Monday, November 28, 2011

Google Chrome sync does not work with 2-step verification

As best I can tell Google's two-factor ("2-step") verification is incompatible with Chrome sync. There are two ways it fails:

1. During initial authentication you are required to enter a full access password, the Authenticator token won't work. (Laughably, Google calls these 'application-specific' passwords. That's a lie. I wish they'd stop repeating it.) This defeats the value of the Authenticator's keystroke-logger protection.

2. You can't use your Google account authentication to encrypt your sync store. Maybe it uses the 'application specific password'. When I try this, Sync hangs - but tells me it has succeeded. Using a separate sync password works.

There are lots of similar bugs with use of two-factor. It's really not finished; I wonder if it's one of the projects that Page has terminated. I still use it, but I don't recommend it to anyone else. The illusion of security may be worse than no security.

No comments: