Saturday, May 07, 2011

Google's two factor: Three weeks later

I implemented Google's two-factor authentication about three weeks ago. It's mostly working, but there are a few issues:

  1. Application-specific passwords are risky.
  2. You can't de-authorize a computer from Google Accounts.
  3. Authentication isn't working quite right on the iPhone.
  4. I've had to create more application-specific passwords than I'd expected.

The big positive is that with two-factor and https I'm now willing to connect from an untrusted machine. By untrusted I mean a machine that has a reasonable chance of hosting a keystroke logger. That means any machine running XP and any machine I don't control. My work laptop, for example, is doubly untrusted.

A second bonus is that I'm now more comfortable with using my Google account as an OpenID/OAuth server.

The biggest problem is application-specific passwords. They behave like regular passwords, so if a keystroke logger captures the password once, it can be used to, say, get access to your email from OS X.

You really, really, really do not want to use an application-specific password on an untrusted machine. Google should provide more warning about their use. I use them on my iPhone and my home Mac.
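To make the contrast concrete, here is an added example in Python (not code from the original post or from Google): an RFC 6238 TOTP generator and verifier of the kind Google Authenticator implements, next to the static check an application-specific password gets. It shows that a one-time code captured by a keystroke logger stops working once its time window passes, while a captured application-specific password keeps working indefinitely. The secret is the RFC 6238 test key and the application-specific password is a constructed placeholder.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 test key ("12345678901234567890") in the base32 form Authenticator apps accept.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
# Constructed placeholder in the 16-letter style of an application-specific password.
DEMO_APP_PASSWORD = "abcdefghijklmnop"
TIME_STEP = 30   # seconds per step (RFC 6238 default, as used by Google Authenticator)
DIGITS = 6


def totp(secret_b32: str, unix_time: int) -> str:
    """RFC 6238: HMAC-SHA1 over the time-step counter, dynamically truncated to DIGITS."""
    key = base64.b32decode(secret_b32.upper())
    counter = unix_time // TIME_STEP
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** DIGITS)
    return str(code).zfill(DIGITS)


def verify_totp(secret_b32: str, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Accept a code only for the current step and +/- `window` neighbouring steps."""
    for skew in range(-window, window + 1):
        candidate = totp(secret_b32, unix_time + skew * TIME_STEP)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


def verify_app_password(stored: str, submitted: str) -> bool:
    """An application-specific password is a static credential: no time bound at all."""
    return hmac.compare_digest(stored, submitted)


def replay_check(captured_at: int, replay_at: int) -> dict:
    """Both credentials are typed (and logged) at captured_at; test them again at replay_at."""
    logged_code = totp(DEMO_SECRET_B32, captured_at)   # what a keystroke logger would see
    logged_app_password = DEMO_APP_PASSWORD             # the same string every time
    return {
        "totp_accepted": verify_totp(DEMO_SECRET_B32, logged_code, replay_at),
        "app_password_accepted": verify_app_password(DEMO_APP_PASSWORD, logged_app_password),
    }


if __name__ == "__main__":
    t0 = 1111111109   # an RFC 6238 test time
    print(replay_check(t0, t0 + 10))    # seconds later: both still accepted
    print(replay_check(t0, t0 + 3600))  # an hour later: only the static password still works
```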

Use of application-specific passwords on an iPhone is a PITA. You can't generate these from an iPhone and they're a nuisance to type in. I've stored one in the encrypted 1Password database I use on my iPhone for reuse only on that device. (I'm taking this risk since if my iPhone is stolen and the 1Password database is hacked I'm in a world of pain anyway.)

Having this password on my iPhone is particularly important because the current behavior is obnoxious. In my case I entered an application-specific password and authenticated. Subsequently, other iPhone Google App references (for example a desktop shortcut to Google Reader) requested a Google account password, not an Authenticator password and not an application-specific password. Every two weeks or so, however, I'm made to enter a NEW application-specific password.

The second shortcoming is that there doesn't seem to be a way to easily de-authorize a computer. When you first connect to a Google account from a new machine you're asked to enter your Google password [1]. Then, if you're using two-factor, you're asked to enter your Authenticator token. At that point, if the machine authenticates, there's an option to authorize it for a month.

There should be a way to reverse that decision from your Google account. For example - what if the machine is lost? What if, as in my case, you make that choice from an untrusted machine and decide it was a bad idea? (In theory deleting cookies will undo this, but, perhaps due to user error, that didn't work for me. Of course that also requires physical control of the machine.) For now, be careful to only "authorize" your primary, secured, non-portable, home machine.

Lastly, I've found I needed around 8-14 application-specific passwords, even when I reuse one - such as for IMAP and SMTP authentication from OS X. There's no way around this one -- I use a lot of Google services from many devices and accounts.

Overall I'm pleased with Google's two factor authentication. They've given it a lot of thought, and I love that they've open sourced key parts of the infrastructure. We needed this years ago, but I'm grateful to have it at all.

[1] At that point, on a keystroke logger infected machine, your Google password is public knowledge. That's why I was willing to simplify my Google password. I now assume it is public, though I obviously haven't made it public.

Anonymous said...

I posted under your original post 3 weeks ago, but I think it is a PITA. I am about ready to turn it off. I only get a few days before having to reset the Apple iOS devices. The authenticator doesn't work and I have to log in to reset from my main Google account. It needs to be more user friendly and work better with Apple products IMHO.

JGF said...

They really need to update their iPhone app to work better with two factor. Secondarily they need to reconsider how they handle mobile web apps.

Two factor is a really big change, and definitely a work in progress. So far it's worth the pain for me, but I can see why you might choose to revert.

I think it will take them a year of hard work to get this right. I hope they stick with it.

Paul said...

Well, here we are a year later and how much better is it? I'd share this to G+ but you know, I can't log in. Funny, that…