Thursday, September 18, 2008

Password twilight: bad from Gmail, not so bad from OpenID.

Bad news, then not-so-bad news, in the twilight of the password.

From Google, another scary installment in their online safety series:
When it comes to Gmail specifically, there are a couple of things that might cause account-related interruptions in access: a lost or forgotten password, unusual activity that triggers the safety measures designed to keep accounts from being compromised, or, in the worst case, someone has stolen your login info and changed it...

... we don't ask for much personal information when you sign up for Gmail, which can sometimes make it difficult to prove ownership of an account and trigger the recovery process.

Still, there are some simple steps you can take to ensure that your account stays in your hands, and to greatly improve the chances of regaining access if you have any problems...
  • Always keep the verification number you get when you sign up for Gmail. When you sign up for Gmail, we'll ask you for a secondary email address and then email a verification number to that account. This number is the best way to prove ownership of your account, so be sure to hang on to it.
  • If you aren't able to access your account, try resetting your password. As mentioned above, most of the support requests we get turn out to be lost or forgotten passwords, rather than something more serious. Resetting your password usually gets the job done.
  • If resetting your password doesn't work, try our account-recovery process. We recently launched an account-recovery form in our help center that can drastically reduce the amount of time it takes to verify ownership of an account and restore access. If you have the information necessary to prove ownership -- such as the verification code for the account -- this new process can help our support team restore access within a matter of hours.
The $%!%!#$% verification code for my Gmail account?!! The account I opened the month they launched? Did they even do verification codes back then? What's the chance I could find that now? At least I know it's not in my Gmail respository?

And, of course we know about Google's brilliant mafia-funded password reset approach.

I was on the verge of having nightmares about losing control of my Google account, but their "reassuring" message is giving me night terrors instead.

On the bright side, there's optional two factor identification for my myOpenID account.
About CallVerifID

... CallVerifID™ provides the most convenient and cost-effective strong security measure available for OpenID users. An individual can enable CallVerifID™ within seconds to add an additional authentication factor.

* Easy two-factor authentication for myOpenID
* Instantly receive a call when signing into myOpenID. Simply answer and press # to authenticate.
* No extra phone capabilities or text messages. Use any phone.
The basics of OpenID are pretty simple. From a user perspective it's like the old Microsoft Hailstorm/Passport scheme -- a single un/pw sign-on. So when I use my OpenID to sign on to a web service, I'm redirected to enter my password into the myOpenID site then return to my true destination. I can stay authenticated with myOpenID provider, then I don't have to keep entering my password as I move from site to site.

The big difference from Hailstorm/Passport is it's not controlled by Microsoft, Apple, Amazon, IBM or your cellphone company. All kinds of places can, and do, offer OpenID services -- including my many Blogger blogs.

Of course these services are only as good as the associated security, and Google hasn't been wining any prizes for their security measures.

Even MyOpenID is vulnerable, like anyone else, to password theft. It's a "one factor identification" service -- a "what I know" factor. If I add CallVerifID though it's a "two factor" service -- "what I know" and "what I have". A thief would have to steal both.

So what happens if I lose my phone?

Well, that's kind of where the good news ends:
What happens if I lose my phone?

An alternate number can be set up by calling the support staff, once your identity is strongly established.

What happens if I lose cell phone coverage in a certain area?

Call the support staff from any phone to request a one time bypass. Once your identity is strongly established, they can allow you to authenticate one time without receiving a PhoneFactor call. They can also change your account to point to an alternate phone number, such as a land line.

Ooookkkkaaayy. What do they mean by "strongly established"? There's no detail on what that is, it sure sounds vulnerable to social engineering.

Still, it's a measure of progress.

What I think I need is some combination of two factor identification and a digital certificate stored on secured machines. Then if I lose the phone I could at least fix things from a secure machine with a digital certificate (eg. home computer, not a laptop) stored on an encrypted disk image.

I think it might be possible to do that with MyOpenID; I'm going to give it a try. The combination of digital cert access from secured machines with two factor phone id when in other locations is interesting. I do want to be able to secure the cert on an encrypted disk image, I'll have to research how to do that, I'd prefer not to encrypt my entire user account directory (the default OS X approach). The cert can be revoked, so if I knew the machine had been stolen I could revoke the cert. [ps. The digital cert is browser specific, not user account specific. So if you use more than one browser you need a cert for each one on the user account.]

Now if only Google would enroll itself in a remedial security training program. At least they could use some loose change to pay Schneier for a consultation ...

PS. It looks like I can create MyOpenIDs for my domains, such as or That could help with securing Emily and the children's accounts.

Update: Too bad! myOpenID missed the brass ring.

If you active the two factor identification, you still need the cell phone call even when signing in with the digital certificate. So there's no good fallback if you lose cell phone access. Arghh!! They should have had two different two factor identification schemes:
  • password + digital cert (secure browser)
  • password + phone ID
Then if you lose the phone, you could go to the secure machine and get access.

Oh well, maybe they'll read this blog and fix it.

Update 3/8/09: Sign. never did get a clue. BTW, more the horror of losing Gmail account access.

1 comment:

Andy said...

"The $%!%!#$% verification code for my Gmail account?!! The account I opened the month they launched?"

Classic, exactly what I though when i read this on Life Hacker the other week. I went to google help search but there is nothing on there at all about getting this so called code... and i gave up trying to find an actual support email address or web form to ask them for it...