device that you use to connect to a service, and therefore make it much easier to validate a 2-step verification.

Hopefully this helps someone trying to implement 2-step on your site.