I've been planning to switch to Google's two factor authentication once it was a few months old (time for bug fixing), so James Fallows recent experiences only confirmed my schedule. Interestingly he's not the only recent victim. I assume, based on my personal experience, James' wife was the victim of a keystroke logger infection (was she using a Mac client?) or password reuse.
It worked pretty much as per my notes. Google's setup process takes about 15 minutes, including installing the authenticator app on your iPhone or Android device (other phones get SMS authentication). A few things to note ...
- Emily pointed out that I need to add two factor recovery directions to our password database, so if I become abruptly dead or incapacitated she knows how to get my stuff. In particular I will put the backup verification codes into a piece of paper she has access to.
- I needed application-specific passwords created for OS X Mail, iOS Mail, Google Voice iPhone, Reeder.app, Spanning Sync (forgot that one) and probably a few more.
- It is a nuisance to enter the generated 16 character app-specific passwords on the iPhone -- but the white space feature is very nice. Would be great if the Authenticator app on the iPhone could handle assigning app-specific passwords. Google.app on my iPhone works with two factor; when I tried entering an application specific password it told me to use my two factor password. Just like my desktop, it can be configured to "remember me" for 30 days. (If you lose a device, you have to get access to Google to remove its credentials).
- I don't think you can copy paste the numeric codes to from Authenticator.app to Google.app. You have to load into short term memory and tap them in.
Two factor authentication means I'm willing to enter Google credentials on relatively untrusted machines (given https encryption). That means ...
- Whatever password I enter on those machines will be public (that is a keystroke logger will catch it sooner or later). So there's no sense using a complex or difficult to type password. The main value of the password is to protect me when my phone is lost. I've reverted to an easy to type password that I expect will become "public". In other words, a Level I password.
- I can now stop using the Google App identity I setup to facilitate access to shared resources from insecure machines (such as corporate/office laptops)
- As per Google's recommendations, I carry the verification codes in my wallet. I also have a printed set Emily can access.
- Gordon's Tech: RIP Password - Google's two factor authentication (2/2011 - how it works)
- Gordon's Tech: My Google (gmail) account is hacked - by ductus.com (9/2010)
- Gordon's Tech: After the Gmail hack - passwords and security (9/2010)
- Gordon's Tech: Google hack lessons - where the geek risks are (9/2010)
- Gordon's Notes: Google's two factor authentication and why you need four OpenID accounts (9/2010 - where we're going)
- Gordon's Notes: Thunder in the Cloud: Lessons from my hacked Google Account (9/2010) - most comprehensive post
Update 4/18/11: I've found a hole in the system. You can set any computer to save 2nd factor authentication for up to 1 month, but you can't revoke this remotely and there's no UI to undo the change locally. Since the extended authorization cert is saved as a cookie, you need to delete cookies on the machine to re-enable Authenticator requests. So you should really reserve extended authentication for trusted machines. A corporate laptop, for example, should not be considered a trusted machine.
Update 5/1/11: I'm surprised how often I need to generate a single use application specific key. For example, I just had to do one for the Google's iPhoto PIcasa image uploader. I'm up to about 13 of 'em. Bit of a pain really. I've contemplated storing one for general reuse in my password database but haven't done that yet.
Update 7/4/11: I still rely on two-step verification, but Google needs to do a lot more work on this.
Update 9/8/11: I rethink it all.