Something Google could do to drastically improve the security of their two-factor authentication system is to add the ability to give more granular permissions with the application-specific passwords.
I have an application that only needs to send E-Mail through my GMail account (git-send-email), another that only needs to write to one specific GMail label (Android SMS Backup), and Google Chrome surely doesn't need access to everything. But you'd get full access to my account if you compromised any of these.
They already have this for the Connected Sites, Apps, and Services. I sent them a feature request for this a while ago but it hasn't been answered (and there's no way to view it online).
Indeed. I have created a couple of application passwords for "Verbs" IM on my iPad and my iPhone (though I rarely use chat, but added them just in case). I'd feel safer if I knew these guys can only see my contacts and send/receive messages. Right now they can see all my emails and probably everything else that's on my Google account.
I totally agree with this. I have to be careful where I use app-specific passwords. Currently, I only trust the keychain on my Apple devices, and would never store one of these passwords in plaintext.
> I have an application that only needs to send E-Mail through my GMail account (git-send-email), another that only needs to write to one specific GMail label (Android SMS Backup)
Maybe you should use throwaway accounts for these purposes? That is, have a gmail account for github to send your patches through, and have that forward to your main email account?
In the SMS-backup case...how important is it that you access your SMSes in your Gmail account? My first thought is: it's bad enough that someone breaks into my email, nevermind all my SMSes. But I guess if you have a workflow that requires easy access to SMSes with your email, you can still have a separate email account that does nothing but forward it onto your main account.
So your main account, theoretically, has strong security with the two-factor authentication without having to make backdoors for external apps. People can always break into your throwaway accounts, but they'll have no particular inroad into your main account.
And presumably, you'd have a decent window of time to detect an intrusion and administer the throwaway accounts with your main GMail account
I was worried this would be a major pain when I enabled it, but I have to say, it has been much more painless than I thought it would be. Most of the time, I don't even think about it. Most of my consumption of google mail is through clients on my laptops, iPhone, or iPad. So in that sense, it's not much different from a regular password. The difference is that someone else has a much harder time cracking my account. It's actually much less obtrusive than using lastpass (also highly recommended, but not as transparently usable).
That being said, two factor google auth wasn't going to save Matt Honan here. Identity, trust, and authentication on the internet are all built on a foundation of sand. We need a new model.
According to Matt (and, apparently, his hacker) you're wrong; two-factor would have saved him in this particular instance: "If I had some other account aside from an Apple e-mail address, or had used two-factor authentication for Gmail, everything would have stopped here." (http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-hona...)
Naturally, it's not a panacea, but I think a lot of people allow perfect to be the enemy of quite good when it comes to two-factor auth.
I used two-factor authentication for about a year, and I just got so sick of it. I had no issue with the whole logging in and using the time-sensitive code from my Android phone. It was the support for all the other Google apps that drove me crazy. I got really tired of needing to generate new temporary passwords for access through iCal, Mail, and I think even sites like StackOverflow. Perhaps I was at a point in life where I had too many new devices and changes going on.
It's the typical security vs accessibility trade-offs. Accessibility won.
If you've spent your career with RSA SecurIDs hanging from your keys, this isn't much of a hassle. I didn't realize that LastPass and others can use the Google Authenticator.
Yes, it would. The idea behind two-factor authentication is that an attacker now needs two things to access your account: your password and your phone. With two-factor authentication, even if an attacker acquires or changes your password (which is what happened in Matt's case), they still won't be able to log in to your account.
I literally could not enter the 2-factor code into my Galaxy Nexus running 4.1.1. The process asked for my password, then redirected to Chrome to finish the process, which asked me for a code. I then switched to the Authenticator app to get the code, but then I couldn't switch back to the place to enter it. Whhaaaaa??? I tried this 3 times looking everywhere.
I finally gave up and turned off 2-factor auth. I'm guessing this is a limitation in 4.1.1, but it really, really sucks.
Why wouldn't two-factor authentication have protected Mat from at least his GMail account being hacked? Even if password resets were being sent to the .Me account, wouldn't the hackers still need to generate the authentication token?
The reason I'm not using 2FA right now is twofold. First, because Google doesn't have half of their services using it for some undefined reason (for at least a year plus!). Also, the whole "app specific password" thing is a huge pain in the ass. (And appears to randomly stop working on say, IMAP mail).
Second, because the mobile authenticator is not feasible for me right now. I do a lot of android development work (well, mostly screwing around, but we'll call it work) on the side, with the result that I'm wiping my phone for romflashes at least once a week. Makes everything going through a mobile app a little useless.
I really wish Google would support a hardware token of some kind.
Yes, can someone explain why Google Chrome doesn't support 2FA on the desktop or iOS? It's bizarre.
(Well, I suppose it's tragically normal. I'm sure there is a corporate directive that says every Google service must support 2FA, but Chrome has an exception so they don't need to do it yet.)
Am I the only person in the world who doesn't have a cell phone? It annoys me that the two-factor auth setups at sites (like Google) assume I have one and don't even have an option for "I don't have a cell phone, please stop nagging me about this."
You can use a YubiKey for Google 2-factor along with a helper app like Yubico's "sidekick" for Windows [1] or my company's OneTime on Mac [2]. A YubiKey costs about $25 but is a very portable, fast and convenient option.
Why are you the only person in the world who doesn't have a cell phone? Why would you assume that super-large companies would consider your single-person use-case?
No; I know dozens of people, including myself, who do not have cell phones, and have no intention of getting one. I find this an extremely obnoxious assumption by Google (and others) -- it's not like we're luddites; it's frequently the programmers I know who are least willing to carry a cell phone.
I'm always dumbfounded when these topics come up and a lot of people start saying how inconvenient it is, that it is all wrong. But these are probably the same people who later accuse Google that they didn't do enough to protect their accounts!
Yes, two factor authentication is a small hassle. Yes, two factor authentication requires a bit to set up. But do you realize how much actually depends on your email account being safe?
For one, how many times did you use Google's OpenID provider? Yes, that's your Gmail account! Or for how many services did you use your Gmail account as the email address? You know that password resets go to that account, right?
Don't do that? Maybe you use Google Calendar, then. So yes, there is actually a lot of sensitive data in there. If you don't believe me, try to get a hold of a friend's calendar, and see what you can guess about that person just from the calendar.
Or should someone just post some slander about you on your G+ profile? Or buy some apps from the Android Market? Of course these things never happen to you...
So just take the time to, besides looking at the time or the latest message on your phone, open that stupid app and type that stupid code in! It's not THAT much work!
Two-factor authentication improves security, but cannot solve the online security problem for most people, because the vulnerabilities are primarily CULTURAL: the average person does not understand the risks nor what they could do to ameliorate them.
Compare the attitude towards security that people have in the physical world with their attitude online. No sane person would ever want to use the same exact key to open their home, car, desk, safety deposit box, etc., because that would obviously be unsafe. Yet most people today will happily use the same easy-to-remember password for all online accounts without giving it a second thought.
Similarly, no sane person would ever lend their wallet and keys to a stranger, because that would obviously be unsafe. Yet most people today will happily walk into an Internet cafe or hotel business center and enter all their online credentials without giving it a second thought.
Providers of online services like Google, Amazon, Apple, etc. will find it difficult to solve the security problem until society has evolved its understanding of, and attitude towards, online security.
--
Edit: softened the tone of the last paragraph to make it more accurately reflect my views.
really surprised so many people that post here refuse to use google authenticator because it's "annoying." is it a hassle? yes, but if you have ever had your email (and other accounts) compromised you understand why it is worth that small 5 second hassle when you login.
one feature that i cannot understand why it hasn't been implemented though is protecting the app itself with a password or pin. some people say to just protect your whole phone, but i don't really want to do that because to me that _is_ too large a hassle. if i lose my phone i can revoke access to my email and other similar apps, but not if the person that finds it opens up google authenticator (which shows the account the id is used for) and logs in to change the password before i have a chance to. even just allowing for it to display an account nickname instead of full login would be a huge step forward
Somebody should set up a website dedicated to listing organisations and what information is required in order to obtain access to an account at that organisation.
Like the second class citizens of the web we are, Nigeria does not have 2 factor authentication.
Ghana, Pakistan, Iran, North Korea, Russia, all have 2 factor authentication. Why not Nigeria? This is just another example why being Nigerian is kinda hard on the internet.
All this talk about security and multiple authentication levels, yet your browser --if you use Chrome-- is the worst security leak in a person's digital life. It would take almost anyone a minute in front of a computer to fire up Chrome and have every single login and password available in plain text.
I've written about this before and so have countless other techies. A non-techie has not a single clue, making them perfect victims. Any number of scenarios can be imagined: from taking your laptop in for repairs/upgrades to someone gaining physical access to your machine for just a few minutes. And, just like that, your digital life is turned upside-down.
I hear a lot of people advising to turn on two factor auth on Google because of this incident, but I haven't heard anyone say that we should be deleting our card details from Amazon. Well, I have, and you should too. Lots of places use the last 4 digits of your card as "authentication", and Amazon happily displays those details in your account.
Is there a way to use a separate hardware device? Using my phone as the second factor is nice, but my phone is vulnerable to theft because of its value for resale.
A sealed gizmo that shows a number just looks like an el-cheapo souvenir. Without knowing my username and password too, it really is worthless.
I'm sure someone is probably working on this, but what about a service that generates a one-off seed for the second stage of auth, married with either a desktop or smartphone app for generating it for the user. Lose your phone/laptop/PC? Simply cancel it remotely so it stops generating, same as you would if you lost your bank card.
I'm sure I'm missing something, but I'm not sure what.
EDIT: I'll let the post stand but I need to read more clearly, I thought Google Authenticator was purely for Google services.
You can actually authenticate against the GA product from any system - hook it into PAM for sshd access, use it for another factor in OpenVPN, or even just wire it into Apache:
>Reality: You can tell Google to trust your computer for 30 days and sometimes even longer.
How is that "even longer" part supposed to work? I have a desktop Mac that prompts me every 30 days to re-logon to GMail in Safari. Is there a way to add it to the trusted computer list?
The image linked from there says it's a new feature. I couldn't check it even by logging out of my account and logging in again (this doesn't deauth the computer? didn't know), so not sure if it's available for everyone yet.
I would add to that: Web developers, please implement two factor auth for your own apps as well. It takes minutes, literally, to add support for the Google Authenticator to your own app. I made a demo a while back inside of an hour. http://dendory.net/twofactors
Two-factor auth gets old really fast when you have to use public computers in a setting like a college library. I had turned it on for a while, but turned it off when I had 5 minutes to print out a paper that I had emailed myself (yes, I still do that) and was fiddling with my phone to get the damn PIN. Never again.
I did this a few months ago, but I'm thinking of turning it off. I know it's trivial, but there's something deeply annoying about being dinged $0.20 a pop for the SMS message to get the code.
I'll have to see if I can set up the Google Authenticator; I hadn't heard of that before.
It's a good idea, but it's not the weakest link in user security right now. It does very little to solve problems like Apple positively identifying people based on totally insufficient and publicly available information.
OK, so I turn on two-factor authentication for GMail, but...
1) I immediately have to create an application-specific password to actually read my mail on my iPhone.
2) If anyone ever gets access to that secret password, or any of the others I create, they have full access to my email and any password resets they generate.
3) I will have no idea this is happening since I would expect my mail to access that app password daily.
So your fancy two factor authentication still ends up resting on one piece of secret info as the weak point. Am I missing something?
I've been avoiding doing this, and I'm not certain the reason is valid - I don't want Google to have my mobile phone number. Perhaps I'm being overly cautious, but the fact Google already collects such a huge amount of data on me, coupled with the increasingly insistent requests to enable two-factor with my mobile phone number, has made me not do it. I got so sick of being pestered about it that I stopped using Gmail a little while ago.
I can guarantee you that Google knows your mobile number already. Do you have friends? Do they know your number? Do they have you saved as a Google contact? Game over.
If you are sufficiently paranoid there are probably call/sms-forwarding services available for a reasonable cost.
You don't need to enter your phone number to use Google's two factor. You can use their smartphone application to generate codes. If you don't want to do that, the algorithm is free and open-source so you can probably find an alternate implementation that works fine.
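The comments about wiring Google Authenticator into PAM, OpenVPN or Apache, about adding it to your own app in minutes, and about the algorithm being open all rest on the same mechanism: TOTP (RFC 6238) layered on HOTP (RFC 4226), an HMAC-SHA1 over a time-step counter, truncated to six digits. The Python below is an added example written for this page, not code from any commenter, from Google, or from the linked demo or Apache module. It generates codes, verifies them server-side with a one-step clock-drift window and replay protection, and builds the otpauth:// enrollment URI that authenticator apps scan. The function names and DEMO_SECRET_B32 are choices made here; the demo key is the RFC test secret, constructed for illustration, so the codes can be checked against the published test vectors.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote

# Constructed demo key: the RFC 4226 / RFC 6238 test secret, base32-encoded the way an
# otpauth:// enrollment QR code carries it. A real deployment generates a fresh random
# secret per user (e.g. secrets.token_bytes(20)) and stores it encrypted at rest.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def _decode_secret(secret_b32: str) -> bytes:
    """Base32-decode a shared secret, tolerating the unpadded form enrollment URIs use."""
    cleaned = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(_decode_secret(secret_b32), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the current 30-second time step."""
    return hotp(secret_b32, unix_time // step, digits)


def verify_totp(secret_b32, submitted, unix_time, last_used_counter=-1, window=1, step=30, digits=6):
    """Server-side check of a submitted code.

    Accepts the current step plus `window` steps either side (clock drift), rejects any
    step at or below the last counter already accepted (replay), and compares in constant
    time. Returns (accepted, counter_to_store); persist the counter on success.
    """
    current = unix_time // step
    for delta in range(-window, window + 1):
        counter = current + delta
        if counter <= last_used_counter:
            continue  # this step (or an earlier one) has already been consumed
        if hmac.compare_digest(hotp(secret_b32, counter, digits).encode(), submitted.encode()):
            return True, counter
    return False, last_used_counter


def provisioning_uri(issuer: str, account: str, secret_b32: str) -> str:
    """otpauth:// URI that Google Authenticator and compatible apps import from a QR code."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits=6&period=30")


if __name__ == "__main__":
    import time
    now = int(time.time())
    print("enroll:", provisioning_uri("ExampleApp", "alice@example.com", DEMO_SECRET_B32))
    code = totp(DEMO_SECRET_B32, now)
    print("code:", code, "first use:", verify_totp(DEMO_SECRET_B32, code, now))
    print("replayed:", verify_totp(DEMO_SECRET_B32, code, now, last_used_counter=now // 30))
```

The replay check is the part a quick integration usually forgets: without storing the last accepted counter, a code captured over the shoulder stays valid for the rest of its 30-second step plus the drift window, which is exactly the public-computer scenario raised elsewhere in this thread.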
It's more than a little likely that they already have your number. They have your email address, and chances are that more than a few of your friends have a contact in their google contacts that has that same address alongside your phone number. You could argue that they can't be certain, but aggregated across however many of your friends have those same details stored for you they can make some pretty safe assumptions.
This is the same reason I avoid it. They were insistent about getting my phone number when it was just to verify after a lockout. They've been extremely insistent about it lately regarding 2-factor authentication, which leads me to believe there's a motive here beyond just getting everyone more secure. Until someone can alleviate me of that concern I think I'll have to pass.
[1] http://yubico.com/totp [2] http://zetetic.net/software-onetime
But 2-factor does mean there is an expectation you will have to carry some kind of token device.
https://accounts.google.com/b/0/SmsAuthConfig
http://oonwoye.com/2011/01/23/life-as-a-second-class-citizen...
Either way, using the last 4 digits as 'security' is just stupid. You can get those from a receipt.
YubiKeys are relatively cheap and would provide a nice alternative to using a phone, IMO.
http://code.google.com/p/google-authenticator-apache-module/