Thursday, July 21, 2011

The massive security hole in Google two factor authentication

I've been using Google's two factor authentication for a few months. It works reasonably well for the core Google Apps suite (Gmail, Calendar, Contacts, etc.) from a web UI if I use Chrome.

Even there, however, there are bugs. Even on machines I don't authorize for '30 day use', I sometimes connect without a request for an authenticator token. I think this is improving, but there's still no way to de-authenticate a '30 day' machine from the Google Account.

Beyond the core services though, there are lots of problems. The worst of these is Google's "Application Specific" password framework. It's the software equivalent of medical malpractice.

The problems start with the misleading name. There is nothing Application Specific about these passwords. If you write one down, or if one is captured by a keystroke logger, it works with most (all?) Google services. The same password can be used with an IMAP client to download email or with Google Chrome to sync passwords. If you know one has been lost it can be revoked, but of course by then it's too late.

The only sense in which these "additional passwords" are "application specific" is that Google has us label them by application. This is worse than worthless; it's misleading.
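To make the distinction concrete, here is an added illustration (my own toy model, not Google's code and not part of the original post). The first store models the behaviour described above: the application label is stored next to the password but never consulted when authenticating, so a password generated for one client works against any service. The second store treats the label as an enforced scope, so the same leaked credential is refused by services it was not issued for. The service names and the `LabelledPasswordStore` / `ScopedPasswordStore` classes are assumptions made up for this example.

```python
"""Added example: a per-application password that is only labelled by
application versus one whose label is enforced as a scope.

Hypothetical toy model written for this page; not Google's implementation.
"""
import hashlib
import secrets

# Constructed service names for the example.
SERVICES = {"imap", "chrome_sync", "calendar", "chat"}


def _fingerprint(password: str) -> str:
    # Passwords here are high-entropy random tokens, so a plain SHA-256
    # fingerprint is sufficient as a lookup key for this toy model.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


class LabelledPasswordStore:
    """Models the behaviour the post complains about.

    The label ("IMAP on laptop", "Chrome sync", ...) is purely cosmetic:
    authenticate() never looks at which service is asking.
    """

    def __init__(self) -> None:
        self._entries: dict[str, str] = {}  # fingerprint -> label

    def issue(self, label: str) -> str:
        password = secrets.token_hex(8)  # 16 hex characters, random
        self._entries[_fingerprint(password)] = label
        return password

    def authenticate(self, password: str, service: str) -> bool:
        if service not in SERVICES:
            return False
        # The service argument is accepted but ignored: any valid
        # password works with any service. This is the flaw.
        return _fingerprint(password) in self._entries

    def revoke(self, password: str) -> None:
        self._entries.pop(_fingerprint(password), None)


class ScopedPasswordStore:
    """Same issue/revoke flow, but the label is an enforced scope."""

    def __init__(self) -> None:
        # fingerprint -> (label, set of services this password may access)
        self._entries: dict[str, tuple[str, frozenset[str]]] = {}

    def issue(self, label: str, allowed_services: set[str]) -> str:
        unknown = set(allowed_services) - SERVICES
        if unknown:
            raise ValueError(f"unknown services in scope: {sorted(unknown)}")
        password = secrets.token_hex(8)
        self._entries[_fingerprint(password)] = (label, frozenset(allowed_services))
        return password

    def authenticate(self, password: str, service: str) -> bool:
        entry = self._entries.get(_fingerprint(password))
        if entry is None:
            return False
        _label, scopes = entry
        # A password captured from one client is useless against services
        # outside its scope; a keylogged chat password cannot read mail.
        return service in scopes

    def revoke(self, password: str) -> None:
        self._entries.pop(_fingerprint(password), None)


def demo() -> dict[str, bool]:
    """Run both stores on the same scenario and report the outcomes."""
    labelled = LabelledPasswordStore()
    chat_pw = labelled.issue("Digsby chat client")

    scoped = ScopedPasswordStore()
    scoped_chat_pw = scoped.issue("Digsby chat client", {"chat"})

    return {
        # Labelled store: the chat password also pulls mail over IMAP.
        "labelled_chat_pw_reads_imap": labelled.authenticate(chat_pw, "imap"),
        # Scoped store: works only for the service it was issued for.
        "scoped_chat_pw_works_for_chat": scoped.authenticate(scoped_chat_pw, "chat"),
        "scoped_chat_pw_reads_imap": scoped.authenticate(scoped_chat_pw, "imap"),
    }


if __name__ == "__main__":
    for outcome, value in demo().items():
        print(f"{outcome}: {value}")
```

The point of the second store is that revocation is no longer the only defence: a credential leaked from a low-trust machine is bounded by its scope even before anyone notices the loss.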

I find I have to use these "additional passwords" very frequently. Today, when I tried enabling Google Sync in the very latest Chrome release, I was asked for one. That was on a less-trusted machine; if a keystroke logger had been running, the password would have been lost.

Obviously, I'm disappointed. Actually, I'm kind of appalled. This smells like a marketing maneuver. Somewhere in Google there are security people contemplating honorable seppuku.


heavymark said...

I agree; I contacted Google about these same problems but never heard back.

The bigger problem is if you enable "Postini" as an added level of security for people with Google Apps Business, and have 2 Factor Authentication enabled, you can easily bypass the factor by going to the Postini Master Login into your Gmail, which does not support 2 factor authentication. Thus if you enable Postini then 2 factor authentication is useless, but nowhere does it warn you about this.

The application specific passwords are also silly. My passwords are more secure than the shorter random passwords they create, and having one password is better than having 50 since, as the poster says, it's much easier for one of those to get lost or guessed than it is for only one to.

bd_ said...

While you're correct that application specific passwords do weaken things a bit, two-factor authentication is not designed to protect against the compromise of an on-disk password cache. From what I see, it's designed to protect against phishing attacks, and against attacks based on passwords being shared among services. And in this respect, it's far better than nothing, while not making things so inconvenient that nobody would use it.

Bob Foster said...

I use Authenticator on my iPhone. Those fixed passwords are for filing away for the day you lose your phone and need to get in to reset it all. Even so, a keystroke logger would get exactly nothing, since the passwords can only be used once.

JGF said...

Bob, you are thinking about the single-use one time passwords for loss of Authenticator access.

I am talking about the "application specific passwords".

JGF said...

bd: not weaken a bit, weaken completely.

Tarthon said...

Thanks for the post, that really sucks. They provide a false sense of security calling them "application specific passwords".

I consider my email contents the "holy grail" and for a while felt completely secured by the new two-factor authentication. They need to add some security "categories" for each application specific password so it's up to the user which services are accessible by each generated password. Maybe they could even automatically assign them based on what service is used during first use. There's no reason why my Digsby-generated password should be able to pull my email via IMAP; that really defeats the purpose.

Brandon Leon said...

I've been in the habit of changing my application specific passwords every month. I agree with you that it's not as secure as it could be, but it's a hell of a lot more secure than the original way.

Also, if you copy and paste the passwords, your run-of-the-mill keylogger will not get it (although more complex clipboard loggers may).

Anonymous said...

If that's affecting Drive, then Google's so-called "archiving solutions" may need a revamp in the security section.