Sunday, April 17, 2011

Implementing Google's two factor authentication

I've been planning to switch to Google's two factor authentication once it was a few months old (time for bug fixing), so James Fallows recent experiences only confirmed my schedule. Interestingly he's not the only recent victim. I assume, based on my personal experience, James' wife was the victim of a keystroke logger infection (was she using a Mac client?) or password reuse.
It worked pretty much as per my notes. Google's setup process takes about 15 minutes, including installing the authenticator app on your iPhone or Android device (other phones get SMS authentication). A few things to note ...

  • Emily pointed out that I need to add two factor recovery directions to our password database, so if I become abruptly dead or incapacitated she knows how to get my stuff. In particular I will put the backup verification codes into a piece of paper she has access to.
  • I needed application-specific passwords created for OS X Mail, iOS Mail, Google Voice iPhone,, Spanning Sync (forgot that one) and probably a few more.
  • It is a nuisance to enter the generated 16 character app-specific passwords on the iPhone -- but the white space feature is very nice. Would be great if the Authenticator app on the iPhone could handle assigning app-specific passwords. on my iPhone works with two factor; when I tried entering an application specific password it told me to use my two factor password. Just like my desktop, it can be configured to "remember me" for 30 days. (If you lose a device, you have to get access to Google to remove its credentials).
  • I don't think you can copy paste the numeric codes to from to You have to load into short term memory and tap them in.

Two factor authentication means I'm willing to enter Google credentials on relatively untrusted machines (given https encryption). That means ...

  • Whatever password I enter on those machines will be public (that is a keystroke logger will catch it sooner or later). So there's no sense using a complex or difficult to type password. The main value of the password is to protect me when my phone is lost. I've reverted to an easy to type password that I expect will become "public". In other words, a Level I password.
  • I can now stop using the Google App identity I setup to facilitate access to shared resources from insecure machines (such as corporate/office laptops)
  • As per Google's recommendations, I carry the verification codes in my wallet. I also have a printed set Emily can access.

See also:

Update 4/18/11: I've found a hole in the system. You can set any computer to save 2nd factor authentication for up to 1 month, but you can't revoke this remotely and there's no UI to undo the change locally. Since the extended authorization cert is saved as a cookie, you need to delete cookies on the machine to re-enable Authenticator requests. So you should really reserve extended authentication for trusted machines. A corporate laptop, for example, should not be considered a trusted machine.

Update 5/1/11: I'm surprised how often I need to generate a single use application specific key. For example, I just had to do one for the Google's iPhoto PIcasa image uploader. I'm up to about 13 of 'em. Bit of a pain really. I've contemplated storing one for general reuse in my password database but haven't done that yet.

Update 7/4/11: I still rely on two-step verification, but Google needs to do a lot more work on this.

Update 9/8/11: I rethink it all.


    Doctor Science said...

    Fallows prompted me to look into two-factor authentication, but there doesn't seem to be a useful method for people who don't reliably use a cell phone, e.g. me. I mean, I *have* one, but it's pre-paid, sometimes gets lost, and I never text.

    What to do?

    JGF said...

    I wonder if authenticator will run on iPad or iPod Touch (iTouch). If it could then that might work. You might still need a mobile phone that someone you (REALLY) trust owns, but practically you'd be ok that way.

    It really does rely on a mobi.

    Doug K said...

    the cell phone requirement is an issue. if travelling outside the US, US cellphones won't work for the most part. That's when the security exposure is greatest, too. So any non-Android, Iphone or Blackberry user is out of luck. I'd like to see a way to easily get a fresh list of 10 backup verification codes..

    JGF said...

    It is pretty easy to get the list of backup verification codes designed to be used without a cell phone or when the phone is lost or stolen. I keep mine in my wallet. You can print any 10 on demand (prior 10 are obsolete). They are longer to enter than the generated codes

    Martin said...

    @JGF: Didn't you recently post on Gmail backups or was that just a Google Reader link to another posting?

    I'm asking because I haven't been able to uncheck all custom labels for IMAP, i.e. the checkboxes for all my custom labels remain visible and some (not all) labels still appear in my IMAP clients although without any messages … better than nothing but still an annoyance. Unchecking default folders such as 'sent' worked on the other hand.

    Martin said...

    Another OT comment re. the label issue:

    The problem is apparently caused by my label structure, i.e. root labels and sub-labels using '/'. Single labels and sub-labels are not listed via IMAP, root-labels with sub-labels are … :(

    JGF said...

    @Martin - thanks for the update on labels. We need Apple to fix -- maybe Lion?

    I think Google has it mostly right, wish Apple and IMAP could catch up.

    Martin said...

    I sent a bug report to both Apple (via Bug Tracker) and Google (feedback form of Advanced IMAP Controls). Guess what?

    Google solved the problem, i.e. on Mac OS X and iOS does no longer show empty folders/labels! :)

    The solution led to a new problem, however, there's no a label called '[Gmail]/Sent Mail' in Gmail and I cannot permanently remove it. Well, I guess I can live with that!

    Martin said...

    Good news: I sent bug reports to both Apple and Google, and it seems that Google solved the problem. I haven't received a feedback from either of them, however, on Mac OS X and iOS no longer shows empty labels.

    There's now a new problem, however: Gmail shows a [Gmail]/Sent Mail that cannot be permanently removed. I guess I'll have to live with that.

    Anonymous said...

    I seem to have to reset my IOS devices: iPhone4 and iPad after only a few days with the application device password which is all letters(doesn't seem that secure). Then I have to re-enter it into Google Reader on the devices too. Rather a pain. The devices cannot use the main password and 2 factor generated password, but requires you to set an app password from within your Google account.

    JGF said...

    Wow, that's neat Martin. Thanks!